Navigation
- GSLB Planning
- ADNS
- Metric Exchange Protocol
- GSLB Services
- GSLB Virtual Server
- Test GSLB
- DNS Delegation
- Geo Location Database
This article was written for NetScaler 10.5.
- For NetScaler 12.0 or Citrix ADC 12.1, see https://www.carlstalhood.com/global-server-load-balancing-gslb-netscaler-12/
- For NetScaler 11.1, see https://www.carlstalhood.com/global-server-load-balancing-gslb-netscaler-11-1/
GSLB Planning
GSLB is nothing more than DNS. GSLB is not in the data path. GSLB receives a DNS query and GSLB sends back an IP address, which is exactly how a DNS server works. However, GSLB can do some things that DNS servers can’t do:
- Don’t give out an IP address unless it is UP (monitoring)
- If active IP address is down, give out the passive IP address (active/passive)
- Give out the IP address that is closest to the user (proximity load balancing)
- Give out different IPs for internal vs external (DNS View)
GSLB is only useful if you have a single DNS name that could resolve to two or more IP addresses. If there’s only one IP address then use normal DNS instead.
Citrix Blog Post Global Server Load Balancing: Part 1 explains how DNS queries work and how GSLB fits in.
Citrix has a good DNS and GSLB Primer.
When configuring GSLB, don’t forget to ask “where is the data?”. For XenApp/XenDesktop, DFS multi-master replication of user profiles is not supported so configure “home” sites for users. More information at Citrix Blog Post XenDesktop, GSLB & DR – Everything you think you know is probably wrong!
GSLB can be enabled both externally and internally. For external GSLB, configure it on the DMZ NetScaler appliances and expose it to the Internet. For internal GSLB, configure it on internal NetScaler appliances. Note: Each NetScaler appliance only has one DNS table so if you try to use one NetScaler for both public and internal then be aware that external users can query for internal GSLB-enabled DNS names.
For internal and external GSLB of the same DNS name on the same appliance, you can use DNS Policies and DNS Views to return different IP addresses depending on where users are connecting from. Citrix CTX130163 How to Configure a GSLB Setup for Internal and External Users Using the Same Host Name.
However, GSLB monitoring applies to the entire GSLB Service so it would take down both internal and external GSLB. If you need different GSLB monitoring for internal and external of the same DNS name, try CNAME:
- External citrix.company.com:
- Configure NetScaler GSLB for citrix.company.com.
- On public DNS, delegate citrix.company.com to the NetScaler DMZ ADNS services.
- Internal citrix.company.com:
- Configure NetScaler GSLB for citrixinternal.company.com or something like that.
- On internal DNS, create CNAME for citrix.company.com to citrixinternal.company.com
- On internal DNS, delegate citrixinternal.company.com to NetScaler internal ADNS services.
Some IP Addresses are needed on each NetScaler pair:
- ADNS IP: An IP that will listen for ADNS queries. For external, create a public IP for the ADNS IP and open UDP 53 so Internet-based DNS servers can access it. This can be an existing SNIP on the appliance.
- GSLB Site IP / MEP IP: A GSLB Site IP that will be used for NetScaler-to-NetScaler communication, which is called MEP or Metric Exchange Protocol. The IP for ADNS can also be used for MEP / GSLB Site.
- RPC Source IP: RPC traffic is sourced from a SNIP, even if this is different than the GSLB Site IP. It’s less confusing if you use a SNIP as the GSLB Site IP.
- Public IP: For external GSLB, create public IPs that are NAT’d to the GSLB Site IPs. The same public IP used for ADNS can also be used for MEP. MEP should be routed across the Internet so NetScaler can determine if the remote datacenter has Internet connectivity or not.
- MEP Port: Open port TCP 3009 between the two NetScaler GSLB Site IPs. Make sure only the NetScalers can access this port on the other NetScaler. Do not allow any other device on the Internet to access this port. This port is encrypted.
- GSLB Sync Ports: To use GSLB Configuration Sync, open ports TCP 22 and TCP 3008 from the NSIP (management IP) to the remote public IP that is NAT’d to the GSLB Site IP. The GSLB Sync command runs a script in BSD shell and thus NSIP is always the Source IP.
- DNS Queries: The purpose of GSLB is to resolve a DNS name to one of several potential IP addresses. These IP addresses are usually public IPs that are NAT’d to existing Load Balancing, SSL Offload, Content Switching, or NetScaler Gateway VIPs in each datacenter.
- IP Summary: In summary, for external GSLB, you will need a minimum of two public IPs in each datacenter:
- One public IP that is NAT’d to the IP that is used for ADNS and MEP (GSLB Site IP). You only need one IP for ADNS / MEP no matter how many GSLB names are configured. MEP (GSLB Site IP) can be a different IP, if desired.
- One public IP that is NAT’d to a Load Balancing, SSL Offload, Content Switching, or NetScaler Gateway VIP.
- If you GSLB-enable multiple DNS names, each DNS name usually resolves to different IPs. This usually means that you will need additional public IPs NAT’d to additional VIPs.
ADNS
- Identify a SNIP that you will use for MEP and ADNS.
- Configure a public IP for the SNIP and configure firewall rules.
- If you wish to use GSLB configuration sync then management access (SSH) must be enabled on this SNIP.
- On the left, expand Traffic Management > Load Balancing, and click Services.
- On the right, click Add.
- Name the service ADNS or similar.
- In the IP Address field, enter an appliance SNIP.
- In the Protocol field, select ADNS. Then click OK.
- Scroll down and click Done.
- On the left of the console, expand System, expand Network, and then click IPs.
- On the right, you’ll see the SNIP is now marked as the ADNS svc IP. If you don’t see this yet, click the Refresh icon.
- Repeat on the other appliance in the other datacenter.
- Your NetScaler appliances are now DNS servers.
Metric Exchange Protocol
- Open the firewall rules for Metric Exchange Protocol. You can use the same SNIP and same public IP used for ADNS.
- On the left, expand Traffic Management, right-click GSLB, and enable the feature.
- Expand GSLB, and click Sites.
- On the right, click Add.
- Add the local site first. Enter a descriptive name and in the Site Type drop-down, select LOCAL.
- In the Site IP Address field, enter an appliance SNIP. This SNIP must be in the default Traffic Domain. The NetScaler listens for GSLB MEP traffic on this IP.
- For Internet-routed GSLB MEP, in the Public IP Address field, enter the public IP that is NAT’d to the GSLB Site IP (SNIP). For internal GSLB, there is no need to enter anything in the Public IP field. Click Create.
- Go back to System > Network > IPs, and verify that the IP is now marked as a GSLB site IP. If you don’t see it yet, click the Refresh button.
- If you want to use the GSLB Sync Config feature, then you’ll need to edit the GSLB site IP, and enable Management Access.
- Scroll down and enable Management Access. SSH is all you need.
- Go to the other appliance and also create the local GSLB site using its GSLB site IP and its public IP that is NAT’d to the GSLB site IP.
- In System > Network > IPs on the remote appliance, there should now be a GSLB site IP. This could be a SNIP. If GSLB Sync is desired, enable management access on that IP and ensure SSH is enabled.
- Now on each appliance add another GSLB Site, which will be the remote GSLB site.
- Enter a descriptive name and select REMOTE as the Site Type.
- Enter the other appliance’s actual GSLB Site IP as configured on the appliance. This IP does not need to be reachable.
