Skip to main content

Introduction

This guide is intended to act as a centralized repository of Citrix server load balancing configurations for use on Citrix ADC (formerly NetScaler). Additionally, common authentication load balancing configurations such as LDAPS and RADIUS are covered. As with our centralized Citrix logs article, this article is intended to be a living document and will be updated as needed as recommendations change, products are introduced, or errors and omissions are identified.

This article is broken up into two sections; load balancing configurations, and custom monitor configurations.

Notes Sept 13 2020: Citrix Endpoint Management (XenMobile) and Content Collaboration (ShareFile) are pending addition to this article.

Load Balancing Configurations

Citrix Delivery Controllers and Cloud Connectors

The following table contains load balancing configuration for Citrix Delivery Controller (aka DDC or XDC) and Citrix Cloud Connectors (if being enumerated by customer-managed StoreFront servers) which provide XML broker services for Citrix resource enumeration:

Component Category Configuration Notes
Virtual Server Protocol SSL Required for load balancing Desktop Delivery Controllers. As per Citrix Leading practices, XML should be secured.
Port 443 Default port is recommended.
Persistence None Not required for XML.
Method Least Connection Default configuration.
Certificate Required Yes Required on “SSL” VIPs. A SAN certificate can be used on both XML Brokers and the load balancing VIP to ensure end-to-end encryption. Steps for securing XML on the Delivery Controllers’ Broker Service can be found here.
Service Group Protocol SSL Required to match virtual server protocol.
Monitor Custom Citrix XML Monitor Custom monitor to determine the availability of the XML brokers. Monitor details can be found here.
Service Group Member Port 443 Default configuration.

 

Citrix StoreFront

The following table contains load balancing configuration for Citrix StoreFront:

Component Category Configuration Notes
Virtual Server Protocol SSL As per Citrix Leading practices StoreFront services should be secured. Required for load balancing Citrix StoreFront Servers. HTTP is not recommended.
Port 443 Default port is recommended.
Persistence SOURCEIP or COOKIEINSERT Citrix guidance on this has varied over the years. Currently, official guidance is COOKIEINSERT. Early on in StoreFront’s life, COOKIEINSERT was the standard. Later in StoreFront 2.x, COOKIEINSERT broke sessions and SOURCEIP was the recommended method. Recently, this guidance reverted back. With that said, there have been issues reported with COOKIEINSERT and Android Citrix clients. Our guidance tends to favour SOURCEIP.
Timeout 20 Minutes* This should match the timeout of Receiver for Web pages in StoreFront.

*This is the default StoreFront value. If StoreFront is configured with any RfW pages as higher than 20, ensure the persistence timeout is greater or equal to whatever is set in StoreFront.

Method Least Connection Default configuration.
Certificate Required Yes Required on “SSL” VIPs. A SAN certificate can be used on both StoreFront servers and the load balancing VIP to ensure end-to-end encryption.
Service Group Protocol SSL Required to match virtual server protocol.
Monitor Citrix StoreFront Monitor Custom monitor to determine the availability of the StoreFront instances. More information on custom monitor setup for Citrix StoreFront can be found here.
Service Group Member Port 443 Default configuration.
Insert Client IP Header Yes Citrix leading practice. This feature allows the appliance to insert the client’s IP address while forwarding requests to the backend servers. The server inserts client IP in the header of the responses, thus the server is aware of the client, provided the application can make use of this header. StoreFront can.
Header X-Forwarded-For Allows for Client IP address to be included in the header of the server responses.

 

Citrix Workspace Environment Management (WEM)

The following table contains load balancing configuration for Citrix WEM Infrastructure Services. Note that Citrix quietly introduced a new port for WEM 1912 and up; 8288. If this port is not load balanced (either missed or not addressed when upgrading from a prior version of WEM to 1912 or newer), WEM servers may exhibit excessive CPU usage and unanticipated operation. WEM required several ports to be load balanced, so creating multiple VIPs (can use the same IP for each) or a single VIP with an “ANY” port configuration is workable. We generally prefer the former, as presented below:

Component Category Configuration Notes
Virtual Server (Create one for each port) Protocol TCP Required for load balancing Citrix WEM Infrastructure Service.
IP Address IP address of each of the WEM Infrastructure services VIP IP address assigned to each of the WEM Infrastructure services VIP
Port 8284-8288 WEM Infrastructure services utilize the following ports:

