How to load balance 2 servers having Citrix secure gateway and Web interface.

Posted on 2009-04-20
Last Modified: 2012-05-06
Hi experts, we are planning to load balance our Citrix Secure Gateway and Web Interface servers. Actually, in our environment we have 1 server in the DMZ with Citrix SG and WI installed on the same server, and we also have an SSL certificate. We are planning to have 1 more server installed with Citrix SG and WI for load balancing with BigIP (hardware device). So could you please explain what we need to do with the second server having CSG and WI installed, so that it can be load balanced with the first server? Can we clone the second server from the first one and then change the name of the server? What about the SSL certificate?
Question by:anupam1983

    Expert Comment

    by:Carl Webster
    Citrix does not recommend or support load balancing when both CSG and WI are on the same server.  You will find lots of people who have tried it, and it works for a while, then just stops; reboot the servers and it works for a while and then just stops.

    If you use a wildcard SSL cert, export the private key and then import it on the 2nd server.  Otherwise, SSL certs are hardware specific.  IIS is computer name specific.  It would be faster to just clone a base OS and then install IIS, WI, SSL cert and then CSG.  It doesn't take that long to do and you don't have to worry about, or try to fix, cloning issues.

    Expert Comment

    I agree, clean build is better than a clone in this case; you are not talking about hundreds of servers here.  You will likely need to repair issues with the IIS metabase if you try a clone anyhow.  I have not tried load balancing these servers in the past but I would watch out for issues like Carl mentions.  
    With the F5 switch, you must be very careful to configure your persistent sessions (stickies) so you have one flow always coming back to the same server.  You could consider using session cookies, URL cookies, or perhaps SSL ID persistence.  I have taken a class on the Cisco CSS 11501 and I would imagine the features are pretty similar.  You absolutely cannot have a session start on one server and then come back to the other one; the other will not know anything about the session ticket in Citrix or the SSL session at the TCP layer for that matter.  
    Another option that may be more stable (in light of Carl's response about stability) would be to use the second WI/CSG setup as a standby only.  You can create a "server of last resort" so it only comes into play once the lead box goes down.  You do not gain from the power of the second box but you are redundant at that point and have a simpler system to troubleshoot.  You can also configure "sorry servers" or static pages to dish out in the event both of your real servers are down.  In this case you could even have a few static ICA files posted to provide basic access to resources.  

    Anyway, in concept it sounds fine but it sounds like you have some major testing to do.  

    Author Comment

    Hi CarlWebster/BLipman,
    Thanks for your valuable information. So shall I go for 2 WI servers and 1 CSG server, or 2 separate WI and 2 separate CSG servers? Two will be in production and two will be stand alone.

    In my current setup, CSG & WI are configured on a single server, so how do I separate the CSG & WI onto two different servers? Kindly suggest.

    Expert Comment

    by:Carl Webster
    I have never seen a document FROM CITRIX that shows how to load balance CSG.

    I would move the Web Interface to another server, add a 2nd WI server, NLB them and then reconfigure your CSG box to point to the virtual IP of the NLB WI servers.

    Accepted Solution

    He is going to have an F5 hardware LB switch so instead of NLB I would use the F5.  You would set up a VIP for WI traffic and take it to the two Web Interface "real servers".  Then, another VIP would balance the 443 CSG traffic between the boxes.  I would highly suggest making one a higher weight or somehow only loading users onto it if the main one is down; at least until you determine you need to distribute load, not just availability.  
    To split the two systems, just install a new Web Interface or a new CSG box and reconfigure to point to the separate server.  The CSG setup routine asked if the WI was on a separate server or the same one.  I would just start off using port 80 and unsecured between the WI and CSG until you want to get fancier.  Then you can consider back end SSL and/or SSL Relay but those can really throw you for a loop so KISS for now.  

    Here is how I would do it:
    First, build a new WI box and place it in the network, get it working just from WI to the Citrix farm.  Then, take the existing CSG box, re-run the setup program for secure gateway and configure it to point to the new WI server.  Get this working through the CSG, passing to the WI, then to the farm.  After you have one server working, get the second CSG and WI boxes built, test them separately, then start putting the load balancer into the mix.  
    If you jump right in you will probably miss a step during your testing and wind up doing hours of needless troubleshooting.  Definitely do this in increments and verify success as you go.  

    In the end, you want to wind up with a Virtual IP address users come into from the outside, it resolves to the F5, the F5 balances to a main server unless it is down and then it goes to the second.  This should work fine if you get through the setup.  
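
The persistence and active/standby behaviour discussed in the answers above, as an added example that is not part of the original thread: a toy Python model in which each gateway node keeps its session tickets only in local memory. The `Gateway` and `Balancer` classes, node names and client IPs are constructed for illustration; this is not F5 or Citrix code.

```python
# Added illustration (not from the thread): toy model; names and IPs are constructed.
import itertools
import secrets

class Gateway:
    """One CSG/WI box; session tickets exist only in this node's memory."""
    def __init__(self, name):
        self.name, self.up, self.tickets = name, True, set()
    def login(self):
        self.tickets.add(ticket := secrets.token_hex(8))
        return ticket
    def launch(self, ticket):
        return ticket in self.tickets      # ticket issued by the other node: unknown

class Balancer:
    def __init__(self, nodes, persist, priority=None):
        self.nodes, self.persist = nodes, persist
        self.priority = priority or {n.name: 0 for n in nodes}
        self.table = {}                    # client IP -> node, read only if persist
        self.rr = itertools.cycle(nodes)
    def pick(self, client_ip):
        node = self.table.get(client_ip) if self.persist else None
        if node is None or not node.up:
            live = [n for n in self.nodes if n.up]
            if not live:
                return None                # both down: the "sorry server" case
            top = max(self.priority[n.name] for n in live)
            best = [n for n in live if self.priority[n.name] == top]
            node = next(n for n in self.rr if n in best)   # round robin in top tier
            self.table[client_ip] = node
        return node

def broken_sessions(lb, clients):
    # Each client logs in, then launches an app over a second connection.
    broken = 0
    for ip in clients:
        ticket = lb.pick(ip).login()
        broken += not lb.pick(ip).launch(ticket)
    return broken

def demo():
    clients = [f"198.51.100.{i}" for i in range(1, 5)]
    pair = lambda: [Gateway("csg1"), Gateway("csg2")]
    plain = broken_sessions(Balancer(pair(), persist=False), clients)
    sticky = broken_sessions(Balancer(pair(), persist=True), clients)
    lb = Balancer(pair(), persist=True, priority={"csg1": 10, "csg2": 5})
    standby = broken_sessions(lb, clients), len(lb.nodes[1].tickets)
    lb.nodes[0].up = False                 # primary fails; standby takes over
    return plain, sticky, standby, lb.pick(clients[0]).name
```

`demo()` returns `(4, 0, (0, 0), 'csg2')`: all four sessions break under plain round robin, none break with stickiness, and in the weighted setup the standby issues no tickets until the primary is marked down.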

    Author Closing Comment

    If you have any documents please provide.
