Introduction
This guide is intended to act as a centralized repository of Citrix server load balancing configurations for use on Citrix ADC (formerly NetScaler). Additionally, common authentication load balancing configurations such as LDAPS and RADIUS are covered. As with our centralized Citrix logs article, this article is intended to be a living document and will be updated as needed as recommendations change, products are introduced, or errors and omissions are identified.
This article is broken up into two sections: load balancing configurations, and custom monitor configurations.
Notes Sept 13 2020: Citrix Endpoint Management (XenMobile) and Content Collaboration (ShareFile) are pending addition to this article.
Load Balancing Configurations
Citrix Delivery Controllers and Cloud Connectors
The following table contains load balancing configuration for Citrix Delivery Controller (aka DDC or XDC) and Citrix Cloud Connectors (if being enumerated by customer-managed StoreFront servers) which provide XML broker services for Citrix resource enumeration:
| Component | Category | Configuration | Notes |
|---|---|---|---|
| Virtual Server | Protocol | SSL | Required for load balancing Delivery Controllers. As per Citrix leading practices, XML traffic should be secured. |
| | Port | 443 | Default port is recommended. |
| | Persistence | None | Not required for XML. |
| | Method | Least Connection | Default configuration. |
| | Certificate Required | Yes | Required on SSL VIPs. A SAN certificate can be used on both the XML brokers and the load balancing VIP to ensure end-to-end encryption. Steps for securing XML on the Delivery Controllers' Broker Service can be found here. |
| Service Group | Protocol | SSL | Required to match the virtual server protocol. |
| | Monitor | Custom Citrix XML Monitor | Custom monitor to determine the availability of the XML brokers. Monitor details can be found here. |
| | Service Group Member Port | 443 | Default configuration. |
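As an added worked example (not part of the original article), the table above expressed as Citrix ADC CLI commands, together with the CITRIX-XD-DDC monitor from the Monitors section. All names, IP addresses, the certificate keys cert_citrix_san and ca_internal_root and the service account are assumptions; substitute your own.

```nscli
# Added example, not from the original article. Assumed values: VIP 10.0.0.10,
# Delivery Controllers 10.0.1.11/.12, certkeys cert_citrix_san (SAN cert covering
# the VIP name and both brokers) and ca_internal_root already installed on the ADC.
add server ddc01 10.0.1.11
add server ddc02 10.0.1.12

# Monitor as per the Monitors table: CITRIX-XD-DDC, secure, default timings.
add lb monitor mon_xml_ddc CITRIX-XD-DDC -interval 5 -resptimeout 2 -downTime 30 -secure YES
# Optional credential validation (assumed account svc_xmlmon in domain CORP);
# proves the broker can actually authenticate a user, not just answer the probe:
# set lb monitor mon_xml_ddc -validateCred YES -userName svc_xmlmon -password "<password>" -domain CORP

add serviceGroup sg_xml_ddc SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360
bind serviceGroup sg_xml_ddc ddc01 443
bind serviceGroup sg_xml_ddc ddc02 443
bind serviceGroup sg_xml_ddc -monitorName mon_xml_ddc

# Back-end leg: encrypt AND authenticate. With server authentication enabled the
# ADC rejects a broker certificate not issued by the bound CA, so a rogue host
# answering on 443 cannot be accepted as an XML broker.
bind ssl serviceGroup sg_xml_ddc -certkeyName ca_internal_root -CA
set ssl serviceGroup sg_xml_ddc -serverAuth ENABLED

add lb vserver lb_vsrv_xml SSL 10.0.0.10 443 -persistenceType NONE -lbMethod LEASTCONNECTION -cltTimeout 180
bind lb vserver lb_vsrv_xml sg_xml_ddc
bind ssl vserver lb_vsrv_xml -certkeyName cert_citrix_san
# Front-end TLS hygiene: TLS 1.2 only on the VIP.
set ssl vserver lb_vsrv_xml -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED
```

Without the two `ssl serviceGroup` lines the back-end leg is encrypted but not authenticated: the ADC would accept any certificate the "broker" presents. After applying, `show serviceGroup sg_xml_ddc` should list both members as UP; if they show DOWN with server authentication enabled, the broker certificate chain is not trusted by the bound CA.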
Citrix StoreFront
The following table contains load balancing configuration for Citrix StoreFront:
| Component | Category | Configuration | Notes |
|---|---|---|---|
| Virtual Server | Protocol | SSL | As per Citrix leading practices, StoreFront services should be secured. Required for load balancing Citrix StoreFront servers. HTTP is not recommended. |
| | Port | 443 | Default port is recommended. |
| | Persistence | SOURCEIP or COOKIEINSERT | Citrix guidance on this has varied over the years. Currently, official guidance is COOKIEINSERT. Early in StoreFront's life, COOKIEINSERT was the standard. Later, in StoreFront 2.x, COOKIEINSERT broke sessions and SOURCEIP was the recommended method. Recently, this guidance reverted back. With that said, there have been issues reported with COOKIEINSERT and Android Citrix clients. Our guidance tends to favour SOURCEIP. |
| | Timeout | 20 minutes | This should match the session timeout of the Receiver for Web sites in StoreFront. 20 minutes is the StoreFront default; if any RfW site is configured with a higher timeout, set the persistence timeout greater than or equal to the highest value configured in StoreFront. |
| | Method | Least Connection | Default configuration. |
| | Certificate Required | Yes | Required on SSL VIPs. A SAN certificate can be used on both the StoreFront servers and the load balancing VIP to ensure end-to-end encryption. |
| Service Group | Protocol | SSL | Required to match the virtual server protocol. |
| | Monitor | Citrix StoreFront Monitor | Custom monitor to determine the availability of the StoreFront instances. More information on custom monitor setup for Citrix StoreFront can be found here. |
| | Service Group Member Port | 443 | Default configuration. |
| | Insert Client IP Header | Yes | Citrix leading practice. With this enabled, the appliance inserts the original client's IP address into an HTTP header of each request it forwards to the back-end servers, which would otherwise only see the SNIP. StoreFront can make use of this header (for example in its logs). Because any client that can reach StoreFront directly could set the same header itself, StoreFront should only be reachable through the VIP. |
| | Header | X-Forwarded-For | Name of the header the ADC inserts into the forwarded requests. |
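As an added worked example (not part of the original article), the StoreFront VIP from the table above as Citrix ADC CLI commands, including the STOREFRONT monitor from the Monitors section. The VIP and server addresses, the store name `Store` and the certificate key cert_citrix_san are assumptions.

```nscli
# Added example, not from the original article. Assumed values: VIP 10.0.0.11,
# StoreFront servers 10.0.1.21/.22, store named "Store", certkey cert_citrix_san.
add server sf01 10.0.1.21
add server sf02 10.0.1.22

# STOREFRONT monitor as per the Monitors table (script monitor, probes from NSIP).
# -storename must be an existing store or the monitor marks the member DOWN.
add lb monitor mon_storefront STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -interval 5 -resptimeout 2 -downTime 30 -secure YES -storename Store -storefrontacctservice YES

# -cip ENABLED X-Forwarded-For: the ADC adds the real client address to every
# forwarded request; StoreFront otherwise sees only the SNIP.
add serviceGroup sg_storefront SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360
bind serviceGroup sg_storefront sf01 443
bind serviceGroup sg_storefront sf02 443
bind serviceGroup sg_storefront -monitorName mon_storefront

# SOURCEIP persistence, 20 minute timeout to match the RfW default.
# COOKIEINSERT alternative: -persistenceType COOKIEINSERT -timeout 20
add lb vserver lb_vsrv_storefront SSL 10.0.0.11 443 -persistenceType SOURCEIP -timeout 20 -lbMethod LEASTCONNECTION -cltTimeout 180
bind lb vserver lb_vsrv_storefront sg_storefront
bind ssl vserver lb_vsrv_storefront -certkeyName cert_citrix_san
```

If the RfW session timeout in StoreFront is raised later, raise `-timeout` on the vserver to at least the same value (`set lb vserver lb_vsrv_storefront -timeout <minutes>`); otherwise a user whose persistence entry expires before the StoreFront session does is sent to a server that does not know the session. Restrict TCP 443 on the StoreFront servers to the SNIP so the X-Forwarded-For value can only come from the ADC.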
Citrix Workspace Environment Management (WEM)
The following table contains load balancing configuration for Citrix WEM Infrastructure Services. Note that Citrix quietly introduced a new port for WEM 1912 and later: 8288. If this port is not load balanced (either missed, or not addressed when upgrading from a prior version of WEM to 1912 or newer), WEM servers may exhibit excessive CPU usage and unanticipated operation. WEM requires several ports to be load balanced, so either multiple VIPs (which can share the same IP address) or a single VIP with an "ANY" port configuration is workable. We generally prefer the former, as presented below:
| Component | Category | Configuration | Notes |
|---|---|---|---|
| Virtual Server (create one for each port) | Protocol | TCP | Required for load balancing the Citrix WEM Infrastructure Service. |
| | IP Address | IP address of the WEM Infrastructure Services VIP | The same IP address can be assigned to each of the per-port VIPs. |
| | Port | 8284-8288 | WEM Infrastructure Services use the following ports: Administration Console Service, 8284; Agent Cache Synchronization Service, 8285 in WEM 1909 and earlier and 8288 in WEM 1912 and later; Agent Service, 8286; Monitor Service, 8287. |
| | Persistence | None | No persistence is needed for WEM Infrastructure Service load balancing as per CTX227144. |
| | Method | Least Connection | Default configuration. |
| | Certificate Required | No | N/A |
| Service Group (create one for each port) | Protocol | TCP | Required to match the virtual server protocol. |
| | Monitor | tcp-default | The default TCP monitor auto-probes the port specified on the Service Group. Citrix ADC does not presently offer application-level (L7) monitors for WEM. |
| | Service Group Member Port | 8284-8288 | Set the port for each respective Service Group. |
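As an added worked example (not part of the original article), the per-port TCP VIPs from the table above, all sharing one VIP address, as Citrix ADC CLI commands. Addresses and names are assumptions. The block covers WEM 1912 and later (8284, 8286, 8287, 8288); an environment that still has WEM 1909 or earlier agents needs the same pair of objects for 8285 as well.

```nscli
# Added example, not from the original article. Assumed values: shared VIP
# 10.0.0.13, WEM Infrastructure servers 10.0.2.11/.12.
add server wem01 10.0.2.11
add server wem02 10.0.2.12

# 8284: Administration Console Service
add serviceGroup sg_wem_8284 TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000
bind serviceGroup sg_wem_8284 wem01 8284
bind serviceGroup sg_wem_8284 wem02 8284
bind serviceGroup sg_wem_8284 -monitorName tcp-default
add lb vserver lb_vsrv_wem_8284 TCP 10.0.0.13 8284 -persistenceType NONE -lbMethod LEASTCONNECTION -cltTimeout 9000
bind lb vserver lb_vsrv_wem_8284 sg_wem_8284

# 8286: Agent Service
add serviceGroup sg_wem_8286 TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000
bind serviceGroup sg_wem_8286 wem01 8286
bind serviceGroup sg_wem_8286 wem02 8286
bind serviceGroup sg_wem_8286 -monitorName tcp-default
add lb vserver lb_vsrv_wem_8286 TCP 10.0.0.13 8286 -persistenceType NONE -lbMethod LEASTCONNECTION -cltTimeout 9000
bind lb vserver lb_vsrv_wem_8286 sg_wem_8286

# 8287: Monitor Service
add serviceGroup sg_wem_8287 TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000
bind serviceGroup sg_wem_8287 wem01 8287
bind serviceGroup sg_wem_8287 wem02 8287
bind serviceGroup sg_wem_8287 -monitorName tcp-default
add lb vserver lb_vsrv_wem_8287 TCP 10.0.0.13 8287 -persistenceType NONE -lbMethod LEASTCONNECTION -cltTimeout 9000
bind lb vserver lb_vsrv_wem_8287 sg_wem_8287

# 8288: Agent Cache Synchronization Service (WEM 1912 and later; 8285 before that).
# This is the port that gets missed on upgrades from pre-1912 builds.
add serviceGroup sg_wem_8288 TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000
bind serviceGroup sg_wem_8288 wem01 8288
bind serviceGroup sg_wem_8288 wem02 8288
bind serviceGroup sg_wem_8288 -monitorName tcp-default
add lb vserver lb_vsrv_wem_8288 TCP 10.0.0.13 8288 -persistenceType NONE -lbMethod LEASTCONNECTION -cltTimeout 9000
bind lb vserver lb_vsrv_wem_8288 sg_wem_8288
```

Because only a TCP monitor is available, a WEM server whose service is listening but unhealthy still shows UP; `show lb vserver` only tells you the port answered. Keep the service-level WEM health checks on the servers themselves.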
Citrix Director
The following table contains load balancing configuration for Citrix Director (for on-prem, i.e. non-Citrix Cloud, deployments). It is assumed that Director is running on its own server(s) rather than being co-located with the Citrix Delivery Controllers, as per Citrix recommendations. This is both to reduce the attack surface of the Delivery Controllers and to reduce the load on them. Co-location is generally accepted when building a POC, or when deploying a very small environment where separate servers are not financially feasible.
| Component | Category | Configuration | Notes |
|---|---|---|---|
| Virtual Server | Protocol | SSL | Citrix recommendation. Although not required, strongly recommended. |
| | Port | 443 | As per Citrix leading practices, it is recommended to use port 443 for load balancing Citrix Director. This requires SSL certificates to be installed on each of the Citrix Director instances. |
| | Persistence | SOURCEIP or COOKIEINSERT | Citrix documentation favours COOKIEINSERT. However, if integrating Citrix Director with Citrix ADM for a single-pane-of-glass view that includes HDX Insight, SOURCEIP is needed. Otherwise, sporadically, only one Director server will properly render the HDX Insight data on-screen within Director. |
| | Timeout | 245 or TBD | Match the session timeout set for Director; the default value is 245 minutes. |
| | Method | Least Connection | Traffic is sent to the least loaded server. |
| | Certificate Required | Yes | Required on SSL VIPs. A SAN certificate can be used on both the Director servers and the load balancing VIP to ensure end-to-end encryption. |
| Service Group | Protocol | SSL | Required to match the virtual server protocol. |
| | Monitor | Citrix Director Monitor | Custom monitor used to monitor the availability of Citrix Director. More information on custom monitor setup for Citrix Director can be found here. |
| | Service Group Member Port | 443 | Default configuration. |
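As an added worked example (not part of the original article), the Director VIP from the table above as Citrix ADC CLI commands, including the custom HTTP monitor from the Monitors section that checks the logon page and accepts both 200 and the 302 seen when Director single sign-on is enabled. Addresses, names and the certificate key cert_citrix_san are assumptions.

```nscli
# Added example, not from the original article. Assumed values: VIP 10.0.0.14,
# Director servers 10.0.1.31/.32, certkey cert_citrix_san.
add server dir01 10.0.1.31
add server dir02 10.0.1.32

# HTTP monitor with Secure enabled (there is no separate HTTPS monitor type).
# 200 = logon page rendered; 302 = redirect issued when Director SSO is enabled.
add lb monitor mon_director HTTP -httpRequest "GET /Director/LogOn.aspx?cc=true" -respCode 200 302 -interval 5 -resptimeout 2 -downTime 30 -secure YES

add serviceGroup sg_director SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360
bind serviceGroup sg_director dir01 443
bind serviceGroup sg_director dir02 443
bind serviceGroup sg_director -monitorName mon_director

# SOURCEIP so HDX Insight data from ADM renders consistently; timeout matches
# Director's default 245 minute session timeout.
add lb vserver lb_vsrv_director SSL 10.0.0.14 443 -persistenceType SOURCEIP -timeout 245 -lbMethod LEASTCONNECTION -cltTimeout 180
bind lb vserver lb_vsrv_director sg_director
bind ssl vserver lb_vsrv_director -certkeyName cert_citrix_san
```

A 302 is accepted deliberately, so the monitor does not prove that the page behind the redirect works; if SSO is not enabled, drop 302 from `-respCode` so a broken server that merely redirects is not reported UP.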
RADIUS
The following table contains load balancing configuration for RADIUS servers. This is general guidance, and elements such as port configuration may vary between implementations. Note that in some environments there may be a need to bind a NETPROFILE to the virtual server, one that specifies the SNIP to be used towards the back-end RADIUS servers, as documented here. Be sure the NSIPs as well as the SNIP are registered as RADIUS clients (with the same shared secret) on the RADIUS server, otherwise probes or requests from an unregistered address are silently dropped.
| Component | Category | Configuration | Notes |
|---|---|---|---|
| Virtual Server | Protocol | RADIUS | Required for load balancing RADIUS servers. Transmits over UDP. |
| | Port | 1812 | RADIUS uses port 1812 by default; however, use of other ports is not uncommon. |
| | Persistence | Not required | RADIUS does not require persistence. If required in a given implementation, use RULE persistence with the same expression as the Method rows below. |
| | Method | TOKEN | Selection of the service is based on the token extracted from the client request. For subsequent requests with the same token, the virtual server chooses the same server that handled the initial request. |
| | Expression | CLIENT.UDP.RADIUS.USERNAME | Expression used with the TOKEN load balancing method for RADIUS. Directs all requests that match the expression to the service selected by the load balancing method. |
| | Certificate Required | No | N/A |
| Service Group | Protocol | RADIUS | Required for load balanced RADIUS instances. |
| | Monitor | UDP or RADIUS Monitor (preferred) | Custom monitor used to monitor the availability of the RADIUS servers. More information on monitor setup can be found here. |
| | Service Group Member Port | 1812 | Port to match the VIP's RADIUS port. |
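As an added worked example (not part of the original article), the RADIUS VIP from the table above as Citrix ADC CLI commands, with the TOKEN method keyed on the User-Name, the optional net profile, and the RADIUS monitor from the Monitors section. The addresses, names, the shared secret placeholder and the dummy monitor user are assumptions.

```nscli
# Added example, not from the original article. Assumed values: VIP 10.0.0.15,
# RADIUS/NPS servers 10.0.3.11/.12, SNIP 10.0.0.5 registered as a RADIUS client.
add server nps01 10.0.3.11
add server nps02 10.0.3.12

# RADIUS monitor: 4 second timeout, accept Access-Accept (2) and Access-Reject (3).
# The user is deliberately non-existent: a Reject still proves the server is up
# and no real account password has to be stored in the ADC configuration.
add lb monitor mon_radius RADIUS -userName monitor-ping -password "not-a-real-password" -radKey "<shared secret>" -respCode 2 3 -interval 5 -resptimeout 4 -downTime 30

add serviceGroup sg_radius RADIUS -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 120 -svrTimeout 120
bind serviceGroup sg_radius nps01 1812
bind serviceGroup sg_radius nps02 1812
bind serviceGroup sg_radius -monitorName mon_radius

# TOKEN method on the RADIUS User-Name: every packet for one user (including
# the Access-Challenge round trips of an OTP flow) lands on the same server.
add lb vserver lb_vsrv_radius RADIUS 10.0.0.15 1812 -persistenceType NONE -lbMethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME -cltTimeout 120
bind lb vserver lb_vsrv_radius sg_radius

# Optional: pin the SNIP used towards the RADIUS servers so a single RADIUS
# client entry (and shared secret) on the server side matches the ADC.
add netProfile np_radius -srcIP 10.0.0.5
set lb vserver lb_vsrv_radius -netProfile np_radius
```

Because RADIUS discards packets whose source is not a registered client, a member that stays DOWN after this is usually an address that is not registered on the RADIUS server (the NSIPs for the monitor, the SNIP for traffic) or a shared secret mismatch, not a network issue.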
LDAPS
The following table contains load balancing configuration for LDAPS (LDAP over TLS on TCP 636). The same configuration would work just as well for LDAP with StartTLS (an LDAPv3 extended operation, negotiated on TCP 389), since in both cases the ADC passes the TCP stream through and the client negotiates TLS with the back-end server. In the table below, we are assuming the VIP will be used only by the Citrix ADC itself, so using TCP is the more practical choice, allowing the client (in this case the ADC) to negotiate TLS with the back-end server. If the LDAPS VIP is intended to be used by other clients, SSL_TCP should be used (which requires a certificate on the virtual server) to terminate TLS at the ADC.
| Component | Category | Configuration | Notes |
|---|---|---|---|
| Virtual Server | Protocol | TCP | Suitable for use by Citrix Gateway or an AAA vServer (which also allows the use of an APIPA VIP such as 169.254.100.x to save firewall rules and IP addresses). |
| | Port | 636 | LDAPS uses port 636. |
| | Persistence | None | No persistence needs to be configured. |
| | Method | Least Connection | Default configuration. |
| | Certificate Required | No | N/A |
| Service Group | Protocol | TCP | Required to match the virtual server protocol. |
| | Monitor | LDAPS Monitor | Custom monitor used to monitor the availability of the LDAP servers. More information on monitor setup can be found here. |
| | Service Group Member Port | 636 | Port on which LDAPS generally listens. |
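As an added worked example (not part of the original article), the TCP passthrough LDAPS VIP from the table above as Citrix ADC CLI commands, the LDAP monitor from the Monitors section, and the LDAP authentication action that consumes the VIP. Because the ADC is the TLS client here, the action is where server certificate validation happens; without it the bind credentials would be sent to whatever answers on 636. The addresses, domain, account names and the expected certificate name are assumptions, and the issuing CA certificate is assumed to be installed on the ADC already.

```nscli
# Added example, not from the original article. Assumed values: APIPA VIP
# 169.254.100.10, domain controllers 10.0.4.11/.12, domain corp.example,
# monitor account svc_ldapmon, bind account svc_ldapbind, DC certificates
# issued for dc.corp.example by a CA already installed on the ADC.
add server dc01 10.0.4.11
add server dc02 10.0.4.12

# LDAP monitor is a Perl script (nsldap.pl), so it probes from the NSIP: allow
# NSIP -> 636 on the DCs. The password must not contain a semicolon, because
# the script's arguments are passed as one semicolon-delimited string.
add lb monitor mon_ldaps LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -interval 5 -resptimeout 2 -downTime 30 -secure YES -baseDN "dc=corp,dc=example" -bindDN "svc_ldapmon@corp.example" -filter "cn=builtin" -password "<monitor account password>"

add serviceGroup sg_ldaps TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000
bind serviceGroup sg_ldaps dc01 636
bind serviceGroup sg_ldaps dc02 636
bind serviceGroup sg_ldaps -monitorName mon_ldaps

# TCP passthrough VIP on a link-local address: reachable only by the ADC itself,
# no certificate on the vserver, TLS is negotiated end to end with the DC.
add lb vserver lb_vsrv_ldaps TCP 169.254.100.10 636 -persistenceType NONE -lbMethod LEASTCONNECTION -cltTimeout 9000
bind lb vserver lb_vsrv_ldaps sg_ldaps

# LDAP action pointing at the VIP. -validateServerCert makes the ADC check the
# DC's certificate chain; since the VIP has no DNS name, -ldapHostName supplies
# the name the certificate must carry.
add authentication ldapAction ldap_corp -serverIP 169.254.100.10 -serverPort 636 -secType SSL -validateServerCert YES -ldapHostName dc.corp.example -ldapBase "dc=corp,dc=example" -ldapBindDn "svc_ldapbind@corp.example" -ldapBindDnPassword "<bind account password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -ssoNameAttribute userPrincipalName
```

The bind account only needs read access under the base DN; give it nothing more, since its password sits in the ADC configuration. If the action fails after enabling validation, check that each DC certificate includes dc.corp.example (or the name you set) in its CN or SAN and chains to a CA the ADC has installed.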
Monitors
The following table contains the configuration details of the monitors configured for the various load balancing virtual servers:
| Component | Category | Configuration | Notes |
|---|---|---|---|
| Citrix XML Monitor | Type | CITRIX-XD-DDC | Type of monitor being used. |
| | IP Source | SNIP | Monitor traffic sources from the SNIP. |
| | Destination IP | Bound Service | Default configuration. |
| | Port | N/A | Not applicable. |
| | Secure | Yes | It is assumed XML is secured. |
| | Down Time | 30 seconds | Default value. |
| | Response Time Out | 2 seconds | Default value. |
| | Interval | 5 seconds | Default value. |
| | Validate Credentials | Optional | Additional check that the Delivery Controllers can actually authenticate a user, even when the standard monitor probe succeeds. The service account used should have access to the Delivery Controllers; use a dedicated, least-privilege account, as its password is stored in the ADC configuration. |
| Citrix StoreFront Monitor | Type | STOREFRONT | Type of monitor being used. |
| | IP Source | SNIP and NSIP | Monitor traffic sources from the SNIP as well as the NSIP, depending on configuration. Assume both. |
| | Destination IP | Bound Service | Default configuration. |
| | Port | N/A | Not applicable. |
| | Secure | Yes | It is assumed the StoreFront servers are secured with certificates. |
| | Down Time | 30 seconds | Default value. |
| | Response Time Out | 2 seconds | Default value. |
| | Interval | 5 seconds | Default value. |
| | Store Name | TBD | Name assigned to a StoreFront store. If the store does not exist, the monitor will fail. |
| | StoreFront Account Service | Enabled | Probes the store's account service to determine the state of the StoreFront store. If the separate Check Backend Services option is also enabled, the probe additionally talks to the Citrix Service Monitor on TCP 8000 on each StoreFront server, so that port must be reachable from the ADC. |
| Citrix Director Monitor | Type | HTTP (Secure) | HTTP monitor with Secure enabled; Citrix ADC has no separate HTTPS monitor type. |
| | IP Source | SNIP | Monitor traffic sources from the SNIP. |
| | Destination IP | Bound Service | Default configuration. |
| | Port | N/A | Not applicable. |
| | Secure | Yes | SSL is being used. |
| | Down Time | 30 seconds | Default value. |
| | Response Time Out | 2 seconds | Default value. |
| | Interval | 5 seconds | Default value. |
| | HTTP Request | GET /Director/LogOn.aspx?cc=true | Custom HTTP request. |
| | Response Code | 200, 302 | HTTP response codes that indicate an available back-end Director server. Response code 302 is returned when Single Sign-On is enabled on Director. |
| RADIUS Monitor | Type | RADIUS | Type of monitor being used. |
| | IP Source | SNIP | Monitor traffic sources from the SNIP. |
| | Destination IP | Bound Service | Default configuration. |
| | Port | N/A | Not applicable. |
| | Secure | N/A | Not applicable. |
| | Down Time | 30 seconds | Default value. |
| | Response Time Out | 4 seconds | Increased from the 2 second default to accommodate RADIUS response times. |
| | Interval | 5 seconds | Default value. |
| | Response Code | 2, 3 | RADIUS response code 2 indicates Access-Accept and 3 indicates Access-Reject. Either result means the RADIUS server is functional. |
| | RADIUS Key | RADIUS key value | RADIUS shared secret configured on the RADIUS server for the ADC's client entry. |
| | RADIUS Credentials | Username and Password | Credentials the monitor authenticates with. Ensure they do not expire or change. If using Microsoft NPS, a non-existent "ping" user name can be used: the Access-Reject (code 3) still shows the server is responding, and no real account password has to be stored on the ADC. |
| LDAPS Monitor | Type | LDAP | Type of monitor being used. |
| | IP Source | NSIP | As the LDAPS monitor uses a Perl script, monitor traffic sources from the NSIP. |
| | Destination IP | Bound Service | Default configuration. |
| | Port | N/A | Not applicable. |
| | Secure | Yes | To be used when employing LDAPS. |
| | Down Time | 30 seconds | Default value. |
| | Response Time Out | 2 seconds | Default value. |
| | Interval | 5 seconds | Default value. |
| | Base DN | dc=<value>,dc=<value> | Domain name in LDAP format. |
| | Bind DN | <Service account UPN> | UPN of a service account in the domain that can read the objects under the Base DN. Alternatively, the sAMAccountName can be used in the format <DOMAIN>\<serviceacct>. |
| | Filter | cn=builtin | Ensures the search does not return the entire domain, which is unneeded for a monitor. |
| | Password | <Service account password> | Service account password. It must not contain a semicolon: the monitor's Perl script receives its arguments as a semicolon-delimited string and cannot parse it otherwise. |
-
Chetan Kini
Chetan is a consultant focused on virtualization and cloud technologies. Chetan has years of experience in professional and managed services and has specialized in end-user computing with organizations across North America.