I finally got a chance to set up and configure a Citrix Netscaler appliance to load balance two websites. In this setup the Netscaler will load balance two SSL (HTTPS) web servers with end-to-end encryption.
I did run into some confusion around “SSL Offloading”. In my configuration I wanted everything to be secured with SSL. A simple “SSL Offloading” setup decrypts the SSL traffic on the load balancer and forwards the traffic to the web servers in clear text (HTTP). The clear text traffic is then vulnerable to being captured, read and compromised.
There is a simple way to configure “SSL Offloading” without sending clear text (HTTP) to the internal web servers. When adding Services, add the two web servers as HTTPS services; the traffic decrypted at the VIP is then re-encrypted before it is sent to the internal web servers. Citrix will also use “Session multiplexing” to re-use existing SSL connections to the internal web servers and avoid the CPU-intensive key exchange.
Load Balancing VIP (https 192.168.11.203)
  |-- WebServer-1 (https 192.168.11.201)
  |-- WebServer-2 (https 192.168.11.202)
How to set up Load Balancing in Citrix Netscaler:
1. Add Servers
2. Add a Service, two “https” web servers
3. Add a Virtual server (VIP)
4. Enable “SSL Offloading” and “Load Balancing”
5. SSL – Create an RSA key, use RSA key to create a cert request.
6. SSL – Download the cert request, forward it to the CA, upload the cert/rootCA to the NS LB
7. Install the cert and rootCA in NS LB
8. Link the cert to the rootCA so they become a pair
9. Bind the Services to the Virtual Server VIP
10. Bind the cert to the LB VIP, bind the rootCA to the LB VIP
11. Virtual server (VIP) will turn green and will start to load balance the sites
Log into the Netscaler appliance with the default credentials: http://192.168.11.222
Add the two web servers that will be behind the Load Balancer virtual IP
Traffic Management > Load Balancing > Servers > Add
Add Service 1 specifying HTTPS and port 443 – “Server1_https / server1.mylab.local”
Add Service 2 specifying HTTPS and port 443 – “Server2_https / server2.mylab.local”
This is the main Load Balancing virtual server IP (VIP) that will forward the traffic to the two web servers.
Add virtual server VIP
Click on Settings > “Configure Basic Features”
Make sure “SSL Offloading” and “Load Balancing” are checked.
Create the private key that will generate the certificate request
SSL > Create RSA Key
Create the “RSA Key”: 2048 bits, PEM format, DES3 encryption, and enter a PEM passphrase
Create the Certificate Signing Request “MySite_LB_VIP_request”; we need to specify the private key created previously, “MySite_LB_VIP.key”, to create the certificate request. For Common Name type in mysite.mylab.local, or whatever name will be used to access the main site.
Now that we have the certificate request for the Load Balancer virtual server (VIP) we need to get the certificate.
Log into the local CA (certificate authority) and generate a CA-signed cert
Click Advanced Certificate request
Click “Submit a certificate request…”
Paste the cert request into the window, choose the Web Server template and click Submit.
Choose Base 64 encoded
Upload the cert you just generated, “Mysite_LB_VIP_cert.cer”, to the Citrix appliance
All we need now is the Root CA cert, so that we can upload it to the Citrix Netscaler appliance. We can extract the Root CA cert from MySite_LB_VIP.cer: download that cert and open it in Windows, click on Certification Path, highlight the root CA cert and click “View Certificate”. This opens the root CA cert and we will be able to export it.
Export the Root CA
Export the root CA: “Copy to…”, choose Base-64 encoding
Save the root CA as “MySite_LB_VIP_CA_cert”
Now we should have the Load Balancer VIP cert and the root CA uploaded to the appliance.
Now that we have the certs we need to install them in Citrix
Install the Root CA certificate, leaving “Key File Name” and “Password” empty
Both certificates should be installed as seen below and show “Valid” in the status column
Link the VIP cert to the root CA so that it is a complete chain.
Link the LB VIP cert to the root CA cert
The Virtual Server VIP will show up in red which is fine. It will turn green when you attach the Services, VIP cert and CA cert to the Virtual Server. Highlight the MySite_LB_VIP and click Edit or double click on the Virtual Server VIP.
Bind the Virtual Server VIP certificate and CA certificate to the Virtual Server
Bind the server certificate to the Virtual Server VIP
Bind the Root CA certificate to the Virtual Server VIP
Bind the two services defined previously to the Virtual Server VIP
Now you should have 2 service bindings and 1 Server cert and 1 CA cert
Give it a minute or so before the Virtual Server turns green; I had to refresh the screen to see it turn green. If it’s not turning green, go back to the SSL section and make sure the certs show up as Valid in the status column. Make sure the VIP cert is linked to the Root CA cert as mentioned in step 8. Make sure you bind the services, cert and CA cert to the Virtual Server VIP as mentioned in steps 9 and 10. Make sure under Settings that “Load Balancing” and “SSL Offloading” are checked.
It took about a minute for the virtual server VIP to turn green. I had to refresh the screen.
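The two things that go wrong most often in this setup are the ones described above: a backend Service added as HTTP instead of HTTPS (so the VIP quietly sends clear text to the web server) and a VIP cert that is not linked to its CA or not bound to the Virtual Server (so the VIP never turns green). The script below is an added example, not part of the original post, that audits a saved Netscaler config (the text form that `show ns runningConfig` prints) for exactly those conditions. The config excerpt is constructed with the names and IPs from this post; the command syntax is assumed from the Netscaler CLI, key-passphrase options are omitted, and the second Service is deliberately written as HTTP to show the clear-text finding.

```python
# Constructed config excerpt in Netscaler config-file syntax (assumed form);
# names and IPs follow the post, Server2_https is deliberately HTTP.
SAMPLE_CONFIG = """
add server server1 192.168.11.201
add server server2 192.168.11.202
add service Server1_https server1 SSL 443
add service Server2_https server2 HTTP 80
add lb vserver MySite_LB_VIP SSL 192.168.11.203 443 -lbMethod ROUNDROBIN
bind lb vserver MySite_LB_VIP Server1_https
bind lb vserver MySite_LB_VIP Server2_https
add ssl certKey MySite_LB_VIP_CA_cert -cert MySite_LB_VIP_CA_cert.cer
add ssl certKey MySite_LB_VIP_cert -cert Mysite_LB_VIP_cert.cer -key MySite_LB_VIP.key
bind ssl vserver MySite_LB_VIP -certkeyName MySite_LB_VIP_cert
"""


def audit_ssl_vservers(config):
    """Return one finding string per problem found on each SSL lb vserver."""
    services, vservers, bindings, certs, links, vcerts = {}, {}, {}, set(), {}, {}
    for line in config.splitlines():
        p = line.split()
        if not p:
            continue
        if p[:2] == ["add", "service"]:
            services[p[2]] = p[4]                      # service name -> protocol
        elif p[:3] == ["add", "lb", "vserver"]:
            vservers[p[3]] = p[4]                      # vserver name -> protocol
        elif p[:3] == ["bind", "lb", "vserver"]:
            bindings.setdefault(p[3], []).append(p[4])  # vserver -> bound services
        elif p[:3] == ["add", "ssl", "certKey"]:
            certs.add(p[3])                            # installed cert/key pairs
        elif p[:3] == ["link", "ssl", "certKey"]:
            links[p[3]] = p[4]                         # server cert -> issuing CA cert
        elif p[:3] == ["bind", "ssl", "vserver"] and "-certkeyName" in p and "-CA" not in p:
            vcerts[p[3]] = p[p.index("-certkeyName") + 1]  # vserver -> server cert
    findings = []
    for name, proto in vservers.items():
        if proto != "SSL":
            continue                                   # only end-to-end SSL VIPs matter here
        if not bindings.get(name):
            findings.append(f"{name}: no services bound, vserver will stay DOWN")
        for svc in bindings.get(name, []):
            if services.get(svc) != "SSL":             # HTTP backend = clear text leaving the VIP
                findings.append(f"{name}: service {svc} is {services.get(svc)}, backend traffic is clear text")
        cert = vcerts.get(name)
        if cert is None:
            findings.append(f"{name}: no server certificate bound")
        elif cert not in certs:
            findings.append(f"{name}: certificate {cert} is bound but not installed")
        elif cert not in links:
            findings.append(f"{name}: certificate {cert} is not linked to its CA certificate")
    return findings
```

Running it on a clean export (both Services SSL, `link ssl certKey` present) returns an empty list, so it is cheap to run after every change before trusting a green VIP.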
Testing the VIP and SSL load balancer
I am able to access Server2.mylab.local as the VIP round-robins the requests
Refreshing the page takes me to the second load balanced server