- In the Public IP field, enter the public IP that is NAT’d to the GSLB Site IP on the other appliance. For MEP, TCP 3009 must be open from the local GSLB Site IP to the remote public Site IP. For GSLB sync, TCP 22, and TCP 3008 must be open from the local NSIP to the remote public Site IP. Click Create.
- Repeat on the other appliance.
- MEP will not function yet since the NetScaler appliances are currently configured to communicate unencrypted on TCP 3011. To fix that, on the left, expand System, expand Network, and click RPC.
- On the right, edit the new RPC address (the other site’s GSLB Site IP), and click Edit.
- On the bottom, check the box next to Secure, and click OK.
- Do the same thing on the other appliance.
- If you go back to GSLB > Sites, you should see it as active.
GSLB Services
GSLB Services represent the IP addresses that are returned in DNS Responses. DNS Query = DNS name. DNS Response = IP address.
GSLB should be configured identically on both NetScalers. Since you have no control over which NetScaler will receive the DNS query, you must ensure that both NetScalers are giving out the same DNS responses.
Create the same GSLB Services on both NetScalers:.
- Start on the appliance in the primary data center. This appliance should already have a traffic Virtual Server (NetScaler Gateway, Load Balancing, or Content Switching) for the DNS name that you are trying to GSLB enable.
- On the left, expand Traffic Management > GSLB, and click Services.
- On the right, click Add.
- The service name should be similar to the DNS name that you are trying to GSLB. Include the site name in the service name.
- Select the LOCAL Site.
- On the bottom part, select Virtual Servers, and then select a Virtual Server that is already defined on this appliance. It should automatically fill in the other fields. If you see a message asking if you wish to create a service object, click Yes.
- Scroll up and make sure the Service Type is SSL. It’s annoying that NetScaler doesn’t set this drop-down correctly.
- The Public IP field contains the actual IP Address that the GSLB ADNS service will hand out. Make sure this Public IP is user accessible. It doesn’t even need to be a NetScaler owned IP.
- Scroll down and click OK.
- If the GSLB Service IP is a VIP on the local appliance, then GSLB will simply use the state of the local traffic Virtual Server (Load Balancing, Content Switching, or Gateway). If the GSLB Service IP is a VIP on a remote appliance, then GSLB will use MEP to ask the other appliance for the state of the remote traffic Virtual Server. In both cases, there’s no need to bind a monitor to the GSLB Service.
- However, you can also bind monitors directly to the GSLB Service. Here are some reasons for doing so:
- If the GSLB Service IP is a NetScaler-owned traffic VIP, but the monitors bound the traffic Virtual Server are not the same ones you want to use for GSLB. When you bind monitors to the GSLB Services, the monitors bound to the traffic Virtual Server are ignored.
- If the GSLB Service IP is in a non-default Traffic Domain, then you will need to attach a monitor since GSLB cannot determine the state of Virtual Servers in non-default Traffic Domains.
- If the GSLB Service IP is not hosted on a NetScaler, then only GSLB Service monitors can determine if the Service IP is up or not.
- If you intend to do GSLB active/active and if you need site persistence then you can configure your GSLB Services to use Connection Proxy or HTTP Redirect. See Citrix Blog Post Troubleshooting GSLB Persistence with Fiddler for more details.
- Click Done.
- On the other datacenter NetScaler, create a GSLB Service.
- Select the REMOTE site that is hosting the service.
- Since the service is on a different appliance and not this one, you won’t be able to select it using the Virtual Servers option. Instead, select New Server.
- For the Server IP, enter the actual VIP configured on the other appliance. This local NetScaler will use GSLB MEP to communicate with the remote NetScaler to find a traffic Virtual Server with this VIP. The remote NetScaler respond if the remote traffic Virtual Server is up or not. The remote Server IP configured here does not need to be directly reachable by this local appliance. If the Server IP is not owned by either NetScaler, then you will need to bind monitors to your GSLB Service.
- In the Public IP field, enter the IP address that will be handed out to clients. This is the IP address that users will use to connect to the service. For Public DNS, you enter a Public IP that is usually NAT’d to the traffic VIP. For internal DNS, the Public IP and the Server IP are usually the same.
- Scroll up and change the Service Type to match the Virtual Server defined on the other appliance..
- Click OK.
- Just like the other appliance, you can also configure Site Persistence and GSLB Service Monitors. Click Done when done.
- Create more GSLB Services, one for each traffic VIP. GSLB is useless if there’s only one IP address to return. You should have multiple IP addresses (VIPs) through which a web service (e.g. NetScaler Gateway) can be accessed. Each of these VIPs is typically in different datacenters, or on different Internet circuits. The mapping between DNS name and IP addresses is configured in the GSLB vServer, as detailed in the next section.
GSLB Virtual Server
The GSLB Virtual Server is the entity that the DNS name is bound to. GSLB vServer then gives out the IP address of one of the GSLB Services that is bound to it.
Configure the GSLB vServer identically on both appliances:
- On the left, expand Traffic Management > GLSB and click Virtual Servers.
- On the right, click Add.
- Give the GSLB vServer a descriptive name. For active/active, you can name it the same as your DNS name. For active/passive, you will create two GSLB Virtual Servers, one for each datacenter, so include Active or Passive in the Virtual Server name.
- Make sure Service Type is set correctly.
- If you intend to bind multiple GSLB Services to this GSLB vServer, then you can optionally check the box for Send all “active” service IPs. By default, GSLB only gives out one IP per DNS query. This checkbox always returns all IPs, but the IPs are ordered based on the GSLB Load Balancing Method and/or GSLB Persistence.
- Click OK.
- On the right, in the Advanced column, click Service.
- On the left, click where it says No GSLB Virtual Server to GSLBService Binding.
- Click the arrow next to Click to select.
- Check the box next to an existing GSLB Service and click OK. If your GSLB is active/passive then only bind one service.
- If your GSLB is active/active then bind multiple GSLB Services. Also, you’d probably need to configure GSLB persistence (Source IP or cookies).
- Click Bind.
- On the right, in the Advanced column, click Domains.
- On the left, click where it says No GSLB Virtual Server Domain Binding.
- Enter the FQDN that GSLB will resolve.
- If this GSLB is active/passive, there are two options:
- Use the Backup IP field to specify the IP address that will be handed out if the primary NetScaler is inaccessible or if the VIP on the primary appliance is marked down for any reason.
- Or, create a second GSLB Virtual Server that has the passive GSLB service bound to it. Don’t bind a Domain to the second GSLB Virtual Server. Then edit the Active GSLB Virtual Server and use the Backup Virtual Server section to select the second GSLB Virtual Server.
- Click Bind.
- If this is active/active GSLB, you can edit the Method section to enable Static Proximity. This assumes the Geo Location database has already been installed on the appliance.
- Also for active/active, if you don’t want to use Cookie-based persistence, then you can use the Persistence section to configure Source IP persistence.
- Click Done.
- If you are configuring active/passive using the backup GSLB Virtual Server method, create a second GSLB Virtual Server that has the passive GSLB service bound to it. Don’t bind a Domain to the second GSLB Virtual Server. Then edit the Active GSLB Virtual Server and use the Backup Virtual Server section to select the second GSLB Virtual Server.
- On the left, if you expand Traffic Management > DNS, expand Records, and click Address Records, you’ll see a new DNS record for the GSLB domain you just configured. Notice it is marked as GSLB DOMAIN.
