Using Load Balancing in Citrix

In the case where Citrix environment is accessed from  users within the Network as well as  users  from outside the network.
I would like to know how to lay out the Load balancing and security part.

for instance users from inside the network when they try to access their applications, they will go to Storefront servers, however they need to go through certain load balancing system in order to use the least busiest storefront server.
I am not sure if there is any mechanism that provide user's data to be encrypted within the network, if it is necessary.

Users when they are home, and they need to access their applications, they will still have to go through Load balancer and Security system, for instance after they cross the firewall, then need to get authenticated by Citrix Gateway (component of Netscaler), then the load balancer will put them through the least busiest StoreFront.

I have seen this diagram below, but it is still does not cover the whole picture.. I am not sure how many Load balancer needs to be put up for Outside users as well as for users within the network.

Any Citrix Expert to put a diagram here and explain the flow of the traffic?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Tony JohncockLead Technical ArchitectCommented:
SF servers can handle tens of thousands of hits per hour so not sure you'd need to go to the "least busiest" at any point.

(Unfortunately he doesn't seem to have written part 2 yet which covers SF 3.0)

But his key points are:

"...Single Server Scalability (StoreFront 2.6)

Yes, I realize StoreFront 3.0 has been released and I’m planning a follow-up article in a few weeks once we complete our internal testing. But we can still learn a lot from the 2.6 numbers.

And this time around we looked at really pushing the limits of a single StoreFront server to determine how we should go about deploying this critical infrastructure component in a global enterprise with hundreds of thousands of users (when we did the first round of testing 2.5 years ago with StoreFront 2.0, we really only looked at scenarios with 10k users). So this time we bumped up the test harness to 40k users and we logged in all users within 15 minutes (sustaining 44 requests per second).

We also did another test to see if we could log in users even faster and we were able to sustain 100 requests per second. But here is ultimately what we found in terms of Single Server Scalability:

A single 2 vCPU server can comfortably support 32,000 user connections per hour using Receiver for Web.

If we scale “up” by adding additional CPU to a StoreFront VM, a single 16 vCPU server can support 110,000 user connections per hour. 5 nodes can theoretically support 337,000 connections per hour, although we’ve never scaled that high in a customer environment.
If we scale “out” by adding additional 2 vCPU nodes, a 5 node group can support 160,000 connections per hour.

It is important to note that the scalability is non-linear when you add vCPUs or nodes.  All of these numbers are also based on a single site/farm – aggregation of multiple sites is a topic for another day...."


"...The sweet spot for a single StoreFront VM seems to be 4 vCPUs and 8 GB RAM. The sweet spot for a server group seems to be 2 or 3 nodes. So start with 2 StoreFront VMs with those specs and you’ll be able to comfortably handle about 150,000 user connections per hour.

If you need additional capacity or will have truly extreme logon storms, then add another node with those same specs to the group – that will get you over 200,000 connections or so. Put these StoreFront nodes behind a NetScaler and you’re off and running.

Make sure you account for the flavor of Receiver used! That 150k number in the previous bullet is actually about 140k for RfW and 190k for Native Receiver. So it really does matter how your users will be accessing the StoreFront infrastructure."

So in essence most modern load balancers will handle all of your SF traffic easily and the only reason for multiple ones is for high availability.

The following will explain the logon and connection process - it's for Web Interface but to all intents and purposes is identical to SF:

Your load balancers, by the way, can be pretty much anything - NetScalers, F5 etc.
jskfanAuthor Commented:
I am not sure you understood what I asked for.

Let s start with Internal users. How do they get to the StoreFront , assuming we have three StoreFront servers. Do they go to the DMZ and use Netscaler Virtual server(that points to FQDN of StoreFront) or we need to put another Netscaler inside the Network

For External users I believe there is no choice, Netscaler( with CAG) is mandatory.

if you can put a diagram that shows how Internal /External users get to the Storefront , that would be helpful
Tony JohncockLead Technical ArchitectCommented:
Well in fairness you didn't ask that - you stated: "for instance users from inside the network when they try to access their applications, they will go to Storefront servers, however they need to go through certain load balancing system in order to use the least busiest storefront server."

In the second link I sent, the Web Interface server (which is deprecated and replaced by StoreFront but effectively performs the same role in this context) would simply sit behind a load balancer.

Ok so let's address internal users.

No requirement for any kind of Netscaler unless that is your chosen load balancer.

At the simplest level you could have 2 SF servers and simply load balance in DNS. Lose a SF server and 50% of connections drop so not ideal.

Add in a load balancer and it's just load balancing between a single URL and IP to two or more behind. The intelligence in most load balancers allowing for a failed SF server to be taken automatically out of the load.

The reason I say no reason for it to be a Netscaler is they are expensive as load balancers and many sites already have internal ones they can leverage.

For external access personally though I would recommend a pair of Netscalers. For a number of reasons but for one, they are Citrix products so you get end-to-end support with none of the silliness of one vendor blaming another.
Tony JohncockLead Technical ArchitectCommented:
I will check this one: 

Pretty much what I just described but a much better visualisation.
jskfanAuthor Commented:

The link gives some visibility, however I need to know:

for internal users if we put 2 Netscalers inside the Network for loadbalancing and SSL offloading, There will be no CAG configuration .

For external users, we put  2 Netscalers in the DMZ for load balancing /SSL offloading and we configure CAG component.
Tony JohncockLead Technical ArchitectCommented:
Can you rephrase the question because they read as two statements as you've put them. Sorry but I don't want to assume and give you misinformation.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jskfanAuthor Commented:
for internal users if we can just put 2 Netscalers inside the Network for loadbalancing and SSL offloading, There will be no need for CAG configuration . is that correct ?

 For external users, we need to  put  2 Netscalers in the DMZ for load balancing /SSL offloading and we will have to configure CAG component.  is that correct ?
jskfanAuthor Commented:
thank you
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.