jafrullahm asked:
Netscaler

Hi,

Can anyone help me understand Netscaler GSLB please? This is what I am planning to do...

2 physical sites
2 Netscaler VPX appliances in each site
Site A will have VIP1 (HA between the 2 Netscalers in that site)
Site B will have VIP2 (HA between the 2 Netscalers in that site)

External users hit the URL, let's say Netscaler.mydomain.com, which has an external IP address NATted to our internal IP address.

I got a GSLB licence.

My plan is to hit the GSLB IP, go to Site A, and fail over to Site B.

How do I make this happen? How many IPs do I need in total?

The IPs I got so far are:

Netscaler 1 - NSIP, SNIP, VIP
same for the other 3 Netscalers...
Where do I configure the GSLB IP address?
Brian Murphy:

You probably should start with your DNS delegation, yes?

You have an FQDN of myportal.awesome.com.

That A record, from zone awesome.com, must be... delegated?

And the next step depends on whether you are using split DNS or have a dedicated external zone and manage your own DNS or use a third party.

Start with
http://support.citrix.com/article/CTX121713

And here is a primer (PDF download):
https://support.citrix.com/servlet/KbServlet/download/22506-102-671576/gslb-primer_FINAL_1019.pdf

You don't have GSLB IPs, only VIP IPs. Think of GSLB as intelligent DNS. You create GSLB services which correlate to each site's VIP address. GSLB has the logic action of custommethod or something like that, and you set up the GSLB vserver with only the service corresponding to your primary site. Then you create a secondary GSLB vserver that corresponds to your secondary VIP address. Then set the backup vserver on your primary vserver accordingly. This makes it so that any time your primary is detected up, that is the IP your clients will resolve to.

Keep in mind that until the client's DNS cache expires on the TTL of the record, your clients will still go to the wrong site, getting blackholed. So set the TTL accordingly and know that you have a possible outage of 2x that value, or longer if clients don't adhere to the TTL.
jafrullahm (asker):
Sorry, not very clear yet. In my scenario there are 2 sites with 2 Netscalers each. What IP should be NATted with the external IP?

How many external IPs do I need?

Which internal IP address should be NATted to the external IP?

So, GSLB is a service bound to the VIP of Site A and the same for Site B?

So, in my case I will have 2 GSLB services? What is a GSLB server?

Again, my setup consists of 4 Netscalers, 2 in each site. How many IPs do I need, with having one external URL for the users?

Please explain step by step in detail if possible.
When it comes to IPs, each VIP is by itself. So if the VIP itself doesn't have an external IP, then that has to be NATted. However, at the GSLB layer it of course needs to know how to monitor the VIP as well as what to give the client, so there is a public IP parameter for the service definition that must match the public IP being NATted.
Sorry, not clear. Let me put it with an example. External users type this URL, https://citrix.mycompany.com, which has an external IP address. So, which internal IP should I NAT this external IP address to? VIP1?
If that is the case, then does VIP2 also need to be NATted to the same external IP? Or should I have a 2nd external IP address linked to the same URL https://citrix.mycompany.com?
No, each VIP has its own IP. Here is how GSLB works:

GSLB VIP: citrix.mycompany.com (this is what clients use to access your app)
Site 1 VIP: citrix-site1.mycompany.com (internal IP assigned)
Site 1 Firewall: NAT configuration for public IP/internal IP for VIP
Site 2 VIP: citrix-site2.mycompany.com (internal IP assigned)
Site 2 Firewall: NAT configuration for public IP/internal IP for VIP

Now when the client does a DNS request for citrix.mycompany.com, GSLB will give out one of the 2 public IPs. When the client tries to connect and hits the firewall, the firewall will NAT the traffic and relay it to the VIP.

Config example:

Site 1 VIP:
add lb vserver site1vip HTTP 10.2.3.4 80
... **servicegroup, etc. left off

Site 1 FW:
NAT of 1.2.3.4 to 10.2.3.4

Site 1 DNS Entry:
citrix-site1.mycompany.com A 10.2.3.4

Site 2 VIP:
add lb vserver site2vip HTTP 10.5.6.7 80
... ** servicegroup, etc. left off

Site 2 FW:
NAT of 1.5.6.7 to 10.5.6.7

Site 2 DNS Entry:
citrix-site2.mycompany.com A 10.5.6.7

GSLB:
add server citrix-site1-vip 10.2.3.4
add server citrix-site2-vip 10.5.6.7
add gslb vserver citrix.myco_primary HTTP -lbmethod CUSTOMLOAD -backuplbmethod ROUNDROBIN
add gslb vserver citrix.myco_secondary HTTP -lbmethod CUSTOMLOAD -backuplbmethod ROUNDROBIN
set gslb vserver citrix.myco_primary -backupvserver citrix.myco_secondary
add gslb service citrix-site1 citrix-site1-vip HTTP 80 -publicIP 1.2.3.4 -publicport 80 -sitename "Site 1"
add gslb service citrix-site2 citrix-site2-vip HTTP 80 -publicIP 1.5.6.7 -publicport 80 -sitename "Site 2"
bind gslb vserver citrix.myco_primary -domainname citrix.mycompany.com -TTL 60
**NOTE: you need to define sites as well as they are mandatory config for services
**service to vserver binding and monitor to service binding left off

What I would also recommend, so you don't have to delegate the entire mycompany.com zone to the GSLB Netscaler, is to create a subdomain like gslb.mycompany.com and delegate that from the main DNS servers. Then you'd do a citrix.gslb.mycompany.com domain name in the GSLB config instead, and then do a CNAME on the main DNS servers for citrix.mycompany.com aliasing the GSLB VIP name of citrix.gslb.mycompany.com.

In this way, GSLB will know the public IP to give to clients, and the local IPs to monitor. HOWEVER, if the GSLB is on the public side of the NATting you're doing, then the "add server" entries should reference the public IP, NOT the private IP.

Hope all of that makes more sense.
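To make the flow above concrete (GSLB hands out a site's public IP, the site firewall NATs it to the internal VIP, and clients keep cached answers until the TTL expires, which is the 2x TTL exposure mentioned earlier in the thread), here is an added example in Python. It is not NetScaler code and not part of the original answer: the IPs and the 60-second TTL are the constructed values from the config example above, and the two-cache chain (a recursive resolver in front of the client's stub cache) and the "both sites down returns no answer" rule are this example's own assumptions.

```python
"""Model of the GSLB answer flow from the thread: a primary GSLB vserver with a
backup vserver, per-site public IPs handed to clients (the -publicIP on each
GSLB service), NAT at each site's firewall, and client-side DNS caching.
Added example, not NetScaler code.  IPs, TTL and cache timings are constructed
values taken from the thread's config example."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class GslbSite:
    name: str
    private_vip: str   # the LB vserver IP the GSLB monitors ("add server ...")
    public_ip: str     # the NATted address handed to clients ("-publicIP")
    up: bool = True    # result of the GSLB monitor on the site's service


@dataclass
class Gslb:
    primary: GslbSite  # only service bound to the primary GSLB vserver
    backup: GslbSite   # only service bound to the -backupvserver
    ttl: int           # -TTL on the domain binding

    def answer(self) -> Optional[str]:
        """Public IP returned for citrix.mycompany.com: the primary site's while
        its monitor is up, else the backup site's.  Both down -> None here
        (assumed simplification; real behaviour depends on configuration)."""
        if self.primary.up:
            return self.primary.public_ip
        if self.backup.up:
            return self.backup.public_ip
        return None


# Site firewalls: public IP -> internal VIP, as in the thread's NAT lines.
SITE_NAT = {"1.2.3.4": "10.2.3.4", "1.5.6.7": "10.5.6.7"}


def make_gslb(ttl: int = 60) -> Gslb:
    site1 = GslbSite("Site 1", "10.2.3.4", "1.2.3.4")
    site2 = GslbSite("Site 2", "10.5.6.7", "1.5.6.7")
    return Gslb(primary=site1, backup=site2, ttl=ttl)


def connect(gslb: Gslb) -> Optional[str]:
    """Where a client's TCP connection lands after DNS + NAT: the internal VIP."""
    public = gslb.answer()
    return None if public is None else SITE_NAT[public]


class TtlCache:
    """One DNS cache (a recursive resolver, or a client's stub cache) that keeps
    an answer for exactly `ttl` seconds before asking upstream again."""

    def __init__(self, ttl: int) -> None:
        self.ttl = ttl
        self.value: Optional[str] = None
        self.expires = -1

    def get(self, now: int, fetch: Callable[[int], Optional[str]]) -> Optional[str]:
        if self.value is not None and now < self.expires:
            return self.value
        self.value = fetch(now)
        self.expires = now + self.ttl
        return self.value


def worst_case_stale_seconds(ttl: int = 60, fail_at: int = 10) -> int:
    """Seconds after the primary site fails during which one client can still
    be handed the dead public IP when two caches (recursive resolver, then the
    client's stub cache) each honour the TTL independently."""
    gslb = make_gslb(ttl)
    recursive = TtlCache(ttl)
    stub = TtlCache(ttl)
    # Another client primes the recursive resolver one second before the failure.
    recursive.get(fail_at - 1, lambda _now: gslb.answer())
    gslb.primary.up = False  # primary monitor goes down at fail_at
    # Our client resolves for the first time just before that entry expires,
    # gets the stale answer, and caches it for a further full TTL.
    now = fail_at + ttl - 2
    while True:
        ip = stub.get(now, lambda n: recursive.get(n, lambda _m: gslb.answer()))
        if ip == gslb.backup.public_ip:
            return now - fail_at
        now += 1


if __name__ == "__main__":
    g = make_gslb()
    print("primary up   ->", g.answer(), "lands on", connect(g))
    g.primary.up = False
    print("primary down ->", g.answer(), "lands on", connect(g))
    print("worst-case stale window with TTL 60:", worst_case_stale_seconds(60), "s")
```

With the thread's TTL of 60 the worst case comes out just under 120 seconds, which is the "2x that value" figure: one TTL for the recursive resolver's entry and one more for the client that fetched it at the last moment. Clients that ignore the TTL are not modelled and can be worse.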
Hi Cyclops3590,

Thanks for the explanation. I am beginning to understand this now, but not 100% yet. I am not very good with DNS, so I am trying to understand it slowly.

Now that you understand our setup, let me put down what I understood and the doubts I have.

In total these are the IPs I need:
Site A: 5 internal IPs (2 SNIPs, 2 NSIPs and 1 VIP)
Site B: 5 internal IPs (2 SNIPs, 2 NSIPs and 1 VIP)

3 external IPs in total: one for Site A, NATted to the VIP of Site A; one for Site B, NATted to the VIP of Site B;
3rd for the main GSLB VIP: citrix.mycompany.com... correct?
Now, do we not do NATting of the GSLB external IP to any internal IP?

You said "Now when the client does a DNS request for citrix.mycompany.com, GSLB will give out one of the 2 public IPs".

When users type citrix.mycompany.com, where does it land? I mean, where does GSLB take place to decide which site VIP it should hit, or which one of the 2 public IPs to give out?

What entries or steps do I need on our internal DNS servers?

I take it, on the external DNS server, I would need 3 entries?
citrix.mycompany.com - ext IP 1
citrix-site1.mycompany.com - ext IP 2, which is NATted to VIP1
citrix-site2.mycompany.com - ext IP 3, which is NATted to VIP2

Sorry if I am confusing you or asking repeated questions; it's just that I am trying to get the basics right.
ASKER CERTIFIED SOLUTION
Cyclops3590
(solution text not included on this page)
Thanks for the detailed explanation. I think it is clear now. I am about to install it and will let you know how it goes, but this is good enough for me to start. One quick one: I set up one Netscaler with NSIP and SNIP. Going to set up the 2nd Netscaler, which is going to be in an HA pair. I read somewhere that they both share the same SNIP? Is that true, and what is the reason? SNIP is used by the Netscaler to communicate with other devices on the network, right? NSIP should be unique, which is used to manage the network. What is the purpose of having a common SNIP for an HA pair?
Good question. To answer, though, I want to explain the difference between NSIP and SNIP.
NSIP = Netscaler IP
SNIP = Subnet IP
NSIP is the address directly assigned to each Netscaler, regardless of being stand-alone, HA peer, or cluster peer. This is typically reserved for mgmt traffic (SSH'ing, SNMP polling, SNMP trap sending, syslog sending, etc.)
SNIP is the address that is assigned to the "group". The group can be a single stand-alone Netscaler, an HA pair, or a cluster (cluster is slightly different, but the rough concept is the same). Typically this is used to talk to other devices as part of actual data traffic (non-mgmt traffic).

So you'll have a SNIP for every subnet that you attach to the Netscaler. So depending on how you are architecting your load balancing environment and how many VLANs/subnets you need to bind to the Netscaler pair, you'll need an IP in each subnet and have to configure a SNIP for each subnet.

With that said, there is a slight exception to that rule: the mgmt VLAN that you configure the NSIP in. There is no "true" need to have a SNIP in that subnet; however, it isn't a dumb idea to do so either, as it can make some mgmt easier. The reason is that when you have an HA pair, whichever node is the primary will own all floating IPs (SNIPs are floating). Floating IPs is just a fancy term for saying whichever is primary owns the IP, and the secondary will in essence only be accessible over the NSIP. What that means is the mgmt VLAN SNIP will always be on the primary. Thus if you want to monitor (via polling) or access the primary (via SSH/HTTPS) you can use the mgmt VLAN SNIP and never have to guess which is the current primary.

Now to finish up about the SNIP for an HA pair. Like I said, it depends on your architecture. There are 2 main architectures I'm aware of: server VLAN setup or VIP-SNIP setup. Server VLAN means that the HA pair will have a SNIP in the same subnet where the servers that will be load balanced actually exist. This also generally means the VIP that users access will typically be in that subnet as well. This simplifies a few things. For one, you only have to bind a single VLAN to the Netscaler and have a single SNIP. User traffic will come into the VIP and the LB in turn will use the SNIP as the source when connecting to the server. Since there is no L3 device between them, meaning no ACLs, it helps simplify the access and latency from LB to server. The VIP-SNIP architecture would have 2 VLANs bound, each with their own SNIP: one in the VIP VLAN and one in the SNIP VLAN. (Sorry if the naming is getting confusing, but they're named by their function.) The VIP VLAN would house only VIPs the client uses to connect to, and the SNIP VLAN would be small, like a /29, as the only IPs in there are ones used by the LB to talk to the server. So why have a SNIP in the VIP VLAN? For one, completeness and being able to test that you can reach the GW in that subnet, but there are a few cases where this is needed (I just can't recall at the moment what they are). While obviously you now have to do ACLs from LB to server, you can simply add more VIP VLANs later if needed and don't have to worry about the subnet getting filled with server IPs. Also, if the LB is compromised they don't have a direct leg into the server VLAN.

To summarize:
NSIP is assigned directly to a single netscaler, always
SNIP is assigned to a "group" of netscalers and is only active on the current primary
NSIP is for mgmt traffic whether accessing the netscaler or the netscaler sending data elsewhere
SNIP is for data traffic and is generally only used when the netscaler is initiating traffic to a server it needs to talk to.
Thanks for the explanation. I read this statement in the Q&A of a Netscaler webinar last week: "(This is also a common best practice to enable MgmtAccess on a SNIP in management VLAN, so that you always connect to the Active Netscaler and never by accident to the Passive Netscaler". Does that mean, once we have HA enabled, we can configure to connect to manage HA by using the SNIP? Where do I configure this?
Very simple, actually. Just add another SNIP, but ensure it's in the same VLAN as the NSIPs. Then set that SNIP ("set ns ip X.X.X.X") to have mgmt access enabled. But make sure to disable telnet/ftp, etc. and make it secure, same as the NSIP addresses.
Sorry, a bit confused. I have currently assigned the same SNIP to both Netscalers in HA. This SNIP is in the same VLAN as both NSIPs. You said add another SNIP? Can we not use the existing SNIP which is common to both?
Is there any option in the GUI to enable management access on the SNIP?
Under normal conditions only a single SNIP is needed per VLAN you bind. Remember, SNIPs "float" to whichever is the primary, so you can't add a SNIP to each Netscaler. In fact, you should only add SNIPs on whichever is the primary at the time. The reason is that SNIP configs are one of the many config parts that are synced in an HA pair.

So as an example, let's say you are doing the server VLAN approach where the VIPs and servers and load balancer all exist in the same VLAN/subnet (192.168.1.0/24) and will bind to interface 1/1. Your mgmt interface you want separate, so as not to have mgmt traffic influence data traffic, and that will go in VLAN/subnet (10.1.1.0/24) and bind to interface 0/1.

So when you're setting things up, you do the following:
Netscaler1
Set up NSIP of 10.1.1.5 and bind its VLAN to 0/1
Set up SNIP of 10.1.1.7 (VLAN already bound to 0/1)
Set up SNIP of 192.168.1.54 and bind its VLAN and the IP to 1/1
*NOTE: there is a reason for not binding the IP to the 0/1 interface but binding the .54 IP to the 1/1, but that is beyond this question
Set up HA peer of 10.1.1.6
Do other setup you wish to do
*NOTE: at this point the Netscaler is configured to be in an HA pair and, since it's already in the pair, it'll become the primary. It is also already searching for Netscaler2 at 10.1.1.6 to finish up the pairing, sync config/files, and determine status. So a "sh ha node" at this point will show unknown for the second node.

Netscaler2
Set up NSIP of 10.1.1.6 and bind VLAN to 0/1
Set up HA peer of 10.1.1.5
Wait a few seconds and run "sh ha node". It should now show a healthy pair.
Ok, so having a separate SNIP on a different VLAN to the NSIP and enabling only management access on that SNIP is a good practice?

Actually I don't have multiple VLANs here, just one VLAN in the DMZ that I have been given. So, can I enable management access on the only SNIP that I have and log in to this SNIP instead of the primary NS to make changes?
By default telnet, ftp, ssh etc. are ticked; can I leave them ticked? Do I have to have secure access only checked?
Mgmt access should ONLY be enabled on IPs that are in a secured area, typically a separate subnet. Definitely not a DMZ. If you're going to put it in the DMZ then I would definitely untick telnet and ftp. Please take no offense, but if you don't know why running mgmt access, especially telnet, in a DMZ is a bad idea, you should probably look into hiring a consultant to help out. Again, not trying to offend, just saying you may be in over your head on this one and need more help than can be provided via chatting on an internet forum.
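An added example, not Citrix code and not part of the thread, that turns the advice above (mgmt access only on a dedicated, secured subnet; telnet and FTP off; secure-only GUI) into a check you can run over the "add ns ip" / "set ns ip" lines of an ns.conf. It flags management access enabled on an address outside the management subnet (or inside a DMZ range), telnet or FTP left on, and a GUI not restricted to secure access only. The sample lines are constructed; -mgmtAccess, -telnet, -ftp, -ssh and -gui SECUREONLY are real NetScaler options, but the values the script assumes for an option that is absent from a line (telnet/ftp/gui enabled once management access is enabled) and the two subnet lists are this example's assumptions, to be verified against your own "show ns ip" output.

```python
"""Audit of management-access settings on NetScaler-owned IPs.  Added example,
not Citrix code.  Input lines are constructed in the style of ns.conf
`add ns ip` entries; the option names are real, while the defaults assumed
for absent options (telnet/ftp/gui ENABLED when -mgmtAccess ENABLED) and the
subnet lists are this example's assumptions."""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Constructed sample: a hardened mgmt-VLAN SNIP, a plain data SNIP, and a
# DMZ SNIP on which someone ticked "management access" and left the defaults.
SAMPLE_NS_CONF = """\
add ns ip 10.1.1.7 255.255.255.0 -type SNIP -mgmtAccess ENABLED -telnet DISABLED -ftp DISABLED -ssh ENABLED -gui SECUREONLY
add ns ip 192.168.1.54 255.255.255.0 -type SNIP
add ns ip 172.16.50.10 255.255.255.248 -type SNIP -mgmtAccess ENABLED
"""

MGMT_SUBNETS = [ipaddress.ip_network("10.1.1.0/24")]    # the thread's mgmt VLAN
DMZ_SUBNETS = [ipaddress.ip_network("172.16.50.0/24")]  # constructed DMZ range


@dataclass
class OwnedIp:
    address: str
    flags: Dict[str, str] = field(default_factory=dict)  # lower-case option -> VALUE


def parse_ns_ip_lines(text: str) -> List[OwnedIp]:
    """Collect `add ns ip` / `set ns ip` lines; any other config line is ignored."""
    entries: List[OwnedIp] = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:3] not in (["add", "ns", "ip"], ["set", "ns", "ip"]) or len(tok) < 4:
            continue
        entry = OwnedIp(address=tok[3])
        i = 4  # netmask (add form) or first option (set form); non-option tokens are skipped
        while i < len(tok):
            if tok[i].startswith("-") and i + 1 < len(tok):
                entry.flags[tok[i][1:].lower()] = tok[i + 1].upper()
                i += 2
            else:
                i += 1
        entries.append(entry)
    return entries


def audit(entries: Iterable[OwnedIp],
          mgmt_subnets=MGMT_SUBNETS, dmz_subnets=DMZ_SUBNETS) -> List[str]:
    """Return one finding per weak management-access setting found."""
    findings: List[str] = []
    for e in entries:
        if e.flags.get("mgmtaccess", "DISABLED") != "ENABLED":
            continue  # no management plane on this IP; nothing to check
        addr = ipaddress.ip_address(e.address)
        if any(addr in net for net in dmz_subnets):
            findings.append(f"{e.address}: management access enabled on a DMZ address")
        elif not any(addr in net for net in mgmt_subnets):
            findings.append(f"{e.address}: management access enabled outside the management subnet")
        for proto in ("telnet", "ftp"):
            if e.flags.get(proto, "ENABLED") == "ENABLED":
                findings.append(f"{e.address}: {proto} enabled (cleartext management protocol)")
        if e.flags.get("gui", "ENABLED") != "SECUREONLY":
            findings.append(f"{e.address}: GUI not restricted to HTTPS; use -gui SECUREONLY")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ns_ip_lines(SAMPLE_NS_CONF)):
        print(finding)
```

On the constructed sample only the DMZ SNIP produces findings: the 10.1.1.7 SNIP matches the hardened settings described in the thread, and 192.168.1.54 has no management access at all, so it is skipped. Feed the script your real "add ns ip" lines and adjust the subnet lists to your own addressing before trusting the result.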