- Create identical GSLB Virtual Servers on the other NetScaler appliance. Both NetScalers must be configured identically.
- You can also synchronize the GSLB configuration with the remote appliance by going to Traffic Management > GSLB.
- On the right, click Sychronize configuration on remote sites.
- Use the check boxes on the top, if desired. It’s usually a good idea to Preview the changes before applying them. Then click OK to begin synchronization.
Some notes regarding GSLB Sync:
- It’s probably more reliable to do it from the CLI by running sync gslb config and one of the config options (e.g. -preview).
- GSLB Sync runs as a script on the BSD shell and thus always uses the NSIP as the source IP.
- GSLB Sync connects to the remote GSLB Site IP on TCP 3008 (if RPC is Secure) and TCP 22.
Test GSLB
- To test GSLB, simply point nslookup to the ADNS services and submit a DNS query for one of the DNS names bound to a GSLB vServer. Run the query multiple times to make sure you’re getting the response you expect.
- Both NetScaler ADNS services should be giving the same response.
- To simulate a failure, disable the traffic Virtual Server.
- Then the responses should change. Verify on both ADNS services.
- Re-enable the traffic Virtual Server, and the responses should return to normal.
DNS Delegation
If you are enabling GSLB for the domain gateway.corp.com, you’ll need to create a delegation at the server that is hosting the corp.com DNS zone. For public GSLB, you need to edit the public DNS zone for corp.com.
DNS Delegation instructions will vary depending on what product host’s the public DNS zone. This section details Microsoft DNS, but it should be similar in BIND or web-based DNS products.
There are two ways to delegate GSLB-enabled DNS names to NetScaler ADNS:
- Delegate the individual record. For example, delegate gateway.corp.com to the two NetScaler ADNS services (gslb1.corp.com and gslb2.corp.com).
- Delegate an entire subzone. For example, delegate the subzone gslb.corp.com to the two NetScaler ADNS services. Then create a CNAME record in the parent DNS zone for gateway.corp.com that is aliased to gateway.gslb.corp.com. When DNS queries make it to NetScaler, they will be for gateway.gslb.corp.com and thus gateway.gslb.corp.com needs to be bound to the GSLB Virtual Server instead of gateway.corp.com. For additional delegations, simply create more CNAME records.
This section covers the first method – delegating an individual DNS record:
- Run DNS Manager.
- First, create Host Records pointing to the ADNS services running on the NetScalers in each data center. These host records for ADNS are used for all GSLB delegations no matter how many GSLB delegations you need to create.
- The first Host record is gslb1 (or similar) and should point to the ADNS service (Public IP) on one of the NetScaler appliances.
- The second Host record is gslb2 and should point to the ADNS Service (public IP) on the other NetScaler appliance.
- If you currently have a host record for the service that you are delegating to GSLB (gateway.corp.com), delete it.
- Right-click the parent DNS zone and click New Delegation.
- In the Welcome to the New Delegation Wizard page, click Next.
- In the Delegated Domain Name page, enter the left part of the DNS record that you are delegating (e.g. gateway). Click Next.
- In the Name Servers page, click Add.
- This is where you specify gslb1.corp.com and gslb2.corp.com. Enter gslb1.corp.com and click Resolve. Then click OK. If you see a message about the server not being authoritative for the zone, ignore the message.
- Then click Add to add the other GSLB ADNS server.
- Once both ADNS servers are added to the list, click Next.
- In the Completing the New Delegation Wizard page, click Finish.
- If you run nslookup against your Microsoft DNS server, it will respond with Non-authoritative answer. That’s because it got the response from NetScaler and not from itself.
That’s all there is to it. Your NetScalers are now DNS servers. For active/passive, the NetScalers will hand out the public IP address of the primary data center. When the primary data center is not accessible, GSLB will hand out the GSLB Service IP bound to the Backup GSLB vServer.
Geo Location Database
If you want to use DNS Policies or Static Proximity GSLB Load Balancing or Responders based on user’s location, import a geo location database. Common free databases are:
- GeoLite Legacy – http://dev.maxmind.com/geoip/legacy/geolite/
- IP2Location Lite – http://lite.ip2location.com/.
For IP2Location, see the blog post Add IP2Location Database as NetScaler’s Location File for instructions on how to import.
For GeoLite Legacy:
- Download the GeoLite Country database CSV from http://dev.maxmind.com/geoip/legacy/geolite/.
- Note: GeoLite City is actually two files that must be merged as detailed at Citrix Blog Post GeoLite City as NetScaler location database. GeoLite Country doesn’t need any preparation.
- Upload the extracted database (.csv file) to the NetScaler appliance at /var/netscaler/locdb.
To import the Geo database:
- In the NetScaler GUI, on the left, expand AppExpert, expand Location, and click Static Database (IPv4).
- On the right, click Add.
- Browse to the location database file.
- In the Location Format field, select geoip-country and click Create.
- When you open a GSLB Service, the public IP will be translated to a location.
You can use the Geo locations in a DNS Policy, static proximity GSLB Load Balancing, or Responders:
- Citrix Knowledgebase article – How to Block Access to a Website Using a Location Database Based on User’s Country
- Neil Spellings blog post – Using Netscaler HTTP callouts for real-time GeoIP and anonymous proxy detection
- Citrix Docs – Overriding Static Proximity Behavior by Configuring Preferred Locations
Thanks again Carl, for another awesome writeup!…
Followed this article, along with other resources and managed to get GSLB working (active/active) – however wondering if you can shed some light on why if I enable the “Enable Health Monitoring“ on a GSLB service – the service state goes DOWN?
If I uncheck the health monitor of the service, the service state becomes UP and traffic flow to the gslb/service>server works as expected.
Thanks in advance,
Newbie.
Do you mean “effective state”? It’s always down if you bind a monitor. It’s one of the quirks. https://support.citrix.com/article/CTX214755
Hi Carl,
I am having an issue understanding the static proximity deployment. I have two sites, I already have the whole GSLB topology up and working. I tested RTT and am trying to test static one. Here is what I did:
I created records under Traffic Management/GSLB/Location/Custom Entries.
First, I created a custom entry in site 1 with these details:
Start> 172.16.21.2
End> 172.16.21.4
Location Name > Central America.CR.Heredia.*.San Rafael.*
Then created a custom entry in site 2 with these details:
Start> 192.168.1.1
End> 192.168.1.3
Location Name > Central America.CR.Heredia.*.Concepcion.*
I have a MAC running vmware fusion, so my VM is configured with DNS server as 172.16.21.2 and my MAC uses 192.168.1.1. My expectation was for traffic sent from VM1 to be handled by site 1 while when using my MAC CLI it would get sent towards site 2.
Maybe I am not following the mechanics of the static proximity engine, all you do to associate a site with certain prefixes/IPs, is just create entries on each device?. it is not working for me.
Thanks!
Jose
What responses are you seeing?
The source IP seen by GSLB will either be the DNS Server’s IP, or you client’s IP, depending on the availability of EDNS Client Subnet.
Static Proximity should give you the GSLB Service IP that is closest to the location of your Source IP. Make sure your GSLB Service IPs have the correct location.
Hey Carl,
Well, I do not see the static configuration per region taking effect, I noticed the location field does not show in the GSLB services. Now, I added this after the whole GSLB objects were created, meaning I am doing this with existing GSLB VS and services, not sure I should delete them and readd them after adding the location entries. As far as what I described on my initial post, does that config makes sense and looks good?
