Setting Up NetScaler GSLB To Load Balance Access Gateway


I was looking into setting up site-to-site fail over for NetScaler Gateway the other day and ended up setting it all up using the NetScaler feature Global Server Load Balancing.  This is an additional feature for the NetScaler (depending on your license) and will need to be purchased on top of the Standard edition license, or if you have Enterprise / Platinum then happy days, you're covered.  Even though it is an additional extra I can honestly say it is worth every penny, the scope this gives you is outstanding!

There are not many step-by-step guides out there on setting it all up with images and explanations so I thought I would write a guide on setting it up.  Hopefully this should help some of you out there, if not it may have a couple of little hints in there you may not have known about.

Terminology

Firstly, some terminology that you should know before starting the config.

ADNS – Authoritative DNS Service – This is required on the NetScaler to return the correct IP Address of the currently active NetScaler Gateway – this needs to be in place for GSLB to work correctly.

GSLB Site – This is basically a virtual data centre in its simplest terms.  For Example – London as a primary site and New York as a fail over site.  You would have 1 Local GSLB Site for London and 1 Remote GSLB Site for New York, assuming that your London NetScaler was the primary one.

The rest is fairly self explanatory so I won’t bore you with endless abbreviations!

The Basic Set Up

So, first you will need 2 NetScalers running, one in the primary site and 1 in the fail over. DO NOT RUN THESE IN HA MODE, they will need to be separate NetScaler instances.  These NetScalers will need to be able to see each other and be routable.  This is so that they can report on the status of their owned services to each other.

NOTE: In the screen shots below some of the services show as down, this is only because the laptop I am running the lab on does not have enough power to run 2 NetScalers and a Windows Server 2008 Router (not a lot of power I know but hey!).  You will have to trust me – when everything is up (i.e. the router) it works perfectly.

Here is a screen shot of the simple lab I have running.

2 NetScalers and 1 Router

NetScaler Management Consoles

Log into the Admin console for both NetScalers and ensure that both are configured with the basic setup (NSIP, SNIP, Licenses, DNS and a NetScaler Gateway on each).  Load the GSLB license onto the NetScaler and enable the feature (right click GSLB in Traffic Management – GSLB and select Enable).

Enable GSLB

Once you have everything enabled you will need to ensure that you have a NetScaler Gateway set up and configured on each NetScaler.  Ensure that both gateways are identical (Certificates included) as if they are different the users will get a different experience when the GSLB site to site fail over kicks in.

Site A NetScaler Gateway

Site B NetScaler Gateway

At this point you are now ready to start configuring GSLB.

To configure the entire GSLB setup you will initially configure the primary node, then the secondary.  During the config all the services on the Primary may show as down, don’t worry about this until the end of the config.  Once both nodes are set up go back and check the services are up, if not then you more than likely have an issue with routing or firewall rules blocking the GSLB traffic between the NetScalers.

Primary Node

Setting Up The ADNS Listener

The first step in GSLB configuration is to set up the ADNS listener service.  The reason for this is that regardless of where the DNS record is hosted (internally or externally) you will need to delegate control of the DNS record to your NetScaler(s), this is so the NetScaler can look at and return the current live node of the GSLB cluster.

Basically an external DNS query will do the following:

  • Request name.domain.com
  • Ask Public DNS Servers for IP (Not found so will be passed to next hop i.e. ISP DNS Servers)
  • ISP Servers have record for name.domain.com but control is delegated to Public IP Address(es) of ADNS Service for company
  • Public IP Address(es) for ADNS Service NAT to Internal ADNS IP present on NetScaler
  • ADNS Service on NetScaler returns the current live IP Address for NetScaler Gateway

So, to set it all up.  It's actually a lot simpler than it sounds.

First you need to create a Server Record for the ADNS Listener Server.  The IP Address you assign to the server will need to be a free IP Address on your network (It can be in the DMZ or Internal)

This can be done in Traffic Management – Load Balancing – Servers

ADNS Server Record Site A

You then need to set up an ADNS Service to point to the ADNS Server you have just created.

This can be done in Traffic Management – Load Balancing – Services

Ensure you have the following properties set:

  • Service Name – (Anything you want)
  • Server: The ADNS Server created in the previous step
  • Protocol: ADNS
  • Port: 53

ADNS Listener Service

That's it, your NetScaler is now set up to receive ADNS queries.  If you wanted to test the service you could use nslookup to attach to the ADNS IP you created earlier and will see that you get a good connection.  You may get an error about no A or AAAA records available – this is normal as you have not manually set any of these up on your NetScaler yet.

Setting up GSLB

You are now ready to configure GSLB on the Primary Node.

The first thing you will need to set up are 2 Server entries for the NetScaler Gateways you have running on the Primary and Fail Over site.  The reason for this is that the GSLB cannot load balance NetScaler Gateways directly, it will load balance a server record, that in turn will point to the NetScaler Gateway.

You can set these entries up in Traffic Management – Load Balancing – Servers

Server Records For Both NetScaler Gateways

You will now need to set up the local and remote GSLB Sites.  These are basically representations of data centres in a virtual form.  You will need a free IP Address to assign to each GSLB Site.

Navigate to Traffic Management – GSLB – Sites and click Add.

Enter the Primary Site Details as follows:

  • Name: (Anything you want)
  • Type: Local
  • Site IP Address: Free IP Address representing the primary site
  • Public IP Address: The same as the site IP Address

Primary GSLB Site

You will now need to set up the fail over (remote) GSLB Site.

Navigate to Traffic Management – GSLB – Sites and click Add.

Enter the Fail Over Site Details as follows:

  • Name: (Anything you want)
  • Type: Remote
  • Site IP Address: Free IP Address representing the fail over site
  • Public IP Address: The same as the site IP Address

Fail Over GSLB Site

Once the sites are done you will need to set up Services to load balance across the sites.

Set up the Primary Site Service.

Navigate to Traffic Management – GSLB – Services and click Add.

Enter the following details:

  • Name: (Anything You Want)
  • Site Name: Pick the primary site from the drop down list
  • Type: Local
  • Server Name: Select the server record created for the Primary NetScaler Gateway
  • Public IP: If presenting externally put the public IP that you NAT to the internal IP of the NetScaler Gateway

Click on OK.

Primary Site Service

You now need to set up the Service for the Fail Over Site.

Navigate to Traffic Management – GSLB – Services and click Add.

Enter the following details:

  • Name: (Anything You Want)
  • Site Name: Pick the fail over site from the drop down list
  • Type: Remote
  • Server Name: Select the server record created for the Primary NetScaler Gateway
  • Public IP: If presenting externally put the public IP that you NAT to the internal IP of the NetScaler Gateway

Click on OK.

Fail Over Site Service

All that remains on the Primary Site now is to configure the Virtual Servers that will load balance the services and set an applicable backup vServer for the Primary.

Navigate to Traffic Management – GSLB – Virtual Servers and click Add.

Add the details for the Primary Virtual Server.

Enter a name for the vServer, ensure the DNS Record Type is A and tick the Service you created for the Primary Site in the listed services.

Primary Site vServer

You now need to assign the domain name that the Primary vServer will be responsible for.  Click on the domains tab and click Add.  Enter the domain name that the users type in to access the NetScaler Gateways sitting on the back end (This is normally the certificate domain name assigned to the gateway)

Domain Name

You now need to add the Virtual Server that will run the Service for the Fail Over Site.

Navigate to Traffic Management – GSLB – Virtual Servers and click Add.

Add the details for the Fail Over Virtual Server.

Enter a name for the vServer, ensure the DNS Record Type is A and tick the Service you created for the Fail Over Site in the listed services.

Fail Over vServer

NOTE: Do NOT add a domain for this vServer, the NetScaler will take care of moving the domains across the vServers in the event of a fail over.

No Domain Added

The final step for the Primary Node is to add the fail over vServer as a back up vServer for the Primary.

Navigate to Traffic Management – GSLB – Virtual Servers and double click the Primary Site vServer.  Click the advanced tab and from the Backup vServer drop down select the Fail Over Site vServer you created earlier.

Backup vServer

That's it! You have configured the Primary Node.  Now onto the Fail Over node.
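The primary node steps above expressed as NetScaler CLI commands, as an added example that is not the author's own configuration. All object names, the domain and the IP addresses (documentation ranges) are constructed placeholders; the SSL service type on port 443 and pointing the fail over GSLB service at the fail over gateway's server record are assumptions.

```text
# Added example, run on the PRIMARY node. Names, domain and IPs are constructed placeholders.
enable ns feature GSLB

# ADNS listener: server record plus an ADNS service on port 53
add server srv_adns_siteA 192.0.2.10
add service svc_adns_siteA srv_adns_siteA ADNS 53

# Server records for the NetScaler Gateway at each site
add server srv_gw_siteA 192.0.2.20
add server srv_gw_siteB 198.51.100.20

# GSLB sites: on this node the primary is LOCAL and the fail over is REMOTE
# (public IP set to the same value as the site IP, as in the steps above)
add gslb site site_A LOCAL 192.0.2.30 -publicIP 192.0.2.30
add gslb site site_B REMOTE 198.51.100.30 -publicIP 198.51.100.30

# One GSLB service per site. SSL/443 is an assumption for the gateway.
# -publicIP is the external address that NATs to the internal gateway IP.
add gslb service gslb_svc_siteA srv_gw_siteA SSL 443 -publicIP 203.0.113.20 -publicPort 443 -siteName site_A
add gslb service gslb_svc_siteB srv_gw_siteB SSL 443 -publicIP 203.0.113.120 -publicPort 443 -siteName site_B

# Primary vServer: A record, primary service, and the domain users type in
add gslb vserver gslb_vs_siteA SSL -dnsRecordType A
bind gslb vserver gslb_vs_siteA -serviceName gslb_svc_siteA
bind gslb vserver gslb_vs_siteA -domainName gateway.example.com

# Fail over vServer: A record and fail over service, no domain bound
add gslb vserver gslb_vs_siteB SSL -dnsRecordType A
bind gslb vserver gslb_vs_siteB -serviceName gslb_svc_siteB

# Make the fail over vServer the backup for the primary
set gslb vserver gslb_vs_siteA -backupVServer gslb_vs_siteB

# Check state, then persist the running configuration
show gslb vserver gslb_vs_siteA
save ns config
```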

Fail Over Node

I am not going to bore you with lots more screen shots here.  Basically the process of configuring the fail over node in a GSLB cluster is exactly the same as the primary with the exception of the below:

  • All IP Addresses used for Server Records and GSLB Site Addresses must be in the same DMZ or Internal Subnet as the fail over NetScaler.
  • When setting up the sites, services and virtual servers for GSLB the fail over (local) site becomes LOCAL and the primary site will become REMOTE
  • The domain name being added and the backup vServer when setting up Virtual Servers should be set exactly the same as the primary site.

Once you have finished the fail over NetScaler then everything is done.

Some notes, when delegating DNS make sure you add both primary and fail over ADNS listeners and test DNS by using nslookup and connecting to each ADNS listener.

That's it, hopefully this will help some of you out there when setting up your GSLB fail over.

As always, please share and comment.

Laters,
b@m

23 thoughts on “Setting Up NetScaler GSLB To Load Balance Access Gateway”

  1. Gareth Chapman

    Hey Dave. Instead of creating a backup vServer for SiteB, can one not just create another gslb service and tick the SiteB service in one Virtual server?
    Would that not do the same thing?

  2. Bob Mundy

    Hi Dave

    Great article, just had a thought about a situation that’s been bothering me for a while

    Is there anything in NetScaler Access Gateway to report itself down to GSLB if it can no longer contact the Web Interface / Storefront that it is configured for?

    1. Bretty Post author

      In order to set up something like that you would have to build in HA and GSLB into the storefront setup – can be set up as a dual node HA GSLB cluster – then it would essentially always be up.

  3. Loay Zee

    Does the GSLB service monitor attempt to connect to the public IP address of the service or internal IP?

    Is there a way to make the GSLB service monitor test against the internal IP for the GSLB service?

    NetScaler public IPs are NATed, and NS cannot reach those NATed IPs, so service always in down state.

    1. Bretty Post author

      The GSLB monitor uses the internal IP address for communication. That’s how it should be set up. But. In the service you specify the internal and external ip. When the DNS query comes in it will return the external ip, which is natted to the internal ip.

      Bretty

      1. Loay Zee

        Negative, try to put a non-reachable IP address in the public IP field and the GSLB service will go down.

        The NetScaler seems to be checking against the public IP address of the GSLB service not the internal IP.

        Is it possible to alter this behavior and force the NetScaler to use the internal IP address for service monitoring?

        1. Loay Zee

          Never mind, custom LB monitors solved the problem.

          With a custom monitor I can point to the internal IP and link that to the GSLB service instead of the generic TCP or PING monitors.

          1. Andrew

            Hi Loay,

            I want to do the same. Do you mind sending me the config (hiding your details)? I have 3 NS, 2 on HA, and want to use the 3rd as DR. I want to monitor the uplink. If the uplink fails, the DR will kick in.

            Thanks in advance

          2. Bretty Post author

            Are you still in need of the config? Apologies – been a little busy and not followed up on comments for some time !

  4. Pingback: XenApp/XenDesktop 7.6 – Highest Availability (on a budget!) | blog.technicall.us

  5. Sunil

    Dear Loay or bretty,

    Do you mind sending me the config (hiding your details)? I have 3 NS, 2 on HA, and want to use the 3rd as DR. I want to monitor the uplink. If the uplink fails, the DR will kick in.

    regards
    Sunil

    1. Bretty Post author

      Hi there,
      Drop me a line with some more specifics around your config. I’m running 2 X HA pairs failing over in the event of a DR. However that is in the case of a failure in the gateway, to monitor the links we can do something funky around GSLB monitors to get it to fail over.

      Thanks.
      Dave.

  6. Joey A

    After using both this article and the one provided below, I was able to successfully get GSLB set up for my client (though a lot of time and research/understanding was needed). A lot of work for some automation and add-on features for DNS, but still very cool technology.
    I found a lot of good notes under this article such as to NOT setup the two site appliances under HA mode, which was my original thought as my client has a high speed private link between site locations.
    http://techfusioncbt.com/citrix-netscaler-vpx-mpx-sdx-networking-network/citrix-netscaler-gslb/

  7. jabber

    Question about port 53.
    Is port 53 only for the NetScalers to communicate between each other?
    Or does port 53 need to be open to the world to connect to the ADNS vServer?

  8. Skyrocket

    We have one NetScaler VPX in each DC, which are configured with GSLB service. Now we are planning to add a second NetScaler in each DC and make an HA pair, so the question is: will HA work with GSLB or will it fail?
