Can anyone help me understand Netscaler GSLB pl ?  This is what I am planning to do...

2 physical Sites
2 Netscaler Vpx appliances in each Site
Site A will have Vip1 (HA between 2 netscalers in that site)
Site B will bave Vip 2 ( HA between 2 netscalers in that site)

External users hit the URL lets say. which has external IPaddress NATTED to our internal Ipaddress.

I got GSLB liceince.

My plan is to hit GSLB IP, goes to Site A , failover to Site B .

How do I make this happen ?  How many IP's I need in total

The Ip's I got so far are:

Netscaler 1 - nsip, snip, Vip
same for the other 3 netscalers....
where do i configure GSLB Ipaddress ?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Brian MurphyIT ArchitectCommented:
You probably should start with your DNS Delegation, yes?

You have a FQDN of

That A record, from zone must be.......delegated?

And the next depends on whether you are using SPLIT DNS or have dedicated external zone and manage your own DNS or third party.

Start with

And here is a primer, PDF download
You don't have gslb ips only vip ips. Think of gslb as intelligent dns. You create gslb services which correlate to each sites vip address. Gslb has the logic action of custommethod or something like that and you set up the gslb vserver with only the service cooresponding to your primary site. Then you create a secondary gslb vserver that cooreaponds to your secondary vip address. Then set the backup vserver on your primary vserver accordingly. This makes it so anytime your primary is detected up that is the ip yoy clients will resolve to. Keep in mind that until the clients dns cache expires on the TTL of the record your clients will still go to the wrong site getting blackholed. So set the TTL accordingly and know that you have a possible outage of 2x that value. Or longer if clients dont adhere to the TTL.
jafrullahmAuthor Commented:
sorry not very clear yet.  In my scenario where 2 sites with 2 netscalers each.  What ip should be natted with external ip ?

How many external ip's do i need ?

Which internal ipaddress should be natted to the external ip ?

So, gslb is a service binded to VIP of Site A and same for Site B ?

So, in my case I will have 2 gslb services ? What is gslb server ?

Again my setup consists of 4 Netscalers , 2 in each site.  How my IP's I need with having one external URL for the users.

Please explain step by step in detail if possible ?
When it comes to IPs each vip is by itself. So if the vip itself doesnt have an external ip then that has to be natted. However at gslb layer it of course needs to know how to monitor the vip as well as what to give the client so there is a public ip parameter for the service definition that must match the public ip being natted
jafrullahmAuthor Commented:
sorry not clear.   Let me put it with example.   External users type this url which has External IPaddress.  So, which internal IP should i Nat this external IPadress to ? VIP 1 ?
If that is the case then VIP 2 also needs to be natted to the same external IP ? or should I have 2nd external ipaddress linked to the same url ?
No, each vip has its own IP.  Here is how GSLB works

GSLB VIP:  (this is what clients uses to access your app)
Site 1 VIP: (internal IP assigned)
Site 1 Firewall: nat configuration for public ip/internal ip for vip
Site 2 VIP: (internal IP assigned)
Site 2 Firewall: nat configuration for public ip/internal ip for vip

Now when the client does a DNS request for, GSLB will give out one of the 2 public IPs.  When the client tries to connect and hits the firewall, the firewall will NAT the traffic and relay to the vip.

Config example:

Site 1 VIP:
add lb vserver site1vip HTTP 80
... **servicegroup, etc. left off

Site 1 FW:
NAT of to

Site 1 DNS Entry: A

Site 2 VIP:
add lb vserver site2vip HTTP 80
... ** servicegroup, etc. left off

Site 1 FW:
NAT of to

Site 2 DNS Entry: A

add server citrix-site1-vip
add server citrix-site2-vip
add gslb vserver citrix.myco_primary HTTP -lbmethod CUSTOMLOAD -backuplbmethod ROUNDROBIN
add gslb vserver citrix.myco_secondary HTTP -lbmethod CUSTOMLOAD -backuplbmethod ROUNDROBIN
set gslb vserver citrix.myco_primary -backupvserver citrix.myco_secondary
add gslb service citrix-site1 citrix-site1-vip HTTP 80 -publicIP -publicport 80 -sitename "Site 1"
add gslb service citrix-site2 citrix-site2-vip HTTP 80 -publicIP -publicport 80 -sitename "Site 2"
bind gslb vserver citrix.myo_primary -domainname -TTL 60
**NOTE: you need to define sites as well as they are mandatory config for services
**service to vserver binding and monitor to service binding left off

What I would also recommend actually so you don't have to delegate the entire zone to the GSLB netscaler, is to create a subdomain like and delegate that from the main DNS servers.  Then you'd do a domainname gslb config instead and then do a CNAME from the main DNS servers of aliasing the gslb vip name of

In this way, GSLB will know the public IP to give to clients, and the local IPs to monitor.  HOWEVER, if the GSLB is on the public side of the NAT'ing you're doing then the add server's should reference the public IP, NOT the private IP.

hope all of that makes more sense.
jafrullahmAuthor Commented:
Hi Cyclops3590

  Thanks for the explanation.  I am beginning to understand this now but not 100% yet.   I am not very good with DNS so trying to understand it slowly.