Thanks,
Jose
What is the public IP associated with the GSLB Services? If it’s a private IP, does it match one of the custom locations you added? If not, add a custom location for it.
Is the in-built static database imported?
The GSLB Services should show you their location, even if you configure Location after creating the services.
At this time I am only using custom locations, have not imported any db. My question is, can you manage just by using custom entries or you definitely need a db?. I created a custom location with NS public IP and I now I see the location showing the location field, however, I am not clear on the binding / association of sites and source IPs, how do you tell site 1, these are your prefixes / subnets?, this is just done by creating/importing a db and/or adding custom entries on the respective site?
For example, if I want traffic from 172.16.21.0/24 subnet handled by site 1. what should I do?
Sorry, but I am trying to understand, maybe an example would help.
Thanks again.
Jose
NetScaler should be giving out the GSLB Service IP that is closest to the user’s LDNS Source IP. It needs to know the location of both the GSLB Service and the user to make that determination. I’ve seen some documentation saying “GSLB Site” but it’s meaning is not clear.
If you want specific LDNS Source IPs to always map to a specific location, you can define DNS Policies and bind them globally. Look at the available DNS Actions types.
hi,
could you please help to configure NetScaler GSLB in Active Active based on LDAP Group Extraction for XenDesktop?
Thanks in Advance
Anil
Are you referring to User Farm Mappings in StoreFront? I have some info at https://www.carlstalhood.com/storefront-3-5-configuration-for-netscaler-gateway/#multisite
Thanks Carl for this article, can i configure with GSLB in Active Active with failover if one of site goes down and users will every time connect own home network from anywhere whether it is DR or DC.
Hi Carl,
i want achieve as per this article https://support.citrix.com/article/CTX213091. please help me on this to configure.
Thanks
Anil
Hi Carl,
thanks for this great post, really helpfull in setting up GSLB
Only thing I am wondering if configuration sync is necessary for GSLB? What we are trying to build is another HA pair of VPX in Azure but we do not want to sync our current config of the MPX HA pair to Azure. In Azure we only have setup DC’s and ADFS to sync with our on premise servers so users could authenticate against Office 365
GSLB Sync is not necessary. I usually avoid it because I seem to find issues with it (e.g. pre-existing server objects). Without GSLB Sync, you’d have to replicate the configuration manually.
Great thank you for the quick reply
Thanks Carl. All your write-ups and instructions are always very clear, detailed and easy to follow
Absolute crystal clear write up, when I was going through the article and it really helped me to understand the concept. Thanks again for the article.
Hi Carl,
Is there a way to apply a SSL version redirection when clients connect to URL that is protected by GSLB?
I cannot seem to be able to apply a Responder Policy on GSLB VIP.
Sinerely,
GSLB VIP? You mean a VIP that a GSLB-enabled DNS name resolves to?
GSLB doesn’t use VIPs. GSLB = DNS, so it listens for DNS names, not IP connections.
GSLB returns an IP address. The user’s browser then connects to that IP address. If the IP address is a Load Balancing VIP, then you can configure Responder on that VIP.
Hi Carl,
The IP that GSLB returns is not a LB VIP on NetScaler, is an IP used in a separate appliance. I would like to inspect what version of SSL/TLS the client is using and according to that, redirect to a warning page if not compliant.
I have done this with LB VIPs but with this particular URL using GSLB and returning an IP on a different appliance I was hoping to use the NetScaler to create the Responder/Redirect policy as well.
Can I apply a Responder/Redirect policy to GSLB vserver?
Thanks.
GSLB = DNS Query and DNS Response. No IP. No HTTP.
After GSLB, then an IP connection (and HTTP) is performed to the IP that GSLB returned.
If you proxy the IP connection through NetScaler (LB VIP, or CS VIP), then NetScaler can perform the Redirect.
Traductor de GoogleDesactivar traducción instantánea
inglésespañolfrancésDetectar idiomaespañolinglésfrancésTraducir
Carl buenas tardes
Disculpe la molestia , lo que pasa que estamos tratando de implementar GLSB con NETSCALERS MPX, y la verdad que nos saltaron varios inconvinientes, llamamos a citrix, pero la verdad no quedamos conforme con la expliacion que recibimos. Por eso acudo a ud, ya que siempre responde a las preguntas,
El problema más grande es lo seguiente:
Tenemos 2 sites: que trato de balancear, por GLSB,
Configure GSLB Site
Get Help
Name
SITIO-B
Type
LOCAL
Site IP Address
10.33.0.204
Public IP Address
10.33.0.204
Name
SITIO-A
Type
REMOTE
Site IP Address
10.36.0.204
Public IP Address
10.36.0.204
Name
SITIO-B
Type
LOCAL
Site IP Address
10.33.0.204
Public IP Address
10.33.0.204
Name
SITIO-B
Type
REMOTA
Site IP Address
10.33.0.204
Public IP Address
10.33.0.204
Para ambos sites igualmente tengo un ip privada para adns
Basic Settings
Service Name ADNS
Server Name 10.33.0.204
IP Address 10.33.0.204
Server State UP
Protocol ADNS
Port 53
Comments
Monitoring Connection Close Bit NONE
Basic Settings
Service Name ADNS
Server Name 10.33.0.204
IP Address 10.33.0.204
Server State UP
Protocol ADNS
Port 53
Comments
Monitoring Connection Close Bit NONE
Crie una delegación dns interno para ambos netscalers , me consulta es,
Desde mi DNS publico debo crear una delegación a mi ADNS Service?? Como puedes ver tengo tengo configurado una ip privada para ambos netscalers como ADNS, ya que mis 2 datacenters se comunican por L3 sin necesidad de pasar por internet. Como debo apuntar desde mi DNS público ya mi ip es privada? Haciendo un nat me generado mucho problemas.
Gracias
1598/5000
Carl good afternoon
Sorry for the inconvenience, what happens that we are trying to implement GLSB with NETSCALERS MPX, and the truth that we jumped several inconveniences, we call citrix, but the truth we did not agree with the explanation that we received. That’s why I turn to you, since you always answer the questions,
The biggest problem is the following:
We have 2 sites: I try to balance, by GLSB,
Configure GSLB Site
Get Help
Yam
SITE-B
Type
LOCAL
Site IP Address
10.33.0.204
Public IP Address
10.33.0.204
Yam
SITE-A
Type
REMOTE
Site IP Address
10.36.0.204
Public IP Address
10.36.0.204
Yam
SITE-B
Type
LOCAL
Site IP Address
10.33.0.204
Public IP Address
10.33.0.204
Yam
SITE-B
Type
REMOTE
Site IP Address
10.33.0.204
Public IP Address
10.33.0.204
For both sites I also have a private ip for adns
Basic Settings
ADNS Service Name
Server Name 10.33.0.204
IP Address 10.33.0.204
Server State UP
ADNS Protocol
Port 53
Comments
Monitoring Connection Close Bit NONE
Basic Settings
ADNS Service Name
Server Name 10.33.0.204
IP Address 10.33.0.204
Server State UP
ADNS Protocol
Port 53
Comments
Monitoring Connection Close Bit NONE
Create an internal dns delegation for both netscalers, query is,
From my public DNS should I create a delegation to my ADNS Service ?? As you can see I have a private ip configured for both netscalers as ADNS, since my 2 datacenters are communicated by L3 without having to go through the internet. How should I point from my public DNS and my ip is private? Doing a nat generated a lot of problems
For public DNS, a simple NAT to the ADNS service is all you need. Then delegate the public zone to the ADNS services (public IPs).
