  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4313

How to load balance 2 servers having Citrix Secure Gateway and Web Interface.

Hi experts, we are planning to load balance our Citrix Secure Gateway and Web Interface servers. Actually, in our environment we have 1 server in the DMZ with Citrix SG and WI installed on the same server, and we also have an SSL certificate. We are planning to have 1 more server installed with Citrix SG and WI for load balancing with a BigIP (hardware device). So could you please explain what we need to do with the second server having CSG and WI installed, so that it can be load balanced with the first server? Can we clone the second server from the first one and then change the name of the server? What about the SSL certificate?
Asked by anupam1983
1 Solution
 
Carl Webster commented:
Citrix does not recommend or support load balancing when both CSG and WI are on the same server. You will find lots of people who have tried it: it works for a while and then just stops; reboot the servers and it works for a while and then just stops again.

If you use a wildcard SSL cert, export the private key and then import it on the 2nd server. Otherwise, SSL certs are hardware specific. IIS is computer name specific. It would be faster to just clone a base OS and then install IIS, WI, the SSL cert and then CSG. It doesn't take that long to do, and you don't have to worry about, or try to fix, cloning issues.
0
 
BLipman commented:
I agree, a clean build is better than a clone in this case; you are not talking about hundreds of servers here. You will likely need to repair issues with the IIS metabase if you try a clone anyhow. I have not tried load balancing these servers in the past, but I would watch out for issues like Carl mentions.

With the F5 switch, you must be very careful to configure your persistent sessions (stickies) so you have one flow always coming back to the same server. You could consider using session cookies, URL cookies, or perhaps SSL ID persistence. I have taken a class on the Cisco CSS 11501 and I would imagine the features are pretty similar. You absolutely cannot have a session start on one server and then come back to the other one; the other will not know anything about the session ticket in Citrix or the SSL session at the TCP layer, for that matter.

Another option that may be more stable (in light of Carl's response about stability) would be to use the second WI/CSG setup as a standby only. You can create a "server of last resort" so it only comes into play once the lead box goes down. You do not gain from the power of the second box, but you are redundant at that point and have a simpler system to troubleshoot. You can also configure "sorry servers" or static pages to dish out in the event both of your real servers are down. In this case you could even have a few static ICA files posted to provide basic access to resources.

Anyway, in concept it sounds fine, but it sounds like you have some major testing to do.
0
 
anupam1983 (Author) commented:
Hi Carl Webster/BLipman,
Thanks for your valuable information. So shall I go for 2 WI servers and 1 CSG server, or 2 separate WI and 2 separate CSG servers? Two will be in production and two will be standalone.

In my current setup CSG & WI are configured on a single server, so how do I separate the CSG & WI onto two different servers? Kindly suggest.
0
 
Carl Webster commented:
I have never seen a document FROM CITRIX that shows how to load balance CSG.

I would move the Web Interface to another server, add a 2nd WI server, NLB them and then reconfigure your CSG box to point to the virtual IP of the NLB WI servers.
0
 
BLipman commented:
He is going to have an F5 hardware LB switch, so instead of NLB I would use the F5. You would set up a VIP for WI traffic and take it to the two Web Interface "real servers". Then, another VIP would balance the 443 CSG traffic between the boxes. I would highly suggest making one a higher weight, or somehow only loading users onto it if the main one is down; at least until you determine you need to distribute load, not just availability.

To split the two systems, just install a new Web Interface or a new CSG box and reconfigure to point to the separate server. The CSG setup routine asked if the WI was on a separate server or the same one. I would just start off using port 80 and unsecured between the WI and CSG until you want to get fancier. Then you can consider back-end SSL and/or SSL Relay, but those can really throw you for a loop, so KISS for now.

Here is how I would do it:
First, build a new WI box and place it in the network; get it working just from WI to the Citrix farm. Then, take the existing CSG box, re-run the setup program for Secure Gateway and configure it to point to the new WI server. Get this working through the CSG, passing to the WI, then to the farm. After you have one server working, get the second CSG and WI boxes built, test them separately, then start putting the load balancer into the mix.
If you jump right in you will probably miss a step during your testing and wind up doing hours of needless troubleshooting. Definitely do this in increments and verify success as you go.

In the end, you want to wind up with a Virtual IP address users come into from the outside; it resolves to the F5, and the F5 balances to a main server unless it is down, in which case it goes to the second. This should work fine if you get through the setup.
0
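The three load-balancer behaviours BLipman describes across his two replies (stickiness so a session always returns to the box that issued its ticket, a higher-priority primary with the second box as a "server of last resort", and a "sorry" page when both real servers are down) are easy to get wrong and easy to test for. The following is an added illustration written for this page, not code from the thread, from Citrix or from F5: a small Python model of one VIP in front of two Web Interface servers. The server names `wi1`/`wi2`, the persistence cookie name `BIGipWI`, and the toy session-ticket logic are all constructed assumptions; a real BIG-IP supplies its own cookie, source-address or SSL-session persistence and its own health monitors, and this model only reproduces the routing decisions, not their implementation.

```python
"""Constructed model of a VIP with cookie persistence, priority-group failover
and a sorry page. Illustration only; not F5 or Citrix code."""
import itertools
from dataclasses import dataclass, field

# Static page the VIP serves when no real server is healthy (constructed text).
SORRY_PAGE = {"status": 503, "body": "sorry page: no Citrix servers available"}


@dataclass
class RealServer:
    name: str
    priority: int                 # higher group serves first; lower group is standby
    healthy: bool = True
    tickets: set = field(default_factory=set)

    def handle(self, ticket):
        """Toy WI/CSG back end: a session ticket is only known to the box that issued it."""
        if ticket is None:        # fresh logon: issue a ticket scoped to this box
            ticket = f"{self.name}-t{len(self.tickets) + 1}"
            self.tickets.add(ticket)
            return {"status": 200, "server": self.name, "ticket": ticket}
        if ticket in self.tickets:
            return {"status": 200, "server": self.name, "ticket": ticket}
        return {"status": 401, "server": self.name, "ticket": ticket}  # unknown ticket


class VirtualServer:
    """One VIP in front of a pool, with priority groups and optional cookie persistence."""

    def __init__(self, pool, persist=True, cookie_name="BIGipWI"):  # cookie name assumed
        self.pool = pool
        self.persist = persist
        self.cookie_name = cookie_name
        self._rr = itertools.count()     # round-robin counter within the active group

    def active_members(self):
        """Healthy members of the highest priority group that still has a member up."""
        up = [s for s in self.pool if s.healthy]
        if not up:
            return []
        top = max(s.priority for s in up)
        return [s for s in up if s.priority == top]

    def select(self, cookies):
        active = self.active_members()
        if not active:
            return None
        if self.persist:              # honour the sticky cookie if that box is still active
            wanted = cookies.get(self.cookie_name)
            for s in active:
                if s.name == wanted:
                    return s
        return active[next(self._rr) % len(active)]

    def request(self, cookies=None, ticket=None):
        cookies = dict(cookies or {})
        server = self.select(cookies)
        if server is None:
            return dict(SORRY_PAGE)
        resp = server.handle(ticket)
        if self.persist:              # cookie-insert persistence: value names the chosen box
            resp["set_cookie"] = {self.cookie_name: server.name}
        return resp


def session(vip, n_requests, events=None):
    """Drive one user through the VIP; events maps request index -> callable (e.g. an outage).
    Returns a trace of (server, status) per request."""
    cookies, ticket, trace = {}, None, []
    for i in range(n_requests):
        if events and i in events:
            events[i]()
        resp = vip.request(cookies, ticket)
        trace.append((resp.get("server"), resp["status"]))
        ticket = resp["ticket"] if resp["status"] == 200 else None  # 401 forces a new logon
        cookies.update(resp.get("set_cookie", {}))
    return trace


def no_persistence_equal_weights():
    """Two equal members, no stickiness: the second request lands on a box that
    never issued the ticket, which is the failure BLipman warns about."""
    pool = [RealServer("wi1", 10), RealServer("wi2", 10)]
    return session(VirtualServer(pool, persist=False), 3)


def persistence_equal_weights():
    """Same pool with cookie persistence: every request returns to the issuing box."""
    pool = [RealServer("wi1", 10), RealServer("wi2", 10)]
    return session(VirtualServer(pool, persist=True), 3)


def standby_failover():
    """Primary in group 10, standby in group 5; the primary dies before request 2.
    The user is sent to the standby, must log on again, then stays there."""
    pool = [RealServer("wi1", 10), RealServer("wi2", 5)]
    vip = VirtualServer(pool, persist=True)
    return session(vip, 4, events={2: lambda: setattr(pool[0], "healthy", False)})


def all_down():
    """Both real servers down: the VIP answers with the sorry page."""
    pool = [RealServer("wi1", 10), RealServer("wi2", 5)]
    for s in pool:
        s.healthy = False
    return session(VirtualServer(pool), 1)


if __name__ == "__main__":
    for scenario in (no_persistence_equal_weights, persistence_equal_weights,
                     standby_failover, all_down):
        print(f"{scenario.__name__:30s} {scenario()}")
```

The first scenario shows why persistence is not optional here: with two equal members and no stickiness the second request reaches `wi2` with a ticket only `wi1` knows and is rejected. The failover scenario shows the trade-off of the standby design: service continues on the second box, but a session that started on the dead primary has to log on again, which is the behaviour to expect and test for before going live.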
 
anupam1983 (Author) commented:
If you have any documents please provide.
0