Now that you understand our setup, let me put down what I understood and the doubts I have.

In total these are the IP’s I need:
SiteA:  5 Internal IP’s (2 snips, 2 Nsip’s and 1 Vip)
SiteB: 5 Internal IP’s (2 snip’s, 2 nsip’s and 1 Vip)

3 External IP’s in total: One for Site A – Natted to VIP of siteA , One for Site B – Natted to VIP of SiteB
3rd for main GSLB VIP:…..   correct ?
Now, do we not do Natting of GSLB external IP to any internal IP ?

You said  "Now when the client does a DNS request for, GSLB will give out one of the 2 public IPs"

When users type  -  where does it land ?  I mean where does GSLB take place to decide which site VIP it should hit ? or which one of the 2 public IP's to give out ?

What entries or steps , do I need on our Internal DNS Servers ?

I take it, on external DNS server, I would need 3 entries ? – ext ip1 – ext ip 2 which is natted to vip1 – ext ip 3 which is natted to vip 2

  Sorry if I am confusing you or asking repeated questions, its just that I am trying to get the basics right.
>>3rd for main GSLB VIP:…..   correct ?

No, there is no IP here.  GSLB is DNS.  You'll need to configure an ADNS "vip" on the GSLB netscaler that makes the netscaler become a DNS server.  This is where DNS queries will be directed to.  

So when the client says, gimme an IP for, the netscaler will see the gslb vserver with a domainname value of and know this is the vserver associated with that name.  from there it looks at the services bound to the vserver to see which are UP.  Of those it will issue back one of them depending on lbmethod.  In this case, you are doing primary/secondary so if the primary site is up, it'd be the only service bound that is UP and thus GSLB would reply to DNS query with that IP.  If the primary site is down, it'd be marked DOWN and the primary gslb vserver would be marked down and in turn queries would fall to the backupvserver; the secondary gslb vserver with the secondary site bound.  In this case the GSLB would send that IP back (if down, it should still send that IP i believe as it'd be the only service and queries would fall to the backupvserver still).

Now, how does GSLB determine if a site is UP or DOWN?  It does it by monitoring the IP associated with the 'server' specified and the port
add gslb service citrix-site1 citrix-site1-vip HTTP 80 -publicIP -publicport 80 -sitename "Site 1"
                                                           ^server             ^port
not written above but you have to bind a monitorname (typically tcp) to the service as well.  This is the healthcheck used to see if the vip is responding.  If it doesn't respond then it will be marked DOWN.

You will only see one of two external IPs. site1 or site2.  Think of GSLB as being an alias for the vips associated with it.  In this case, you associate site 1 and site 2 vips with the GSLB name.  All GSLB has to do is figure out which of the addresses associated with those site vips has to be returned with the DNS reply.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jafrullahmAuthor Commented:
Thanks for the detailed explanation.  I think it is clear now.  I am about to install it and let you know how it goes but this is good enough for me to start.  One quick one, I setup one netscaler with NSIP and SNIP.  Going to setup 2nd netscaler which is going to be in HA pair. I read somewhere that they both share same SNIP ? is that true and what is the reason ?  SNIP is used by netscaler to communicate with other devices on the network right ? NSIP should be unique which is used to manage the network.  What is the purpose of having common SNIP for HA pair ?
Good question.  To answer though I want to explain the difference between NSIP and SNIP
NSIP = Netscaler IP
SNIP = Subnet IP
NSIP is the address directly assigned to each netscaler, regardless of being stand-alone, HA peer, or cluster peer.  This is typically reserved for mgmt traffic (ssh'ing, snmp polling, snmp trap sending, syslog sending, etc.)
SNIP is the address that is assigned to the "group".  The group can be a single stand-alone netscaler, an HA pair, or a cluster (cluster is slightly different, but rough concept is the same).  Typically this is used to talk to other devices as part of actual data traffic (non-mgmt traffic)

So you'll have a SNIP for every subnet that you attach to the netscaler.  So depending on how you are architecting your load balancing environment and how many vlans/subnets you need to bind to the netscaler pair, you'll need an IP in each subnet and have to configure a SNIP for each subnet.  

With that said, there is a slight exception to that rule, the mgmt vlan that you configure the NSIP in.  There is no "true" need to have a SNIP in that subnet, however it isn't a dumb idea to do either as it can make some mgmt easier.  The reason is that when you have a HA pair, whichever node is the primary will own all floating IPs (SNIPs are floating).  Floating IPs is just a fancy term for saying whichever is primary owns the IP and the secondary will in essence only be accessible over the NSIP.  What that means is the mgmt vlan SNIP will always be on the primary.  Thus if you want to monitor (via polling) or access the primary (via ssh/https) you can use the mgmt vlan SNIP and never have to guess which is the current primary.