What didn’t work?
ADNS is nothing more than creating a DNS server on your NetScaler. The GSLB Services and vServers dictate what IP addresses are given out to DNS queries.
Thanks for the reply Carl,
The problem is generated that at the moment of delegating from my public DNS, it works, but when the test by shutting down one of NS, externally does not solve any name. Maybe some configuration is doing wrong :(, as I said would be an internal GLSB, since the communication is done by L3, but the service that I give (xenapp) is done by the public and internal network that may be happening.
Thank you very much, from Chile!
On that case, you need to bind a monitor to each GSLB Service that checks if the Internet is up or not.
How can I do that? Do I have to add the monitor to the ADNS service? Or in the virtual server GLSB?
Did you delegate to ADNS services in two datacenters?
Yes, internally and externally
Hello Carl,
Can we use Static Proximity method with Private IP addresses for Internal GSLB?
Thanks.
Yes. AppExpert > Location> Custom Entries lets you add private IPs and their location.
Hi Carl,
Have you experienced an issue when you try to do a nslookup on the gateway.com and it timesout? and if you try again it work? Does’t happen all the time, but often enough… below the first time timeouts and second time works
we have 3 sites all ACTIVE/ACTIVE/ACTIVE and we are setup for GSLB dynamic RTT to gateway.test123.com
> gateway.test123.com
Server: dc1.test123.com
Address: 10.13.7.25
DNS request timed out.
timeout was 2 seconds.
*** Request to dc1.test123.com timed-out
> gateway.test123.com
Server: dc1.test123.com
Address: 10.13.7.25
Non-authoritative answer:
Name: gateway.test123.com
Address: 10.13.249.254
Any feedback would be great!
I’ve seen that when firewall doesn’t allow connection from the Local DNS to the ADNS services on all NetScalers. Or there’s some kind of DNS inspection.
Hi Paul,
could you please clarify point 15.Enter the other appliance’s actual GSLB Site IP as configured on the appliance. This IP does not need to be reachable. You mean to say here, the remote site IP/MIP does not need to reachable?
I am getting MEP status down for remote sites on both LBs. Firewall ports are opened from SNIP to remote site IPs.
The scenario is like this..
SiteA:
Local site:
local IP 192.x.x.x public IP: 146.x.x.x Natted —UP
remote sites:
Remote site IP: 146.x.x.x Public IP: 146.x.x.x —-Down
Remote site IP: 192.x.x.x Public IP: 192.x.x.x —- UP
SiteB: Same with different subnets
Local site:
local IP 192.x.x.x public IP: 146.x.x.x Natted —UP
remote sites:
Remote site IP: 146.x.x.x Public IP: 146.x.x.x —UP
Remote site IP: 192.x.x.x Public IP: 192.x.x.x—-Down
can you please tell me where would be issue? Why I am getting MEP down for remote sites?
GSLB Sites support two IPs, the local IP (whatever is configured on the remote appliance), and the public IP. It’s the public IP that needs to be reachable.
If MEP doesn’t come up, do
nstcpdump.sh port 3009
to see the MEP packets from the NetScaler. Are you getting Reset (R flag) packets in return? If so, a firewall is blocking. Port 3009 assumes Secure is enabled on the RPC objects.I have an existing GSLB for XenApp, the domain name is ex remote.company.com I would like to create another GSLB for SSL VPN users using Access Gateway Plug-in ex vpn.company.com What’s the steps to accomplish this, specifically do I need a separate ADNS & MEP or I can use the existing one?
Note: We have a separate VIP for SSL VPN.
You use the same ADNS and MEP for multiple DNS names.
Hello Carl,
Outstanding post..!
Please. I’ll appreciate you could give me some advice for a deployment I am performing these days.
I need to deploy GSLB by using two NS located in two different data centers. I also need to load balance two ISP links on each data center, so the IP in any DNS response going back to the client would belong to any of those ISPs. Here the questions: Do I need to configure one GSLB IP for each ISP? what if I choose an internal SNIP as my GSLB IP (I have a L2 link between the data centers, so no problem)? what is the best practice, to use an internal or external (Internet) SNIP as the GSLB IP?
And there is another one: How much traffic does MEP consume?
I will really appreciate your kind response.
Thanks…
George
Internal SNIP for GSLB Site IP is fine.
However, you’ll need to configure your GSLB Services with Monitors so it can detect if a Internet circuit is reachable or not. You don’t want to hand out an IP address that is not reachable.
Yes Sir. For GSLB services I am using a monitor of type Transparent to check an Internet host throughout the upstream routers.
I am wondering whether I need to create the GSLB Site by using both ISP´s public segments IPs (as the GSLB IP), so the MEP will travel across the two links of Internet or not. I also wonder if MEP messages would consume a big part of the channel.
Thanks
GSLB Site is just MEP. You can certainly route it across the Internet, or leave it internal. In any case, you need some method of detecting Internet availability on the other side.
Carl any thoughts about this article – https://loadbalancer.org/blog/gslb-why-do-global-server-load-balancers-suck
Carl,
Thank you so much for such a nice and concise post!
This definitely got me up and running with my Netscaler GSLB setup.
Cheers!
Hi Carl,
Can I do GSLB with just one Netscaler SDX per site? Currently I have 4 different sites?
Thank you for the wonderful guideline as always.
Yes. HA pairs are not required.
Carl,
Having a hard time getting the custom location working for static proximity. When I create the service it shows as that locations; however when I ping/nslookup from an ip in that range it does not respond with the correct ip. I think I am missing something simple.
1. Add custom location (do I need lat/long)?
2. Add services (location shows correct
3. Creat VIP with static proxoimty and bind the services to the vip
4. Sync gslb
5. Both vips show up
GSLB Proximity is based on the client’s DNS server’s IP, not the actual client IP, unless you are running 11.1 with ECS enabled. https://docs.citrix.com/en-us/netscaler/11-1/gslb/configure-EDNS0-client-subnet.html
The custom location should be in a format like NA.US.CA.San Jose.ATT.Citrix
An easy way to test is to create a GSLB Service with an IP in the range and Basic Settings section should show the correct Location.
If you don’t specify coordinates, I think it uses the location to determine proximity.
Carl
Greate Article. Quick question as I am using the GeoIpCountryWhoIs.csv from Geolite. How do you go about update or addng an IP range? We have some users that are being sent to the UK that reside in the US. Their DNS servers are also locatd in the US however the IP Range isn’t defined in the CSV, so my thought was to add it.
Is it as simple as pulling the file from my netscalers, adding the IP info in the format that it is looking for and re-upload the file to the netscaler?
Custom Entries doesn’t work? https://docs.citrix.com/en-us/netscaler/11/traffic-management/gslb/configure-static-proximity/add-custom-entries-static-proximity-db.html
I haven’t tried that yet. The thought was to have it all in one place. Let me try that now
That doesn’t seem to work, do I need to restart something for it to take affect?
OK, so I did some digging and cleared the persistence sessions from that IP range to this vserver and it seems to be working , Doing some testing on it now.
Instead of using Custom, couldn’t I just update the csv file? If so do you need to run a “reload” command for that?