·       Administration Console Service -Port 8284

·       Agent Cache Synchronization Service – Port 8285 in WEM 1909 and earlier, Port 8288 in WEM 1912 and later

·       Agent Service – Port 8286

·       Monitor Service -Port 8287

Persistence None No persistence is needed for WEM infrastructure service load balancing as per CTX227144
Method Least Connection Default configuration.
Certificate Required No N\A
Service Group (Create one for each port) Protocol TCP Required to match virtual server protocol.
Monitor tcp-default Default tcp monitor will auto-probe on the port specified on the Service Group. Citrix ADC does not presently offer application-level (L7) monitors for WEM.
Service Group Member Port 8284-8288 Set the port for each respective Service Group.

 

Citrix Director

The following table contains load balancing configuration for Citrix Director (for on-prem aka non-Citrix Cloud deployments). It is assumed that Director is running on its own server(s) vs. being collocated with Citrix Delivery Controllers as per Citrix recommendations. This is both to reduce the attack surface and to reduce the load on the Delivery Controllers. Collocation is generally accepted if building a POC, or deploying a very small environment where financially, having separate servers is not feasible.

Component Category Configuration Notes
Virtual Server Protocol SSL Citrix recommendation. Although not required, strongly recommended.
Port 443 As per Citrix Leading practices, it is recommended to use port 443 for load balancing Citrix Director. This requires for SSL certificates to be installed on each of the Citrix Director instances.
Persistence SOURCEIP or COOKIEINSERT Citrix documentation favours COOKIEINSERT. However, if integrating Citrix Director with Citrix ADM for single-pane-of-glass view that includes HDX Insight, SOURCEIP is needed. Otherwise sporadically only one Director server will ever properly render the HDX Insight data on-screen within Director.
Timeout 245 or TBD Timeout set for Director; default value is 245 minutes.
Method Least Connection Traffic is sent to the least loaded server.
Certificate Required Yes Required on “SSL” VIPs. A SAN certificate can be used on both Director servers and the load balancing VIP to ensure end-to-end encryption.
Service Group Protocol SSL Required to match virtual server protocol.
Monitor Citrix Director Monitor Custom monitor is used to monitor for the availability of Citrix Director. More information on custom monitor setup for Citrix Director can be found here.
Service Group Member Port 443 Default configuration.

 

RADIUS

The following table contains load balancing configuration for RADIUS Servers. This is general guidance, and elements such as port configuration may vary between implementations. Note that in some environments, there may be a need to bind a NETPROFILE to the virtual server, one that specifies the SNIP that should be used to interface with the back-end RADIUS servers as documented here. Be sure the NSIPs as well as SNIP are added as RADIUS clients on the RADIUS server.

Component Category Configuration Notes
Virtual Server Protocol RADIUS Required for load balancing RADIUS Servers. Transmits over UDP.
Port 1812 RADIUS uses port 1812 by default, however, use of other ports is not uncommon.
Persistence Not required RADIUS does not require persistence. If required in a given implementation, mirror the “Method” configurations below.
Method TOKEN Selection of service is based on the token extracted from the client request. For subsequent requests with the same token, the virtual server chooses the same server that handled the initial request.
Expression CLIENT.UDP.RADIUS.USERNAME Expression used with TOKEN load balancing method for RADIUS. Directs all requests that match the expression to the service selected by the load balancing method.
Certificate Required No N\A
Service Group Protocol RADIUS Required for load balanced RADIUS instances.
Monitor UDP or RADIUS Monitor (Preferred) Custom monitor is used to monitor for the availability of RADIUS Servers. More information on monitor setup can be found here.
Service Group Member Port 1812 Port to match the VIP’s RADIUS port.

 

LDAPS

The following table contains load balancing configuration for LDAPS (from now-retired LDAPv2). These configurations would work just as well for LDAP over TLS (uses StartTLS, and part of LDAPv3) which uses TCP 389. In the table below, we are assuming the VIP will be used only by the Citrix ADC itself, thus using TCP is more practical, allowing the client (in this case ADC) to negotiate SSL with the back-end server. If the LDAPS VIP is intended to be used by other clients, SSL_TCP should be used (and will require a certificate on the virtual server) to terminate traffic at the ADC.