Now to finish up about the SNIP for HA pair.  Like I said, it depends on your architecture.  There are 2 main architectures I'm aware of: server vlan setup or VIP-SNIP setup.  Server vlan means that that the HA pair will have a SNIP in the same subnet as the servers that will be load balanced actually exist.  This also generally means the VIP that users access will typically be in the subnet as well.  This simplifies a few things.  For one, you only have to put a single vlan bound to the netscaler and have a single SNIP.  User traffic will come into the VIP and the LB in turn will use the SNIP as the source when connecting to the server.  Since there is no L3 device between them, meaning no ACLs, it helps simplify the access and latency from LB to server.  The VIP-SNIP arch. would have 2 vlans bound, each with their own SNIP; one in the VIP vlan and one in the SNIP vlan.  (Sorry if the naming is getting confusing but they're named by their function).  The VIP vlan would house only VIPs the client uses to connect to and the SNIP vlan would be small like a /29 as the only IPs in there are ones used by the LB to talk to the server.  So why have a SNIP in the VIP vlan?  for one, completeness and being able to test you can reach the GW in that subnet, but there are a few cases where this is needed (I just can't recall at the moment what they are).  While obviously you have to now do ACLs from LB to server, you can simply add more VIP vlans later if needed and don't have to worry about the subnet getting filled with server IPs.  Also, if the LB is compromised they don't have a direct leg into the server vlan.

To summarize:
NSIP is assigned directly to a single netscaler, always
SNIP is assigned to a "group" of netscalers and is only active on the current primary
NSIP is for mgmt traffic whether accessing the netscaler or the netscaler sending data elsewhere
SNIP is for data traffic and is generally only used when the netscaler is initiating traffic to a server it needs to talk to.
jafrullahmAuthor Commented:
Thanks for the explanation.   I read this statement in QA of Netscaler webinar last week . "(This is also a common best practice to enable MgmtAccess on a SNIP in management VLAN, so that you always connect to the Active Netscaler and never by accident to the Passive Netscaler ".   Does that mean , once we have HA enabled, we can configure to connect to manage HA by using SNIP ? where do i configure this ?
very simple actually.  just add another snip but ensure its in the same vlan as the NSIPs.  then set that snip "set ns ip X.X.X.X" to have mgmt access enabled.  but make sure to disable telnet/ftp, etc. and make it secure; same as the nsip addresses.
jafrullahmAuthor Commented:
Sorry bit confused.  I have currently assigned same SNIP to both netscalers in HA. This SNIP is in the vlan as both NSIP's.  you said add another snip ? can we not use existing SNIP which is common to both ?
Is there any option in GUI to enable management access on SNIP ?
Under normal conditions only a single SNIP is needed per vlan you bind.  Remember, SNIPs "float" to whichever is the primary so you can't add a SNIP to each netscaler.  In fact, you should only add snips on whichever is the primary at the time.  The reason is that snip configs are one of the many config parts that are sync'ed in an HA pair.

So as an example, lets say you are doing the server vlan approach where the vips and servers and load balancer all exist in the same vlan/subnet ( and will bind to interface 1/1.  You're mgmt interface you want separate so not to have mgmt traffic influence data traffic and that will go in vlan/subnet ( and bind to interface 0/1

So when you're setting things up, you do the following
Setup NSIP of and bind its vlan to 0/1
Setup SNIP of (vlan already bound to 0/1)
Setup SNIP of and bind its vlan and the IP to 1/1
*NOTE: there is a reason for not binding the IP to the 0/1 interface but binding the 54 IP to the 1/1 but that is beyond this question
Setup HA peer of
Do other setup you wish to do
*NOTE: at this point the netscaler is configured to be in an HA pair and since its already in the pair, it'll become the primary.  It is already also searching for netscaler2 at to finishing up the pairing, sync config/files, and determine status.  so a sh ha node at this point will show unknown for the second node

Setup NSIP of and bind vlan to 0/1
Setup HA peer of
Wait a few seconds and run sh ha node.  It should now show a healthy pair.
jafrullahmAuthor Commented:
Ok, so having seperate SNIP on different vlan to  NSIP and enabling only Management access on that SNIP , is a good practice ?  

Actually I dont have multiple VLAN's here, just one vlan in the dmz that I have been given.  So, can i enable management access to the only SNIP that I have and login to this SNIP instead of primary NS to make changes ?
By default telnet,ftp ssh etc are ticked, can i leave them ticked ? Do i have to have secure access only checked ?
mgmt access should ONLY be enabled on IPs that are in a secured area; typically a separate subnet.  definitely not a DMZ.  if you're going to put it in the DMZ then I would definitely untick telnet and ftp.  please take no offense, but if you don't know why running mgmt access, especially telnet in a DMZ is a bad idea, you should pry look into hiring a consultant to help out.  again, not trying to offend, just saying you may be in over your head on this one and need more help than can be provided via chatting on an internet forum.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.