Navigation
- Monitor
- Servers
- Service Group
- Responder
- Load Balancing Virtual Server
- SSL Redirect
- SSL Warning
- CLI Commands
Monitor
- On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
- On the right, click Add.
- Name it Director or similar.
- Change the Type drop-down to HTTP.
- If you will use SSL to communicate with the Director servers, then scroll down and check the box next to Secure.
- Switch to the Special Parameters tab.
- In the HTTP Request field, enter GET /Director/LogOn.aspx?cc=true
- If Single Sign-on is enabled on Director, then you might have to add 302 as a Response Code.
- Click Create.
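The monitor above is just an HTTP GET whose status line is compared against the configured response codes, so its behaviour can be reproduced locally. The following Python is an added example, not NetScaler code or the article's own: it parses a raw HTTP response the way the monitor's response-code check does, returns the same Success/Failure wording as the Monitor Details dialog, and optionally sends the real probe to a Director server. The host name, the sample responses and the Location header value are constructed for the example.

```python
"""Emulate the NetScaler HTTP monitor for Director (added example, not NetScaler code)."""
import http.client
import ssl

# Request string and response codes from the article: 200 by default,
# plus 302 when Director single sign-on answers the probe with a redirect.
HTTP_REQUEST = "GET /Director/LogOn.aspx?cc=true"
DEFAULT_RESP_CODES = {200}
SSON_RESP_CODES = {200, 302}


def status_code(raw_response: bytes) -> int:
    """Return the status code from the status line of a raw HTTP response."""
    status_line, _, _ = raw_response.partition(b"\r\n")
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP status line: %r" % status_line)
    return int(parts[1])


def monitor_verdict(raw_response: bytes, sson_enabled: bool = False) -> str:
    """Mimic the monitor's Last Response text: Success/Failure plus the code seen."""
    accepted = SSON_RESP_CODES if sson_enabled else DEFAULT_RESP_CODES
    try:
        code = status_code(raw_response)
    except ValueError:
        return "Failure - response is not a valid HTTP status line"
    outcome = "Success" if code in accepted else "Failure"
    return f"{outcome} - HTTP response code {code} received"


def probe(host: str, secure: bool = True, sson_enabled: bool = False,
          timeout: float = 5.0) -> str:
    """Send the monitor's request to one Director server and return the verdict.

    With secure=True the certificate is verified against the system trust store,
    which also tells you whether the name on the Director certificate matches.
    """
    path = HTTP_REQUEST.split(" ", 1)[1]
    if secure:
        conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        raw = f"HTTP/1.1 {resp.status} {resp.reason}\r\n".encode()
        return monitor_verdict(raw, sson_enabled)
    finally:
        conn.close()


# Constructed sample responses, not captured from a real Director server.
SAMPLE_OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
SAMPLE_SSON = b"HTTP/1.1 302 Found\r\nLocation: /Director/\r\n\r\n"
SAMPLE_404 = b"HTTP/1.1 404 Not Found\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("no SSON", SAMPLE_OK), ("SSON redirect", SAMPLE_SSON),
                       ("wrong URL", SAMPLE_404)):
        print(f"{label:14} 200 only:     {monitor_verdict(raw)}")
        print(f"{label:14} 200 and 302:  {monitor_verdict(raw, sson_enabled=True)}")
    # Live check against a real server, e.g.:
    # print(probe("director01.corp.example", secure=True, sson_enabled=True))
```

The 302 case is the one the article warns about: with single sign-on enabled the probe is redirected, so a monitor that only accepts 200 marks a healthy server DOWN; a 404 means the request path itself is wrong for that Director version and adding 302 will not help.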
Servers
- On the left, expand Traffic Management, expand Load Balancing, and click Servers.
- On the right, click Add.
- Enter a descriptive server name. Usually it matches the actual server name.
- Enter the IP address of the server.
- Enter comments to describe the server. Click Create.
- Continue adding Director servers.
Service Group
- On the left, expand Traffic Management, expand Load Balancing, and click Service Group.
- On the right, click Add.
- Give the Service Group a descriptive name (e.g. svcgrp-Director-SSL).
- Change the Protocol to HTTP or SSL. If the protocol is SSL, ensure the Director Monitor has Secure enabled.
- Scroll down and click OK.
- Click where it says No Service Group Member.
- If you did not previously create server objects, then enter the IP address of a Director Server. If you previously created server objects, then change the selection to Server Based and select the server objects.
- Enter 80 or 443 as the port. Then click Create.
- On the right, under Advanced Settings, click Monitors.
- On the left, in the Monitors section, click where it says No Service Group to Monitor Binding.
- Click the arrow next to Click to select.
- Select the Director monitor and click Select.
- Then click Bind.
- To verify that the monitor is working, on the left, in the Service Group Members section, click the Service Group Members line.
- Highlight a member and click Monitor Details.
- The Last Response should be Success – HTTP response code 200 received. Click Close twice.
- Then click Done.
Responder
Create a Responder policy to redirect users from the root page to /Director.
- Go to AppExpert > Responder and enable the feature if it isn’t already enabled.
- Go to AppExpert > Responder > Actions.
- On the right, click Add.
- Give the Action a name (e.g. Director_Redirect).
- Change the Type to Redirect.
- In the Expression box, enter "/Director", including the quotes.
- Click Create.
- Go to AppExpert > Responder > Policies.
- On the right, click Add.
- Give the Policy a name (e.g. Director_Redirect).
- Select the previously created Action.
- In the Expression box, enter HTTP.REQ.URL.PATH.EQ("/")
- Click Create.
Load Balancing Virtual Server
- Create or install a certificate that will be used by the SSL Virtual Server. This certificate must match the DNS name for the load balanced Director servers.
- On the left, under Traffic Management > Load Balancing, click Virtual Servers.
- On the right click Add.
- Name it Director-SSL-LB or similar.
- Change the Protocol to SSL.
- Specify a new internal VIP.
- Enter 443 as the Port.
- Click OK.
- On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.
- Click the arrow next to Click to select.
- Select your Director Service Group and click Select.
- Click Bind.
- Click Continue.
- Click where it says No Server Certificate.
- Click the arrow next to Click to select.
- Select the certificate for this Director Load Balancing Virtual Server and click Select.
- Click Bind.
- Click Continue.
- On the right, in the Advanced Settings column, click Persistence.
- Select SOURCEIP persistence.
- Set the timeout to match the timeout of Director. The default timeout for Director is 245 minutes.
- The IPv4 Netmask should default to 32 bits.
- Click OK.
- On the right, in the Advanced Settings section, add the Policies section.
- On the left, in the Policies section, click the plus icon.
- Select Responder in the Choose Policy drop-down and click Continue.
- Select the previously created Director_Redirect policy and click Bind.
- If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, bind a Modern Cipher Group, and enable Strict Transport Security.
bind ssl vserver MyvServer -certkeyName MyCert
set ssl vserver MyvServer -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED
unbind ssl vserver MyvServer -cipherName ALL
bind ssl vserver MyvServer -cipherName Modern
bind ssl vserver MyvServer -eccCurveName ALL
bind lb vserver MyvServer -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE
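A quick way to confirm that the SSL hardening above actually landed on a vserver is to read the settings back out of the running configuration rather than trusting the GUI. The following Python is an added example, not NetScaler code or the article's own: it parses the kinds of "set ssl vserver", "bind/unbind ssl vserver" and "bind lb vserver" lines shown above and reports which of the hardening steps are missing (SSLv3 disabled, TLS 1.2 enabled, the Modern cipher group bound, a certificate bound, the STS-header policy bound as a RESPONSE policy). The sample configuration is the article's command list with the names MyvServer, MyCert and insert_STS_header; option matching is exact-case, which is an assumption about how the config was saved.

```python
"""Lint the SSL settings of a NetScaler lb vserver from saved CLI lines (added example)."""
import shlex

# The article's hardening commands, used here as constructed sample input.
SAMPLE_CONFIG = """
bind ssl vserver MyvServer -certkeyName MyCert
set ssl vserver MyvServer -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED
unbind ssl vserver MyvServer -cipherName ALL
bind ssl vserver MyvServer -cipherName Modern
bind ssl vserver MyvServer -eccCurveName ALL
bind lb vserver MyvServer -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE
"""


def parse_options(tokens):
    """Turn ["-ssl3", "DISABLED", "-priority", "100"] into {"ssl3": "DISABLED", ...}."""
    opts, key = {}, None
    for tok in tokens:
        if tok.startswith("-") and not tok[1:].isdigit():
            key = tok[1:]
            opts[key] = True          # option given without a value
        elif key is not None:
            opts[key] = tok
            key = None
    return opts


def vserver_state(config_text, name):
    """Replay the lines that mention one vserver and return what is in effect."""
    state = {"ssl3": None, "tls11": None, "tls12": None,
             "ciphers": [], "certkeys": [], "policies": []}
    for line in config_text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 4 or tokens[3] != name:
            continue
        verb = tuple(tokens[:3])
        opts = parse_options(tokens[4:])
        if verb == ("set", "ssl", "vserver"):
            for k in ("ssl3", "tls11", "tls12"):
                if k in opts:
                    state[k] = opts[k]
        elif verb == ("bind", "ssl", "vserver"):
            if "cipherName" in opts:
                state["ciphers"].append(opts["cipherName"])
            if "certkeyName" in opts:
                state["certkeys"].append(opts["certkeyName"])
        elif verb == ("unbind", "ssl", "vserver") and "cipherName" in opts:
            # "unbind ... -cipherName ALL" empties the cipher list, as in the article.
            if opts["cipherName"] == "ALL":
                state["ciphers"].clear()
            else:
                state["ciphers"] = [c for c in state["ciphers"] if c != opts["cipherName"]]
        elif verb == ("bind", "lb", "vserver") and "policyName" in opts:
            state["policies"].append((opts["policyName"], opts.get("type")))
    return state


def findings(config_text, name, sts_policy="insert_STS_header"):
    """Return a list of hardening steps from the article that are not present."""
    s = vserver_state(config_text, name)
    out = []
    if s["ssl3"] != "DISABLED":
        out.append("SSLv3 is not explicitly disabled")
    if s["tls12"] != "ENABLED":
        out.append("TLS 1.2 is not explicitly enabled")
    if "Modern" not in s["ciphers"]:
        out.append("Modern cipher group is not bound")
    if not s["certkeys"]:
        out.append("no certificate bound")
    if (sts_policy, "RESPONSE") not in s["policies"]:
        out.append("STS header policy not bound as a RESPONSE policy")
    return out


if __name__ == "__main__":
    for problem in findings(SAMPLE_CONFIG, "MyvServer") or ["no findings"]:
        print(problem)
```

Feed it the output of "show ns runningConfig" (or the saved ns.conf) and the vserver name; the same replay logic is why the article unbinds ALL before binding Modern, since binding on top of the default list would leave the weak ciphers in place.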
SSL Redirect
- Right-click the Director SSL Load Balancing Virtual Server and click Add.
- Change the Name to Director-HTTP-SSLRedirect or something like that.
- Change the Protocol to HTTP.
- Click OK. This HTTP Virtual Server uses the same VIP as the SSL Load Balancer.
- Bind the AlwaysUp service. See SSL Redirect – Responder Method for more information.
- Bind the http_to_ssl_redirect_responderpol Responder Policy.
- That’s all this LB vServer needs. Click Done when done.
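The Responder section and the SSL Redirect section together describe two redirects that a browser walks through in order: the HTTP vserver sends everything to https://, then the SSL vserver sends the root path to /Director. The following Python is an added example, not NetScaler code or the article's own: it models the two policy expressions and redirect actions from the article's CLI list, plus the two alternative expressions discussed in the comments, and follows the chain with a hop limit so that a policy that also matches its own target shows up as a redirect loop. The host name director.corp.example and the sample requests are constructed, and url_safe() is only an approximation of NetScaler's HTTP_URL_SAFE.

```python
"""Model the Director redirect chain from the article (added example, not NetScaler code)."""
from urllib.parse import quote, urlsplit


def url_safe(text: str) -> str:
    """Approximation of HTTP_URL_SAFE: percent-encode characters that are unsafe in a URL."""
    return quote(text, safe="/:?=&%~.-_")


def http_to_ssl_redirect(hostname: str, path_and_query: str) -> str:
    """Action http_to_ssl_redirect_responderact: "https://" + HOSTNAME + PATH_AND_QUERY."""
    return "https://" + url_safe(hostname) + url_safe(path_and_query)


def root_to_director(path: str):
    """Policy Director_Redirect: HTTP.REQ.URL.PATH.EQ("/") -> redirect to "/Director"."""
    return "/Director" if path == "/" else None


def contains_director_not(path: str):
    """Comment variant: HTTP.REQ.URL.CONTAINS("Director").NOT (case-sensitive)."""
    return "/Director" if "Director" not in path else None


def startswith_director_not(path: str):
    """Comment variant: URL.PATH.SET_TEXT_MODE(IGNORE_CASE).STARTSWITH("/Director").NOT."""
    return "/Director" if not path.lower().startswith("/director") else None


def resolve(url: str, ssl_policy=root_to_director, max_hops: int = 5):
    """Return the URLs a browser visits; raise RuntimeError on a loop or too many hops.

    Requests on port 80 hit the HTTP vserver (always redirected to https);
    requests on 443 hit the SSL vserver, where ssl_policy decides.
    """
    visited = [url]
    for _ in range(max_hops):
        parts = urlsplit(url)
        path_and_query = parts.path + ("?" + parts.query if parts.query else "")
        if parts.scheme == "http":
            url = http_to_ssl_redirect(parts.hostname, path_and_query)
        else:
            target = ssl_policy(parts.path)
            if target is None:
                return visited          # no policy fired: the request reaches Director
            url = f"https://{parts.hostname}{target}"
        if url in visited:
            raise RuntimeError("redirect loop: " + " -> ".join(visited + [url]))
        visited.append(url)
    raise RuntimeError("more than %d redirects" % max_hops)


if __name__ == "__main__":
    # Constructed sample requests against a hypothetical VIP name.
    for start in ("http://director.corp.example/",
                  "https://director.corp.example/Director/LogOn.aspx?cc=true"):
        print(" -> ".join(resolve(start)))
    # A policy that fires on every path matches its own target and loops:
    try:
        resolve("https://director.corp.example/", ssl_policy=lambda p: "/Director")
    except RuntimeError as err:
        print(err)
```

This is the reason the article matches the root page only: HTTP.REQ.IS_VALID is right for the HTTP-to-SSL hop, where the target lives on a different vserver, but an always-true expression on the SSL vserver would redirect /Director to itself.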
SSL Warning
- If you are doing SSL Offload (SSL on front end, HTTP on back end), when connecting to Director it might complain about “You are not using a secure connection”.
- To turn off this warning, log in to the Director servers and run IIS Manager.
- On the left, navigate to Server > Sites > Default Web Site > Director.
- In the middle, double-click Application Settings.
- Change UI.EnableSslCheck to false.
CLI Commands
Here is a list of NetScaler CLI commands for Director Load Balancing:
add server Director01 10.2.2.18
add server Director02 10.2.2.100
add server 127.0.0.1 127.0.0.1
add service AlwaysUp 127.0.0.1 HTTP 80
add serviceGroup svcgrp-Director-SSL SSL
add ssl certKey wildcom -cert WildcardCorpCom_pem -key WildcardCorpCom_pem
add lb vserver Director-SSL-LB SSL 10.2.2.210 443 -persistenceType SOURCEIP -timeout 245
add lb vserver Director-HTTP-SSLRedirect HTTP 10.2.2.210 80 -persistenceType NONE
add responder action Director_Redirect redirect "\"/Director\"" -responseStatusCode 302
add responder action http_to_ssl_redirect_responderact redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE" -responseStatusCode 302
add responder policy Director_Redirect "http.REQ.URL.PATH.EQ(\"/\")" Director_Redirect
add responder policy http_to_ssl_redirect_responderpol HTTP.REQ.IS_VALID http_to_ssl_redirect_responderact
bind lb vserver Director-HTTP-SSLRedirect AlwaysUp
bind lb vserver Director-SSL-LB svcgrp-Director-SSL
bind lb vserver Director-SSL-LB -policyName Director_Redirect -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver Director-HTTP-SSLRedirect -policyName http_to_ssl_redirect_responderpol -priority 100 -gotoPriorityExpression END -type REQUEST
add lb monitor Director HTTP -respCode 200 -httpRequest "GET /Director/LogOn.aspx?cc=true" -LRTM DISABLED -secure YES
bind serviceGroup svcgrp-Director-SSL Director01 443
bind serviceGroup svcgrp-Director-SSL Director02 443
bind serviceGroup svcgrp-Director-SSL -monitorName Director
set ssl serviceGroup svcgrp-Director-SSL -tls11 DISABLED -tls12 DISABLED
bind ssl vserver Director-SSL-LB -certkeyName wildcom
bind ssl vserver Director-SSL-LB -eccCurveName P_256
bind ssl vserver Director-SSL-LB -eccCurveName P_384
bind ssl vserver Director-SSL-LB -eccCurveName P_224
bind ssl vserver Director-SSL-LB -eccCurveName P_521
Thanks Carl,
I have set this 2 x Directors up to LB via GSLB, however get:
“An internal error has occurred. For assistance contact your administrator” when going via the GSLB setup.
The problem is not present if I go directly to the Directors using their IP, bypassing GSLB.
I have configured:
– New monitor (secure) with 302 as a response code, bound to the service – it has a healthy UP status
– created a responder policy and action and bound to the associated virtual server
Any ideas would be appreciated.
A
Are you doing active/active GSLB? If you disable one GSLB Service, does it work? If so, then that suggests a persistence problem.
Do you have SSON enabled for Director? Try it without.
Superstar… enabling Persistence using sourceip resolved the problem
Thanks Carl!
A
Hey Carl,
As always, superb info and awesome writeup… thank you!
Wondering if you could kindly tip on the following setup – all internal facing:
Datacenter 1
—————–
Netscaler
Director x 1
Datacenter 2
—————–
Netscaler
Director x 1
Load balance Directors using NS via one VIP/FQDN between both NetScalers.
I am assuming a GSLB setup… any info for this would be greatly appreciated.
Thanks in advance.
Newbie 🙂
If you have a single DNS name that could resolve to more than one IP, then that’s exactly what GSLB is intended for. Are you asking how to configure GSLB? With Director in multiple datacenters, I normally configure GSLB.
Thanks Carl,
Appreciate the reply.
GSLB it is, began reading your guide: https://www.carlstalhood.com/global-server-load-balancing
One thing I am unsure about is how to forward (delegate) the FQDN to NS GSLB from the internal DNS domain? For example, I want DirectorGSLBVIP.domain.local to be forwarded/delegated to NS GSLB.
Thanks in advance,
Newbie 🙂
https://www.carlstalhood.com/global-server-load-balancing/#dnsdelegation Has instructions for Microsoft DNS.
Thanks again Carl!
Hi Carl, thx for all the great content on your site. I was wondering if you’ve ever used F5 for load balancing citrix and have any thoughts?
For normal load balancing, F5 is fine. However, for ICA Proxy, F5 has limitations as compared to NetScaler Gateway. There are advantages for one vendor to provide the full stack.
Carl, we have 2 locations with 2 Citrix Sites in each location. We would like to set up Director behind GSLB. So we would have 2 Director servers in each location, with each Director server pointing at different Delivery Controllers in its home location and remote location. Any thoughts or hangups with that scenario?
I can’t think of any issue with that, other than the Saved Filters probably needing to be moved to a shared folder.
Hi Carl, great articles!
I installed a fresh Director 7.9 instance as part of an upgrade from 7.6, but before I read your article (I’m a nube). You mentioned only pointing it to a single Delivery Controller and I pointed it to 2 DDC’s. Also, I’m using NS to load balance.
My question is:
1) How to remove the additional DDC from Director?
2) On the other Director server, do I use the same DDC?
Chris
In IIS > Default Web Site > Director, in the middle is Application Settings. There’s Service.AutoDiscoveryAddresses.
I usually point each Director server to a different Controller.
Hey Carl.
I’m having trouble load balancing Director for XenApp 7.9. I’ve used the monitor you’ve specified above but it won’t work; I just keep getting the response: Failure – HTTP response code 404 received.
I think the page URL might be different to the 7.6 version. I’ve tried changing it slightly in the monitor special parameters but whatever I have tried doesn’t seem to work.
I’ve enabled the windows authentication option in IIS so I’m wondering if that is doing something weird to the URL.
Any thoughts on what I should try?
With SSON enabled in Director, I’m guessing you’re getting a 302 response code. You can add 302 as a valid response in your monitor.
Hello Carl,
I have tried this monitor and various combinations with no luck. I am on Director 7.15.2000 Build 225. Added GET /Director/LogOn.aspx?cc=true with SSL and response code 200 and 302. Is there anything specific that needs to be set under Advanced Parameters?
Hello Carl,
First a big Thank you for all your Articles. They helped me a lot.
I’ve got a problem with LB and SSON. When I implement the settings for SSON, the monitor you described is no longer working.
I added 302 as a Response Code. Let me know if you find a better solution.
Hi Carl,
i use NetScaler VPX Version 11.0 64.34nc.
I’ve configured all the points and everything is up.
When I try to open the Director over the load balancing address, the website is loading but the director site does not appear.
The default SSL Profile is not enabled so I’ve tried to set the recommend settings.
But when I create the “Modern” cipher group I get the following error: “AES-GCM/SHA2 ciphers not supported on VPX and FIPS.”
Any idea?? What can I do?
11.0 build 65 adds support for GCM ciphers on VPX. But that shouldn’t cause a problem. Are you doing 443 on front end and 80 on back end? If so, you might have to open SSL vServer > SSL Parameters, check box for SSL Redirect.
Thanks for your fast answer.
I use 443 on front and back end.
After a long loading time I get the message “err_Empty_response”.
With SSON enabled? Or without?
I assume you can connect to either Director server directly and see the logon page.
If you only load balance to one Director server, does it work?
Without SSON enabled.
Yes, when I connect to both Director servers directly I can log on and everything works fine.
When I load balance to one Director, I get the same error. I tried that with both of them.
I created an LB Director using your guide. I also enabled SSO on the Director, and when using the LB Virtual Server it connects correctly to the Director using SSL. But after logging in I get an error from the Director:
Cannot retrieve the data.
Data source unresponsive or reported an error. View Director server event logs for further information.
The eventlog on the director says:
Failed to connect to data source ‘Unknown error.’ (‘https://director01.domain.local:8083/’).
Verify that the data source is available.
User: ‘AWL\admin_user’
Console operation: ‘Retrieving license server alerts data…’
Additional diagnostics information (error message):
‘The server committed a protocol violation. Section=ResponseStatusLine’
Does it work without SSO? I’ve not been able to get SSO to work properly through load balancing.
Port 8083?
When logging onto the director page on the director server it works.
The Citrix Licensing Manager on the Citrix license server uses that port 8083
SSO works great as long as you add the https://director.domain..com in your IE Intranet sites.
Did you ever solve this?
I have the exact same errors in my event log.
Carl, Seeing the same issue with our Director / Netscaler combination when using the responder policy to point users to /Director
With the policy bound, see a lot of ‘Cannot retrieve the data.
Data source unresponsive or reported an error. View Director server event logs for further information’
With the policy unbound all is well. Netscaler version 11.1 53.13nc
Using HTTP.REQ.URL.PATH.EQ(“/”) as the responder policy and “/Director” as the policy action.
Work around was to put a default page on the IIS box pointing users to the full URL.
Thanks for the write up. We only had one hitch:
It didn’t work the first time out; 10 minutes of troubleshooting and we figured it out. We had to configure the responder policy a bit differently.
Actions
“http://director.domain.com/Director/”
Policy
HTTP.REQ.URL.CONTAINS(“Director”).NOT
Not sure why but no biggie and we are rocking.
What specifically didn’t work?
Instead of CONTAINS, does HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORE_CASE).STARTSWITH(“/Director”).NOT work? I’m trying to be more precise.
Well first off, I think I am off base because the NS is still on 10.5 and this article is specific to 11. This is likely the issue. We’re upgrading in a couple of weeks.
In any case, the responder policy did not insert the “/Director” when we configured with the settings you defined in the initial write up so we configured the policy to redirect with the entire path: “http://director.domain.com/Director/” which worked great.
I’m sure it’s a version difference but we’re working.
Thanks,
Hmm, I did one today on 10.5 and it worked. My Customer originally created the Responder action as a Respond_With instead of Redirect and that naturally didn’t work. I rebuilt it as Redirect and it worked. The expression needs to match the root page only so it doesn’t go into a redirect loop.
Thanks for your articles Carl, it works like a dream!
Excellent write up… as always.
I just implemented this and it worked perfect first try.
Thank you for all the hard work you do.
No problem. I created this because somebody mentioned to me they couldn’t find it on my site. Let me know if anything else is missing.