Sorry for the flurry of questions and I appreciate the help
I know you can reload from the CLI. Maybe in the GUI you can browse to the file and import it again. The advantage of separate entries it that you can download an updated file later and not worry about adding your custom entries again.
Hey Carl
Can you have two VPXs in a HA pair on the primary site and then a standalone VPX on the secondary DC ?
Can you see any issues ?
For GSLB, yes. One site can be an HA pair and the other site can be a standalone appliance. I’ve done this several times.
Thanks for the article.
We have 20 sites, with GSLB setup in the 2 main data centers. For the 18 consisting of users, we would like to setup load balancing based on source ip, ie. we would like sites 1-9 to go to Site A and sites 10-18 to go to Site B. We would also want auto failover.
Can we set a preferred Site based on source ip?
Thanks
One method is Static Proximity and add Private IP ranges with the Geo Location. Then NetScale will choose the closest.
Another option is DNS Views, which are the result of DNS Policy, which can be based on Source IP.
Or in newer builds of 11.0, there’s Content Switching for GSLB.
Hi Carl,
Great post! I have succesfully configured Glsb Active-Passive on my services, now I’m planning to configure views to return internal IPs to LAN users, I do have one question about it:
Do I have to configure one view per gslb service? meaning this:
glsb svc dc1 local -dns view
gslb svc dc1 remote -dns view
gslb svc dc2 local -dns view
gslb svc dc2 remote -dns view
Thanks!
You can use the same View for multiple services. In each service, bind the View and specify the IP you want to return.
Hi Carl,
I have 3 Sites (IN,US,UK). Each site has 1 NS. I am just confused what entry I need to do manually and what information will sync.
My assumption/understanding is:
Configure ADNS manually on all 3 Netscalers (NS-IN, NS-US, NS-UK)
Confiure manually all 3 sites (local + Remote) on all 3 NS and enable SSH.
Configure GSLB Services (Local+ Remote) on 1 NS (lets say NS-IN).
Configure GSLB Vserver on NS-IN.
GSLB service & GSLB VServer configuration will be synced on rest 2 when we start GSLB config sync.
Thanks in Advance.
Vipin Tyagi
That looks correct to me.
You can also click “View GSLB Configuration” and manually copy the commands from one site to another.
Configuring Domain Binding receive a error: “A proxy record cannot be assigned to the domain”
Does the DNS record already exist on the appliance? I assume you have DNS Proxy already configured. Go to Traffic Mgmt > DNS > Records and there’s a place to flush proxy records.
Hi Carl, a quick question… I´m planning to implement a GSLB DR environment for only one CS Service, I have implemented GSLB Active – Active with static proximity but I have a doubt regarding the DNS Delegation on a DR environment, assuming my domain is gslb.company.com i would delegated to gslb1.company.com and gslb2.company.com, my NetScalers are configured as ADNS so they will answer that call, but as this is supossed to be a DR environment I dont completlely understand how DNS is going to work because my DR NetScaler will also have the domain on its virtual server isnt? what i mean is:
NetScaler Main
GSLB VSRV Main Domain “gslb.company.com” -Service Local
GSLB VSRV DR Domain “gslb.company.com” -Service Remote
GSLB Service Local “CS Service”
GSLB Service Remote “CS Service DR (configured on DR NS)”
A record gslb1.company.com
A record gslb2.company.com
NetScaler DR
GSLB VSRV Main Domain “gslb.company.com” – Service
GSLB VSRV DR Domain “gslb.company.com”
GSLB Service Local “CS Service DR”
GSLB Service Remote “CS Service (configured on Main NS)”
A record gslb1.company.com
A record gslb2.company.com
My question is under this configuration how will the NetScaler DR wont answer a DNS query if everything is going to be “up”?
Best Regards, thank you very much in advanced.
DNS and CS are two different things.
DNS should always be delegated to both appliances. The ADNS services on both sides should be receiving DNS queries.
Once the DNS query makes it to NetScaler, the GSLB config determine what IP is given out in the response. You typically bind the DNS names to the active GSLB vServer, which has the active GSLB service. There’s also a backup GSLB vServer with a backup GSLB service as described in this article.
Once GSLB responds with an IP address, then the user’s browser will connect to the IP, which is only on the Active side.
Hi Carl, thank you very much for your response.
I guess my confussion is regarding to the actual state of the virtual servers, let´s say, in an active/passive environment I have two virtual servers (one active and one passive) on each data centers, Public DNS has delegated dns responses to IP Site 1 (main) gslb1.company.com and IP Site 2 (dr) gslb2.company.com, I understand the gslb is the one who takes care of decide which netscaler is going to answer to that gslb.company.com query but my confussion is that as far as I understand the four gslb vservers (one main and one dr on each data center) are going to have an effective state UP and both main virtual servers (one in the main dc and one in the dr dc) are going to be bind to the gslb.company.com how would the gslb is going to be able to know which one is the main site ??, or this may be my error, perhabs only the main virtual server on the main dc has to be bound to the gslb.company.com??
Thanks in advance!
Both NetScalers will respond to DNS queries no matter how GSLB is configured. Since both NetScalers handle the DNS queries, both NetScalers must have the same GSLB configuration.
When the query comes in, GSLB will decide which IP address to give out. The DNS name is bound to only one GSLB vServer, which has one GSLB Service. It’s the IP of the GSLB Service that is returned. If this Service is up, that’s the IP that is returned. If this Service is down, then the Backup GSLB vServer will kick in and it’s GSLB Service IP will be returned.
Hi Carl, thank you very much for your comments, so, please correct me if I am wrong, as I am using the active/passive – backup vserver method I understand I will have this configured:
-Both NS should have A records for gslb1.company.com and gslb2.company.com (users will look for gslb.company.com)
-Both NS will have one gslb vserver bound to domain gslb.company.com with one gslb local service and this gslb vserver will have a backup gslv vserver (remote service)
-I will see all of my four services (two local and two remote) as UP
-As I want all traffic always going to my main site and only in a disaster the traffic should go to my backup site Im assuming I have to find a way to keep my local service on my backup site marked as down as long as my local service on my main site is up??
As GSLB is the one deciding which NS is going to accept traffic from users Im affraid my backup site would accept traffic as it’s services will be marked as up, Im not sure If I should not bound my backup site virtual servers to the domain or If I should user reverse monitors
Thanks
Do gslb1 and gslb2 resolve to your ADNS services? If you’re hosting DNS on a different DNS server then you don’t need these records on your NetScaler.
What are the four services? In typical active/passive there’s only two on each appliance.
You should have two GSLB vServers on each appliance. One has the DNS name (gslb.company.com) bound to it. The second vServer is backup for the first vServer. As long as the first vServer is up, only the primary IP will be given out. The second vServer will ignored until the first one is down.
On the appliance with the active VIP, the primary GSLB service will be local. On the appliance with the passive VIP, the primary GSLB service will be remote.
Your Citrix Partner can whiteboard this for you and verify your configuration.
Hi Carl, Thank for your response, I was able to clarify my doubts on that. I do have an other question regarding DNS Delegation, I understand that on my public DNS I have to delegate
(On Public DNS)
company.com to
gslb1.company.com – ADNS Public IP Site 1
gslb2.company.com – ADNS Public IP Site 2
I gues I have no problems on that, but I guess I have to add A Records on both NetScaler, where should i target those records?
