Citrix Netscaler: Configuring HTTPS load balancing

I finally got a chance to set up and configure a Citrix Netscaler appliance to load balance two websites.  In this setup the Netscaler will load balance two SSL (HTTPS) web servers with end-to-end encryption.

I did run into some confusion around “SSL Offloading”.  In my configuration I wanted everything to be secured with SSL.  A simple “SSL Offloading” setup decrypts the SSL traffic on the load balancer and forwards the traffic to the web servers in clear text (HTTP).  The clear text traffic is then vulnerable to being captured, read and compromised.

There is a simple way to configure “SSL Offloading” without sending clear text (HTTP) to the internal web servers: when adding Services, add the two web servers as HTTPS services. The NetScaler then decrypts the client traffic, re-encrypts it and sends it on to the internal web servers. It will also use “Session multiplexing” to re-use existing SSL connections to the internal web servers and avoid the CPU-intensive key exchange.

                     Mywebsite.com
                           |
           Load Balancing VIP (https 192.168.11.203)
                  /                        \
WebServer-1 (https 192.168.11.201)    WebServer-2 (https 192.168.11.202)

How to set up Load Balancing in Citrix Netscaler:

1. Add Servers
2. Add a Service, two “https” web servers
3. Add a Virtual server (VIP)
4. Enable “SSL Offloading” and “Load Balancing”
5. SSL – Create an RSA key, use the RSA key to create a cert request
6. SSL – Download the cert request, forward it to the CA, upload the cert/rootCA to the NS LB
7. Install the cert and rootCA in the NS LB
8. Link the cert to the rootCA so they become a pair
9. Bind the cert to the LB VIP, bind the rootCA to the LB VIP
10. Bind the Services to the Virtual Server VIP
11. Virtual server (VIP) will turn green and will start to load balance the sites

1. Add Servers

Log into the Netscaler appliance at http://192.168.11.222 with the default credentials:
Username: nsroot
Password: nsroot

citrix netscaler login nsroot


Add the two web servers that will be behind the Load Balancer virtual IP
Traffic Management > Load Balancing > Servers > Add

Citrix Netscaler add servers


2. Add a Service, two “https” web servers

citrix netscaler add services

Add Service 1 specifying HTTPS and port 443 – “Server1_https / server1.mylab.local”

citrix netscaler add services 1 https

Add Service 2 specifying HTTPS and port 443 – “Server2_https / server2.mylab.local”

citrix netscaler add services 2 https


3. Add a Virtual server (VIP)

This is the main Load Balancing virtual server IP (VIP) that will forward the traffic to the two web servers.

citrix netscaler add virtual server

Add virtual server VIP

citrix netscaler add virtual server


4. Enable “SSL Offloading” and “Load Balancing”

Click on Settings > “Configure Basic Features”

citrix netscaler enable ssl offloading load balancer

Make sure “SSL Offloading” and “Load Balancing” are checked.

citrix netscaler enable ssl offloading load balancer


5. SSL – Create an RSA key, use RSA key to create a cert request.

Create the private key that the certificate request will be generated from:
SSL > Create RSA Key

citrix netscaler create an rsa key

Create the “RSA Key”: 2048 bits, PEM format, DES3 encryption, and enter a PEM passphrase.

citrix netscaler create rsa key

Create the Certificate Signing Request “MySite_LB_VIP_request”. We need to specify the private key we created previously, “MySite_LB_VIP.key”, to create the certificate request. For Common Name, type in mysite.mylab.local or whatever name will be used to access the main site.

citrix netscaler create certificate signing request

6. SSL – Download the cert request, forward it to the CA, upload the cert/rootCA to the NS LB

Download the certificate request “MySite_LB_VIP_request”
citrix netscaler download the certificate request

Now that we have the certificate request for the Load Balancer virtual server (VIP) we need to get the certificate.

Log into the local certificate authority (CA) and generate a CA-signed cert.

citrix netscaler create a certificate for vip

Click Advanced Certificate request

citrix netscaler load balancer ssl cert create

Click “Submit a certificate request…”

citrix netscaler load balancer cert create

Paste the cert request into the window, choose the Web Server template and click Submit.

citrix netscaler load balancer create cert create

Choose Base 64 encoded

citrix netscaler load balancer create cert create

Upload the cert you just generated “Mysite_LB_VIP_cert.cer” to the citrix appliance

citrix netscaler upload ssl cert

All we need now is the root CA cert, so that we can upload it to the Citrix Netscaler appliance. We can extract the root CA cert from MySite_LB_VIP.cer: download that cert and open it in Windows, click on Certification Path, highlight the root CA cert and click “View Certificate”. This opens the root CA cert so that we can export it.


citrix netscaler install root CA cert


Export the root CA

citrix netscaler copy the root CA

Export the root CA with “Copy to”, choosing Base-64 encoding

citrix netscaler export root ca

Save the root CA “MySite_LB_VIP_CA_cert”

citrix netscaler export root CA

Now we should have the Load Balancer VIP cert and the root CA uploaded to the appliance.

citrix netscaler cert and root ca


7. Install the cert and rootCA in NS LB

Now that we have the certs, we need to install them on the Netscaler.

citrix netscaler install certs for virtual server

We need to install the cert for the VIP and also the Root CA

citrix netscaler installing the vip cert

Install the Root CA certificate, leaving “Key File Name” and “Password” empty

citrix netscaler install ca cert

Both certificates should be installed as seen below and show “Valid” in the Status column.

citrix netscaler vip cert and ca cert installed


8. Link the cert to the rootCA so they become a pair

Link the VIP cert to the root CA so that it is a complete chain.

citrix netscaler link ssl cert to vip

Link the LB VIP cert to the root CA cert

citrix netscaler Link the cert

The Virtual Server VIP will show up in red, which is fine. It will turn green when you bind the Services, VIP cert and CA cert to the Virtual Server. Highlight MySite_LB_VIP and click Edit, or double-click the Virtual Server VIP.

citrix netscaler bind ssl cert


9. Bind the cert to the LB VIP, bind the rootCA to the LB VIP

Bind the Virtual Server VIP certificate and CA certificate to the Virtual Server


Bind the server certificate to the Virtual Server VIP

citrix netscaler bind ssl certificate

Bind the Root CA certificate to the Virtual Server VIP

citrix netscaler bind ca cert


10. Bind the Services to the Virtual Server VIP

Bind the two services defined previously to the Virtual Server VIP


Now you should have 2 service bindings, 1 server cert and 1 CA cert.


Give it a minute or so before the Virtual Server turns green; I had to refresh the screen to see it turn green. If it’s not turning green, go back to the SSL section and make sure the certs show up as Valid in the Status column. Make sure the VIP cert is linked to the root CA cert as described in step 8. Make sure you bind the services, cert and CA cert to the Virtual Server VIP as described in steps 9 and 10. Make sure that under Settings “Load Balancing” and “SSL Offloading” are checked.

11. Virtual server (VIP) will turn green and will start to load balance the sites

It took about a minute for the virtual server VIP to turn green.  I had to refresh the screen.

citrix netscaler vip fully configured
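The eleven GUI steps above, and the HTTPS-versus-HTTP service choice explained at the top of the post, map onto a short set of NetScaler CLI commands. The script below is an added example (not code from the original post or from Citrix): it assembles those commands for review so they can then be pushed over SSH (for example ssh nsroot@192.168.11.222 < ns.cmds), using the post's object names, addresses and file names. The four lines that enable back-end server authentication are an addition beyond the post and assume the web servers' own certificates chain to the same lab root CA; without them the NetScaler encrypts the back-end hop but does not verify who it is talking to. The cleartext_backends function is a separate check for an existing ns.conf: it lists every SSL vserver bound to an HTTP service, the offload-only layout the post warns about. The weak configuration it is tested against is constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from Citrix.
# NetScaler CLI equivalent of the GUI steps, plus a check for clear-text back ends.
set -eu

VIP_NAME="MySite_LB_VIP"
VIP_IP="192.168.11.203"
CERT_FILE="Mysite_LB_VIP_cert.cer"     # CA-signed VIP cert uploaded in step 6
KEY_FILE="MySite_LB_VIP.key"           # passphrase-protected key from step 5
CA_FILE="MySite_LB_VIP_CA_cert.cer"    # root CA exported in step 6

# Steps 1-4 and 7-10.  The two back ends are SSL services on 443, never HTTP on
# 80: that single choice is the difference between plain offload (clear text to
# the web servers) and the end-to-end encryption the post describes.
# "-password" on the certKey line prompts for the key passphrase, so run that
# line interactively.  The last four lines (server authentication) are an
# addition beyond the post; they assume the back ends' certs chain to CA_FILE.
netscaler_config() {
    cat <<EOF
enable ns feature LB SSL
add server server1.mylab.local 192.168.11.201
add server server2.mylab.local 192.168.11.202
add service Server1_https server1.mylab.local SSL 443
add service Server2_https server2.mylab.local SSL 443
add lb vserver $VIP_NAME SSL $VIP_IP 443
add ssl certKey ${VIP_NAME}_cert -cert $CERT_FILE -key $KEY_FILE -password
add ssl certKey ${VIP_NAME}_CA_cert -cert $CA_FILE
link ssl certKey ${VIP_NAME}_cert ${VIP_NAME}_CA_cert
bind ssl vserver $VIP_NAME -certkeyName ${VIP_NAME}_cert
bind ssl vserver $VIP_NAME -certkeyName ${VIP_NAME}_CA_cert -CA
bind lb vserver $VIP_NAME Server1_https
bind lb vserver $VIP_NAME Server2_https
set ssl service Server1_https -serverAuth ENABLED
set ssl service Server2_https -serverAuth ENABLED
bind ssl service Server1_https -certkeyName ${VIP_NAME}_CA_cert -CA
bind ssl service Server2_https -certkeyName ${VIP_NAME}_CA_cert -CA
save ns config
EOF
}

# Check for an existing ns.conf read on stdin: print every SSL vserver that is
# bound to an HTTP service, i.e. every place where offload really does forward
# clear text.  Relies on ns.conf listing "add" lines before "bind" lines.
cleartext_backends() {
    awk '
        $1=="add"  && $2=="service"                               { type[$3] = $5 }
        $1=="add"  && $2=="lb" && $3=="vserver" && $5=="SSL"      { sslvs[$4] = 1 }
        $1=="bind" && $2=="lb" && $3=="vserver" && ($4 in sslvs) && type[$5]=="HTTP" {
            print $4 " -> " $5
        }'
}

# Constructed sample of the offload-only layout the post warns about.
weak_config_sample() {
    cat <<EOF
add server server1.mylab.local 192.168.11.201
add service Server1_http server1.mylab.local HTTP 80
add lb vserver MySite_LB_VIP SSL 192.168.11.203 443
bind lb vserver MySite_LB_VIP Server1_http
EOF
}

# When run directly: print the configuration and confirm it has no clear-text hop.
netscaler_config
if [ -n "$(netscaler_config | cleartext_backends)" ]; then
    echo "clear-text back end found" >&2
    exit 1
fi
```

Two practical notes. The appliance ships with nsroot/nsroot, so change that password before the VIP carries real traffic. And once the config is saved, openssl s_client -connect 192.168.11.203:443 -servername mysite.mylab.local -CAfile MySite_LB_VIP_CA_cert.cer run from a client shows the chain the VIP serves and should end with Verify return code: 0 (ok); a non-zero code there usually means the step 8 link is missing.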

Testing the VIP and SSL load balancer

I am able to access Server2.mylab.local as the VIP round robins the requests

citrix netscaler testing vip

Refreshing the page takes me to the second load balanced server

citrix netscaler testing vip load balancing