Component Category Configuration Justifications
Virtual Server Protocol TCP Suitable for use by Citrix Gateway or AAA vServer (which also allows the use of an APIPA VIP like 169.254.100.x to save firewall rules and IPs).
Port 636 LDAPS uses port 636.
Persistence None No persistence needs to be configured.
Method Least Connection Default configuration.
Certificate Required No N\A
Service Group Protocol TCP Required to match virtual server protocol.
Monitor LDAPS Monitor Custom monitor is used to monitor for the availability of LDAP Servers. More information on monitor setup can be found here.
Service Group Member Port 636 Port which LDAPS is generally listening on.

 

Monitors

The following table contains the configuration details of the monitors configured for the various load balancing virtual servers:

Component Category Configuration Notes
Citrix XML Monitor Type CITRIX-XD-DDC Type of monitor being used.
IP Source SNIP Monitor traffic sources from SNIP.
Destination IP Bound Service Default configuration.
Port N\A Not applicable.
Secure Yes It is assumed XML is secured.
Down Time 30 Seconds Default value.
Response Time Out 2 Seconds Default value.
Interval 5 second Default value.
Validate Credentials Optional Added monitoring capability to ensure Delivery controllers are online even if the standard monitor probe is successful. Service account credentials used should have access to the Delivery controllers.
Citrix StoreFront Monitor Type STOREFRONT Type of the Monitor being used.
IP Source SNIP and NSIP Monitor traffic sources from SNIP as well as NSIP depending on configuration. Assume both.
Destination IP Bound Service Default configuration.
Port N\A Not applicable.
Secure Yes It is assumed StoreFront servers are secured with certificates.
Down Time 30 Seconds Default value.
Response Time Out 2 Seconds Default value.
Interval 5 second Default value.
Store Name TBD Name assigned to a StoreFront Store. If the Store does not exist, the monitor will fail.
StoreFront Account Service Enabled Used to probe account service to determine the state of StoreFront store. May use TCP 8000 for monitoring.
Citrix Director Monitor Type HTTPS Type of monitor being used.
IP Source SNIP Monitor traffic sources from SNIP.
Destination IP Bound Service Default configuration.
Port N\A Not applicable.
Secure Yes SSL is being used.
Down Time 30 Seconds Default value.
Response Time Out 2 Seconds Default value.
Interval 5 second Default value.
HTTP Request GET /Director/LogOn.aspx?cc=true Custom HTTP request.
Response code 200

302

HTTP response codes to check for availability of backend Director servers. Response code 302 is used when Single Sign-On is enabled on Director.
RADIUS Monitor Type RADIUS Type of monitor being used.
IP Source SNIP Monitor traffic sources from SNIP.
Destination IP Bound Service Default configuration.
Port N\A Not applicable.
Secure N\A Not applicable.
Down Time 30 Seconds Down Time value set to default value.
Response Time Out 4 Seconds Increase default timeout to accommodate for RADIUS Response.
Interval 5 second Default Value.
Response Code 2

3

RADIUS response code 2 indicates success and 3 indicates failure. Either result means that the RADIUS server is functional.
RADIUS Key RADIUS key value RADIUS key configured on the RADIUS server with ADC as the RADIUS client.
RADIUS Credentials Username and Password Credentials to login against RADIUS servers. Ensure credentials do not expire or change. If using Microsoft NPS for radius use fake Ping User-Name.
LDAPS Monitor Type LDAP Type of monitor being used.
IP Source NSIP As the LDAPS monitor uses a Perl script, monitor traffic sources from NSIP.
Destination IP Bound Service Default configuration.
Port N\A Not applicable.
Secure Yes To be used when employing LDAPS.
Down Time 30 Seconds Down Time value set to default value.
Response Time Out 2 Seconds Default value.
Interval 5 second Default Value
Base DN dc=<value>, dc=<value> Domain name in LDAP format.
Bind DN <Service account UPN> UPN login of a service account in the domain that can browse all objects in that domain. Alternatively sAMAccountName can be used in format <DOMAIN>\<serviceacct>
Filter cn=builtin Ensures search results do not return the entire domain, which is unneeded for a monitor.
Password <Service account password> Service account password. Ensure no semicolon in the password as Perl will not be able to parse the parameter.

 

  • Chetan Kini
    Chetan Kini

    Chetan is a consultant focused on virtualization and cloud technologies. Chetan has years of experience in professional and managed services and has specialized in end-user computing with organizations across North America.

Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments

Redefine Your Approach to Technology and Innovation

Schedule a call to discover how customized solutions crafted for your success can drive exceptional outcomes, with Ferroque as your strategic ally.