(On NetScaler)
gslb1.company.com – Private ADNS IP Site 1
would it be something like that?
Best Regards!
You do not need gslb1.company.com A record on any NetScaler. The gslb1 and gslb2 records go on your existing DNS servers.
Hi Carl, thank you very much, great post !, great help !
How does the ADNS site tie to the GSLB site? Unless there the same IP?
There is no direct relationship. The IPs can be same or different.
Thank you Carl.
You are a very talented guy.
Hey Carl,
You said “Delegate the individual record. For example, delegate gateway.corp.com to the two NetScaler ADNS services (gslb1.corp.com and gslb2.corp.com).”
My question is where is gslb1.corp.com and gslb2.corp.com set up at to receiver DNS quires?
Once you delegate it to the authoritative DNS server ( what part in the NetScaler knows its gslb1.corp.com and gslb2.corp.com?
I have 2 sites I am trying to set up GSLB to the NetScaler Gateway. The process is straight forward, its the connection points I am getting lost on.
Do I setup the NetScaler Gateway on each site first like you would normally do, If GSLB was not a option.
Then each site having its own public IP for the Gateway piece.
Then come back around and configuration GSLB, and then maybe these is where it all ties in?
So based on what I am reading. I will need 2 public IP at each site?
1 for External DNS that is nat’d to sites that will be the SNIP/MEP.
1 for the Access Gateway side on sites?
Based of what you said, I assume I need 2 at each site?
◦One public IP that is NAT’d to the SNIP that is used for ADNS and MEP. You only need one ADNS/MEP IP no matter how many GSLB names are configured.
◦One public IP that is NAT’d to a Load Balancing, SSL Offload, Content Switching, or NetScaler Gateway VIP.
Everything I am reading is saying create the same setup at site 2 as site 1. When the say this, There talking about different Public IP address correct? Just need to Site config the same I am assuming?
You create A records for gslb1 and gslb2 that resolve to your ADNS services. NetScaler does not need to know these names. They can be anything.
Yes, each site needs two unique public IPs – one for ADNS/MEP, one for the VIP. Each site is usually setup the same except the IPs are different.
Great post, Why do we need two public IPs per site, if ADNS / MEP and the target service (like CAG) used different TCP/UDP ports ? is it a Netscaler limitation ? (we can’t share public IP usage for different netscaler Service ?)
You can certainly do Port Address Translation instead of NAT.
I’m currently working on internal gslb. How to test the failove? From the services section I marked one site as down. Nslookup of url gave me IP address of second site from non authorative name server. Enabling them gave IP address of site1. Is this the way to test or any other way of testing?
What is GSLB monitoring? If an LB vServer, you could disable the LB vServer. Or disable the services behind the LB vServer. Or turn off the servers behind the LB vServer.
Hi Carl,
This article is very helpful. I’m planning to setup a environment using NS. Below is what I plan for. Please let me know if you find something is not correct & also help me with the questions:
1. Internally load-balance storefront of different sites using NS (2 devices) load-balancing using https without GSLB
2. For external users, I will have active/passive setup using GSLB for site A & Site B
3. Site A & site B will connect to VIP of internal load-balancing server (which I already configured in Step1)
4. If site A goes downs Site B will be still able to connect to load-balancer using NS
5. I will use DNS view to use same URL for internal & external connections
Questions:
1, Do you see any issues with the above setup?
2. In your MEP section, point 7 I see you used public IP address. My assumption is, that I will get four IP addresses from my network team. 2 for ADNS & 2 for Public VIP. These IP address will be something like 64.xx.xx.xx public IP. This will pass through external firewall & will be Nat’ed. So I will get a 4 public Nat’ed IPs say something like 10.xx. which I will use as Nat’ed public IP in step 7. Is my understanding correct?
Thanks,
Balaji
The public IP for ADNS is different than the public IP for NetScaler Gateway. If two sites, that’s four public IPs. NAT is fine.
MEP uses the public IPs for ADNS so I can detect an Internet outage in the remote datacenter.
The problem with DNS Views is that you can’t have a different failover config for internal vs external. I prefer to use a CNAME on internal. If the Single FQDN is citrix.company.com, internally I CNAME it to citrixinternal.company.com and configure GSLB for that internal DNS Name. That lets me have different GSLB configs for the external name vs internal name. Otherwise, if remote site loses Internet, then the internal name would failover too.
Hi Carl,
Great post, this really helped me out with GSLB.
I do have one question do you have any thing on GSLB based on source ip\subnet e.g. user on subnet 10.0.0.0 gets DataCenter1 and users on subnet 10.1.1.1 gets DataCenter2 and also data centers are chosen based on group membership?
Thanks
Brenton
For Source IP load balancing, you have a few choices: DNS Views, Static Proximity Load Balancing, and GSLB Content Switching. I recently did one using GSLB Content Switching so I could have active/passive for each source IP range. GSLB Content Switching is an 11.0 feature. DNS Views are not easy to have different active/passive for source IPs. That leaves static proximity (Geo database plus custom locations).
AD group membership is not included as part of the DNS query so GSLB can’t use that criteria. Where are you performing authentication? The redirect or proxy would need to occur after authentication. Here’s a sample solution where the web app selects the datacenter – https://www.citrix.com/blogs/2014/11/10/accurately-direct-xenappxendesktop-users-to-a-correct-location-based-datacenter/
Thanks Carl,
Ill give those a go. I’m testing with NS 10.5 at the moment so might upgrade them to NS 11 so I can use the content switching.
For the AD group membership this will be when I GSLB an exchange environment. Ill use AAA for authentication and GSLB that? if that works.
If active/active then you’ll probably need site persistence.
When creating the GSLB service and pointing to my CS vserver, there is no Server IP. (but lets me add something for the public address. The CS policy/actions are bound to the vserver which go back to non-addressable LB vservers. So when I try to create the GSLB service, it errors with “Invalid IP.”
I tried create a CS vserver with Target Type: GSLB, but when I try to use my policy/actions. I get an error “CS Policy has no action or CS action doesn’t have targetVserver”
What might I be doing wrong.
Can you throw in some ideas on some of the GSLB verificaiton test cases
Are you asking how to test GSLB? One method is to disable the underlying LB vServers and see what DNS response you get.
Hi Carl,
Cluster Netscaler running 10.5 Build 58.11 and DR Netscaler running 11.0 (don’t remember build, I will re-check and tell you know later). Besides I used nstrace on DR Netscaler and found that it didn’t use port 3009 instead of 3011 although I set the remote site’s RPC address to Secure option and SNIP as source IP. Moreover, in pcap file, I just see one MEP connection (no more) with source IP 127.0.0.1 and destination IP is its SNIP instead of remote site. Firewall opened TCP port 3008-3011 and SSH. But this issue was caused by Firewall because Firewall doesn’t see any MEP connection.
Carl
I have a NetScaler in DC and DR. In GSLB I have 2 VServers for LOCAL SITE and 2 more for REMOTE SITE. The reason of having 2 VServers is that one of them is related to Web load balancing and the other to Gateway 2F Authentication. Both REMOTE SITE VServers are configured as BackupVServer for the LOCAL respectively.
When the loadbalancing Web Server VIP is down, therefore LOCAL GSLB WebServer VServer is STATE down, the LOCAL GSLB Authentication VServer keeps replying to the requests. In this case the VServers replying to the client requests’ are GSLB LOCAL Auth VServer and GSLB REMOTE WebServer VServer. (Authentication Page is not giving any errors, it is once again waiting for another Authentication).
