anupam1983

How to load balance 2 servers having Citrix Secure Gateway and Web Interface.

Hi experts, we are planning to load balance our Citrix Secure Gateway and Web Interface servers. Actually, in our environment we have 1 server in the DMZ with Citrix SG and WI installed on the same server, and we also have an SSL certificate. We are planning to have 1 more server installed with Citrix SG and WI for load balancing with BigIP (hardware device). So could you please explain what we need to do with the second server having CSG and WI installed, so that it can be load balanced with the first server? Can we clone the second server from the first one and then change the name of the server? What about the SSL certificate?
Carl Webster

Citrix does not recommend or support load balancing when both CSG and WI are on the same server. You will find lots of people who have tried it, and it works for a while and then just stops; reboot the servers and it works for a while and then just stops.

If you use a wildcard SSL cert, export the private key and then import it on the 2nd server. Otherwise, SSL certs are hardware specific. IIS is computer name specific. It would be faster to just clone a base OS and then install IIS, WI, SSL cert and then CSG. It doesn't take that long to do and you don't have to worry about, or try to fix, cloning issues.
I agree, clean build is better than a clone in this case; you are not talking about hundreds of servers here.  You will likely need to repair issues with the IIS metabase if you try a clone anyhow.  I have not tried load balancing these servers in the past but I would watch out for issues like Carl mentions.  
With the F5 switch, you must be very careful to configure your persistent sessions (stickies) so you have one flow always coming back to the same server.  You could consider using session cookies, URL cookies, or perhaps SSL ID persistence.  I have taken a class on the Cisco CSS 11501 and I would imagine the features are pretty similar.  You absolutely cannot have a session start on one server and then come back to the other one; the other will not know anything about the session ticket in Citrix or the SSL session at the TCP layer for that matter.  
Another option that may be more stable (in light of Carl's response about stability) would be to use the second WI/CSG setup as a standby only.  You can create a "server of last resort" so it only comes into play once the lead box goes down.  You do not gain from the power of the second box but you are redundant at that point and have a simpler system to troubleshoot.  You can also configure "sorry servers" or static pages to dish out in the event both of your real servers are down.  In this case you could even have a few static ICA files posted to provide basic access to resources.  

Anyway, in concept it sounds fine but it sounds like you have some major testing to do.  
anupam1983

ASKER

Hi CarlWebster/BLipman,
Thanks for your valuable information. So shall I go for 2 WI servers and 1 CSG server, or 2 separate WI and 2 separate CSG servers? Two will be in production and two will be stand alone.

In my current setup, CSG & WI are configured on a single server, so how do I separate the CSG & WI onto two different servers? Kindly suggest.
I have never seen a document FROM CITRIX that shows how to load balance CSG.

I would move the Web Interface to another server, add a 2nd WI server, NLB them and then reconfigure your CSG box to point to the virtual IP of the NLB WI servers.
ASKER CERTIFIED SOLUTION
BLipman
If you have any documents please provide.