MobileIron VSP HA (High Availability) with Citrix NetScaler


I have been working with a colleague on implementing a highly available mobile solution.  Whilst there are a number of different ways to achieve this, this article will focus on setting up the load balancing (NetScaler GSLB) for the public facing URLs used with MobileIron.

You will still need to set up your MobileIron VSPs to replicate and sync, but that will be covered in a separate article written by a good friend of mine and mobility expert @andymallins.

Terminology

Firstly, some terminology that you should know before starting the config.

ADNS – Authoritative DNS Service – A DNS listener on the NetScaler that answers queries for the GSLB domains and returns the IP Address of the currently active virtual server.  This needs to be in place for GSLB to work correctly.

GSLB Site – In its simplest terms, a virtual data centre.  For example, with London as the primary site and New York as the fail over site, the London NetScaler would have one Local GSLB Site (London) and one Remote GSLB Site (New York), assuming London is the primary.

Setting Up GSLB

So, first you will need 2 NetScalers running, one in the primary site and one in the fail over site.  DO NOT RUN THESE IN HA MODE; they need to be separate, independently configured NetScaler instances.  The NetScalers must be able to reach each other (routable, with the firewall allowing the GSLB metric exchange traffic between the two site IPs), as this is how they report the status of the services they own to each other.

Log into the Admin console of both NetScalers and ensure that both have the basic setup in place (NSIP, SNIP, Licenses).  Load the GSLB license onto each NetScaler and enable the feature (right click GSLB under Traffic Management – GSLB and select Enable).

Enable GSLB

To configure the entire GSLB setup you will initially configure the primary node, then the secondary.  During the config the services on the Primary may show as down; don't worry about this until the end of the config.  Once both nodes are set up, go back and check the services are up.  If not, you more than likely have a routing issue or firewall rules blocking the GSLB traffic between the NetScalers (the metric exchange protocol between the two site IPs, which runs on TCP 3011 by default and TCP 3009 when the RPC node is set to secure; check the port list for your NetScaler build).

Primary Node

Setting Up the ADNS Listener

The first step in GSLB configuration is to set up the ADNS listener service.  The reason for this is that, regardless of where the DNS record is hosted (internally or externally), you will need to delegate control of the DNS record to your NetScaler(s), so that the NetScaler can look at the GSLB cluster and return the currently live node.

Basically an external DNS query will do the following:

  • The client requests name.domain.com
  • Its recursive resolver (e.g. the ISP's DNS servers) walks the public DNS hierarchy to the authoritative servers for domain.com
  • The domain.com servers do not hold an A record for name.domain.com; instead they hold an NS delegation pointing at the Public IP Address(es) of the company's ADNS service
  • The Public IP Address(es) of the ADNS Service are NAT'd to the internal ADNS IP present on the NetScaler
  • The ADNS Service on the NetScaler answers with the public IP Address of the currently live GSLB service (here, the VSP)

So, to set it all up.  It's actually a lot simpler than it sounds.

First you need to create a Server Record for the ADNS Listener.  The IP Address you assign to the server needs to be a free IP Address on your network (it can be in the DMZ or on the internal network); this is the address the public ADNS IP will NAT to.

This can be done in Traffic Management – Load Balancing – Servers

ADNS Server Record Site A

You then need to set up an ADNS Service to point to the ADNS Server you have just created.

This can be done in Traffic Management – Load Balancing – Services

Ensure you have the following properties set:

  • Service Name – (Anything you want)
  • Server: The ADNS Server created in the previous step
  • Protocol: ADNS
  • Port: 53

ADNS Listener Service

That's it, your NetScaler is now set up to receive ADNS queries.  To test the service, point nslookup (or dig) at the ADNS IP you created earlier; you will see that you get a good connection.  You may get an error about no A or AAAA records being available – this is normal, as you have not bound any GSLB domains on your NetScaler yet.
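The same ADNS setup from the NetScaler command line, together with the delegation the parent zone needs, added here as an example rather than taken from the original post.  The object names, the ADNS IP 10.1.1.53, the public IPs 203.0.113.53 and 198.51.100.53, the name server names ns-gslb-a/ns-gslb-b and the domain vsp.domain.com are all placeholders; substitute your own.

```text
# NetScaler CLI (SSH to the NSIP), primary site

enable ns feature GSLB

# Server record for the listener, then the ADNS service on UDP/TCP 53
# (the GUI steps: Traffic Management - Load Balancing - Servers, then Services)
add server adns-srv-a 10.1.1.53
add service adns-svc-a adns-srv-a ADNS 53

# Check from a client that can reach the listener. Until a GSLB domain is
# bound you get a clean connection but an empty answer (no A/AAAA records).
#   dig @10.1.1.53 vsp.domain.com A
#   nslookup vsp.domain.com 10.1.1.53

# Delegation in the parent zone (BIND zone-file style), maintained by
# whoever runs domain.com. Both sites' ADNS public IPs are listed so that
# resolution survives the loss of one site. The firewall needs to allow
# UDP and TCP 53 from the Internet to these public IPs and NAT them to the
# internal ADNS IPs; ADNS only answers for the GSLB domains bound to it and
# does not recurse, so the exposure is narrow.
vsp.domain.com.        IN NS   ns-gslb-a.domain.com.
vsp.domain.com.        IN NS   ns-gslb-b.domain.com.
ns-gslb-a.domain.com.  IN A    203.0.113.53
ns-gslb-b.domain.com.  IN A    198.51.100.53
```

Delegating the single name vsp.domain.com as its own zone is what lets the NetScaler own the answer; any other records under domain.com stay where they are today.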

Setting up GSLB

You are now ready to configure GSLB on the Primary Node.

The first thing you will need to set up are 2 Server entries, one for each of the MobileIron VSPs running in the Primary and Fail Over sites.

Server Records

You can set these entries up in Traffic Management – Load Balancing – Servers

MobileIron VSPs

GSLB Sites

You will now need to set up the local and remote GSLB Sites.  These are basically representations of data centres in a virtual form.  You will need a free IP Address to assign to each GSLB Site; this is the address the two NetScalers use to exchange status with each other.

Navigate to Traffic Management – GSLB – Sites and click Add.

Enter the Primary Site Details as follows:

  • Name: (Anything you want)
  • Type: Local
  • Site IP Address: Free IP Address representing the primary site
  • Public IP Address: The same as the site IP Address (if the two sites reach each other through NAT, enter the NAT'd address here instead)

Primary GSLB Site

You will now need to set up the fail over (remote) GSLB Site.

Navigate to Traffic Management – GSLB – Sites and click Add.

Enter the Fail Over Site Details as follows:

  • Name: (Anything you want)
  • Type: Remote
  • Site IP Address: Free IP Address representing the fail over site
  • Public IP Address: The same as the site IP Address (or the NAT'd address, as for the primary site)

Failover GSLB Site

Monitors

MobileIron, when set up as a highly available pair, can be monitored automatically by checking the status of an HTML page served by the VSP.  Also, in the event of a fail over you would not want to automatically drop back to the primary when it comes back online, because the database has to be manually synced from the secondary back to the primary before it is re-promoted to primary.

With this in mind we want to create a monitor that asks the VSP for its status and reports the service as live ONLY if it is the current primary node.  This can be achieved with an HTTP-ECV monitor.

Navigate to Traffic Management – Load Balancing – Monitors and click Add.

Enter the following details for the Primary VSP

  • Name: (Anything You Want)
  • Type: HTTP-ECV
  • Destination IP: The internal (DMZ) IP of your VSP
  • Destination Port: 443
  • Put a tick in Secure

Click on the Special Parameters tab and fill it out as shown below.  The monitor requests the /hastatus.html page from the VSP and only passes when the response contains the primary marker: a Send String requesting /hastatus.html (GET /hastatus.html) and a Receive String of Mode: Primary.

Special Parameters

Click create.

NOTE: Create a second monitor for the secondary VSP, changing only the Destination IP to that of the secondary and keeping the rest of the monitor (including the Receive String of Mode: Primary) the same.

Services

Once the monitors are done you will need to set up the GSLB Services that represent the VSP in each site, in this case for vsp.domain.com.

Set up the Primary Site VSP.

Navigate to Traffic Management – GSLB – Services and click Add.

Enter the following details:

  • Name: (Anything You Want)
  • Site Name: Pick the primary site from the drop down list
  • Type: Local
  • Server Name: Select the server record created for the Primary VSP
  • Public IP: Public IP that you NAT to the internal IP of the VSP

Click the monitor tab and select the monitor you created for the primary VSP.

Click on OK.  This service should show as Up (green).  This is expected: if you checked the /hastatus.html page on this VSP it would report it as the primary, so the monitor passes.

You now need to set up the VSP for the Fail Over Site.

Navigate to Traffic Management – GSLB – Services and click Add.

Enter the following details:

  • Name: (Anything You Want)
  • Site Name: Pick the fail over site from the drop down list
  • Type: Remote
  • Server Name: Select the server record created for the Fail Over VSP
  • Public IP: Public IP that you NAT to the internal IP of the Fail Over VSP

Click the monitor tab and select the monitor you created for the secondary VSP.

Click on OK.  This service WILL show as Down (red).  This is expected: the /hastatus.html page on this VSP reports it as the secondary, so the monitor fails until the node is promoted to primary.

vServers

All that remains on the Primary Site now is to configure the GSLB Virtual Servers that will front the VSPs and set an applicable backup vServer for the Primary.

Navigate to Traffic Management – GSLB – Virtual Servers and click Add.

Add the details for the Primary Virtual Server.

Enter a name for the vServer, ensure the DNS Record Type is A and tick the VSP you created for the Primary Site in the listed services.

You now need to assign the domain name that the Primary vServer will be responsible for.  Click on the domains tab and click Add.  Enter the domain name that the users type in to access the VSP sitting on the back end.

You now need to add the Virtual Server that will run the Service for the Fail Over Site.

Navigate to Traffic Management – GSLB – Virtual Servers and click Add.

Add the details for the Fail Over Virtual Server.

Enter a name for the vServer, ensure the DNS Record Type is A and tick the VSP you created for the Fail Over Site in the listed services.

NOTE: Do NOT add a domain for this vServer.  The NetScaler will take care of answering for the domain from the backup vServer in the event of a fail over.

The final step for the Primary Node is to add the fail over vServer as a back up vServer for the Primary.

Navigate to Traffic Management – GSLB – Virtual Servers and double click the Primary VSP vServer.  Click the advanced tab and from the Backup vServer drop down select the Fail Over VSP vServer you created earlier.

That's it!  You have configured the Primary Node.  Now onto the Fail Over node.
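The whole primary node configuration above, expressed as NetScaler CLI commands.  This is an added example, not configuration from the original post, and every address and object name is a placeholder: 10.1.1.10 and 10.2.1.10 are the Site A (primary) and Site B (fail over) GSLB site IPs, 10.1.1.20 and 10.2.1.20 the DMZ IPs of the primary and fail over VSPs, 203.0.113.20 and 198.51.100.20 their public NAT addresses, and vsp.domain.com the user-facing name.  The GUI's Local/Remote type on a GSLB service is derived from the site it is bound to, so it does not appear as a separate option here.

```text
# NetScaler CLI, primary site NetScaler (Site A)

# Server records for the two VSPs
add server vsp-a 10.1.1.20
add server vsp-b 10.2.1.20

# GSLB sites: this box is LOCAL, the other data centre is REMOTE.
# -publicIP only differs from the site IP when the sites talk through NAT.
add gslb site SiteA LOCAL  10.1.1.10 -publicIP 10.1.1.10
add gslb site SiteB REMOTE 10.2.1.10 -publicIP 10.2.1.10

# HTTP-ECV monitors over TLS. The receive string is "Mode: Primary" on
# BOTH monitors, so a VSP is only UP while it is the active node. The fail
# over VSP's monitor stays DOWN until that node is promoted, which is what
# stops the NetScaler from failing back automatically.
add lb monitor mon-vsp-a HTTP-ECV -send "GET /hastatus.html" -recv "Mode: Primary" -destIP 10.1.1.20 -destPort 443 -secure YES
add lb monitor mon-vsp-b HTTP-ECV -send "GET /hastatus.html" -recv "Mode: Primary" -destIP 10.2.1.20 -destPort 443 -secure YES

# GSLB services, one per site, each carrying the public (NAT'd) address
# that the ADNS answer hands to clients.
add gslb service gslb-svc-vsp-a -serverName vsp-a SSL 443 -publicIP 203.0.113.20 -publicPort 443 -siteName SiteA
add gslb service gslb-svc-vsp-b -serverName vsp-b SSL 443 -publicIP 198.51.100.20 -publicPort 443 -siteName SiteB
bind gslb service gslb-svc-vsp-a -monitorName mon-vsp-a
bind gslb service gslb-svc-vsp-b -monitorName mon-vsp-b

# GSLB vServers answering A records. Only the primary vServer owns the
# domain; the fail over vServer is bound as its backup and gets no domain.
add gslb vserver gslb-vs-vsp-a SSL -dnsRecordType A
add gslb vserver gslb-vs-vsp-b SSL -dnsRecordType A
bind gslb vserver gslb-vs-vsp-a -serviceName gslb-svc-vsp-a
bind gslb vserver gslb-vs-vsp-b -serviceName gslb-svc-vsp-b
bind gslb vserver gslb-vs-vsp-a -domainName vsp.domain.com -TTL 5
set  gslb vserver gslb-vs-vsp-a -backupVServer gslb-vs-vsp-b

# Expected healthy state: gslb-svc-vsp-a UP, gslb-svc-vsp-b DOWN
show gslb service
show gslb vserver gslb-vs-vsp-a
save ns config
```

The 5 second TTL on the domain binding is the NetScaler default; it keeps resolver caches short so clients pick up the fail over address quickly, at the cost of more queries hitting the ADNS listeners.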

Fail Over Node

I am not going to bore you with lots more screen shots here.  Basically the process of configuring the fail over node in a GSLB cluster is exactly the same as the primary, with the exception of the below:

  • All IP Addresses used for Server Records and GSLB Site Addresses must be in the DMZ or internal subnet local to the fail over NetScaler.
  • When setting up the sites, services and virtual servers for GSLB, the fail over site becomes LOCAL and the primary site becomes REMOTE.
  • The domain name and the backup vServer set on the Virtual Servers must be exactly the same as on the primary site.
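Only the lines that differ on the fail over node, again as an added NetScaler CLI example and not the original post's configuration.  Placeholders: 10.1.1.10 and 10.2.1.10 are the primary and fail over GSLB site IPs, 10.2.1.53 a free address in the fail over site for its ADNS listener, and vsp.domain.com the user-facing name; the server records, monitors, services and vServers are entered exactly as on the primary node and are not repeated.

```text
# NetScaler CLI, fail over site NetScaler (Site B)

# Local and remote are swapped relative to the primary NetScaler
add gslb site SiteB LOCAL  10.2.1.10 -publicIP 10.2.1.10
add gslb site SiteA REMOTE 10.1.1.10 -publicIP 10.1.1.10

# Domain and backup vServer are identical to the primary node: the domain
# is bound to the primary-site vServer, which backs onto the fail over one
bind gslb vserver gslb-vs-vsp-a -domainName vsp.domain.com -TTL 5
set  gslb vserver gslb-vs-vsp-a -backupVServer gslb-vs-vsp-b

# This site's own ADNS listener, on a subnet local to this NetScaler
add server adns-srv-b 10.2.1.53
add service adns-svc-b adns-srv-b ADNS 53

# Check on both boxes: each should see the remote site as ACTIVE and the
# same UP/DOWN pattern on the two GSLB services. If the remote site shows
# down, the metric exchange between site IPs is being blocked.
show gslb site
show gslb service
save ns config
```

Because each NetScaler holds the full picture (both sites, both services, the same domain binding), either ADNS listener gives the same answer, which is what makes listing both of them in the delegation safe.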

Once you have finished the fail over NetScaler then everything is done.

Some notes: when delegating DNS, make sure the delegation lists both the primary and fail over ADNS listeners (their public IPs), otherwise losing one site also takes out name resolution.  Test DNS by using nslookup and connecting to each ADNS listener individually.

As always, please share and comment.

Laters,
b@m

2 thoughts on “MobileIron VSP HA (High Availability) with Citrix NetScaler”

  1. Costa K

    Excellent post, just one thing I want to check. When creating the monitor for the Secondary site, you say that all settings should be the same except for the IP address. The Receive String is still set to Mode: Primary, is this correct or should this be set as Secondary?

    1. Bretty (Post author)

      Hi there,

      It would still need to read Primary. The reason for this is that you only want the monitor to report active once the failover node is promoted to the Primary.

      Thanks,
      Bretty