My question is:
what monitor shall I bind to the GSLB LOCAL Auth VServer in order to stop responding when the GSLB LOCAL WebServer VServer is down? (also need to bind another monitor the other way round).. I need both LOCALs working together and REMOTE as well when LOCAL is down.
Thanks for you continuous articles
Manuel
Where VServers are mentioned, i think these need to be replaced by the word SERVICES
Thanks
When creating monitors, you can specify a Destination IP and Destination Port. Create a separate monitor for both services. Then bind both to the GSLB service. If either monitor goes down then the service goes down.
Or you can configure the local VIP to be active/passive. If the local LB services are down then the local VIP sends to remote LB services.
Thanks for the prompt reply Carl.
Not sure on the below:
”
Or you can configure the local VIP to be active/passive. If the local LB services are down then the local VIP sends to remote LB services.
”
For Local VIP do you mean Traffic Mgmt -> Load Balancing -> Virtual Server ?
To clarify, I have one LB VIP with the Web Server as Backend.
Yep. Create two LB vServers, each pointing to different back end servers. One of the LB vServers has the VIP and points to server in local datacenter. The other LB vServer has no VIP (not Directly Addressable) and points to server in remote datacenter. Then open the primary LB vServer, add the Protection section, and specify the other LB vServer as Backup. It uses local if up, remote if local is down.
If I am understanding correctly, sorry if not, this will still use the GSLB Local Site Authentication VServer. Let’s keep pretending that in GSLB Local VServers, the WEB VServer is down. Therefore one VServer is being used from the LOCAL and another from the REMOTE.
I think I need to better understand how monitors work. Do you suggest to monitor the LB VServer or the Backend Server?
Manuel
Monitor the LB vServer. That way you can change the LB vServer config without having to change the GSLB monitor.
Hi Carl
Unfortunately this is still not working 🙁
To clarify, in Site 1 I have 2 GSLB VServers, one with LB Vserver and another one for 2 factor authentication. When the LB Vserver is down, external connections are replied as following:
– LB vserver from SITE 2
– Auth Server from SITE 1
Authentication is unsuccessful since replies have to be both comin from the same site (GSLB Vservers). Any other ideas how can I bind the monitors pls? GSLB VServers are configured as Active/Passive with the protection option for both.
I tried to bind a TCP monitor (Port: 443 – Destination: LB Vserver) to GSLB VServer Auth of Site 1 so that if LBVserver is down on Site1, GSLB VServer for Auth will go down as well… no luck ! 🙁
sorry again for getting back with no success !
Manuel
The GSLB Service for Auth in Site 1 should have a monitor that checks the LB vServer in Site 1.
If the LB vServer goes down, does the GSLB Service go down? If not then we need to fix the monitoring configuration.
And did you configure the monitor on both NetScalers?
By default, if monitors are bound to the GSLB Service then MEP is ignored.
If all GSLB services (including backup services) for a GSLB vServer are down then the GSLB vServer will give out IPs anyways. There’s a setting on the GSLB vServer to disable this behavior. But since only one GSLB service is down, the backup vServer with the backup Service should be given out. You can confirm by running nslookup directly with the ADNS service on the same appliance.
I have a monitor configured on GSLB Service for Auth but when LB VServer is down, it will still remain UP.
Monitor is only bound to one Netscaler GSLB Service Auth. Shall I do the same with the other GSLB Service Auth in Site 2?
Binding a similar Monitor on NS2 still no luck.
Monitor:
Type: TCP
Interval: 5 Sec
Dest IP: IP of the LB Vserver
Response Time Out: 2 Sec
Des Port: 443
Down Time: 10 Sec
Dynamic Down time: 0 Sec
Retries 3
Res Time Out Threshold: 0
SNMP ALert: 0
Success Retires: 1
Failure Retries 0
Check Boxes: Enabled and Secure
this monitor is bound to the GSLB VServer for Auth that need to go down on LB Vserver failure
So your LB vServer goes down meaning you can’t telnet to it? If so, then your GSLB Monitor should also go down.
Is your LB vServer configured with protocl TCP_SSL? If not then you don’t need Secure checked.
You might have to call support so they can check your config.
Great insight. Hoping you can shed some light on this one. I am running multiple services on a single ip (not http but rpc). I want to only mark my gslb VIP up if ALL the services using that A record are available. If the LB VIP that is on tcp:135 or tcp:5000 is down, I cannot mark my gslb vip down. the user would get the ip for the VIP but be deadended because the LB VIP is down. Thanks.
Is this one GSLB Service? Are you able to bind multiple monitors to the GSLB service so that if either one goes down then the GSLB service goes down, which means the GSLB vServer might go down (if only one service is bound).
In F5 GTM there is the concept of service dependence. The only way I could find to do in NS is to add both services to the VIP and add a monitor on the “main” service to check the port on the “other” service. Not very elegant. Am I missing something? Thanks.
Great article, thanks! I have two quick questions if you don’t mind.
1. I’m using an active/passive configuration, but it’s not clear to me if I need to set up the passive Netscaler with the “backup” vserver.
2. Should the primary Netscaler go down, then come back, is there a way for it to automatically switch back to using the primary? If there is I haven’t been able to find it.
Thanks so much!
Jeff
In an HA pair, only one node is active so you only perform the configuration on the one node. GSLB assumes separate HA pairs or separate standalone nodes.
In active/passive GSLB, if active service is down then the passive IP is given out. Once active is back up it should only be giving out the active IP. Are you saying it still gives out the passive IP?
Thanks for responding Carl.
Yes, I’m attempting to set up a single Netscaler at two sites, on being the primary and one the passive/backup. I want all traffic to go to the primary site unless the service or connectivity is down. I’m testing this by restarting the primary Netscaler, and when I do the secondary Netscaler responds, however when the primary comes back on line the secondary continues to respond.
Just a thought – could it be that they’re not exchanging their MEP traffic?
Sorry to pick your brain, I’m a “noob” with the Netscaler appliances. I do appreciate any feedback you have to offer.
Thanks!
-Jeff
TCP connection? If so those are long-lived. I don’t think NetScaler will terminate them. You can manually terminate them and maybe the client software will try to do another DNS request.
For HTTP, those are short-lived so DNS queries are more frequent and thus should fail back quicker.
Ultimately you need to run nslookup to see what IP address GSLB is handing out.
Hi Carl,
Thank you for sharing good knowledge. I prepare to deploy GSLB for my customer. They have two datacenter: one has two Citrix NS appliances running cluster and one has an appliance. So have any problem with deploying gslb in this case? If possible, please tell me detail. Thank you so much
I’ve never tried it but I suspect it will work. You should be able to configure GSLB Sites like normal. Metric Exchange Protocol is the only communication between the two appliances.
Hi Carl,
I have two sites: DC and DR. Each site has a Citrix appliance located in DMZ and Citrix virtual server being public via a Router (VIP not a public address).
I want to configure GSLB load balancing for a public web service on two sites. So when creating each GSLB site on Citrix, Do I have to use which IP in “Public IP Address” field of Create GSLB Site Item or blank? I don’t understand your description above :(. Please tell me more details or give a simple example about creating gslb step. Thank you
The Public IP field is the actual address given out to the DNS query. If you don’t enter anything in that field, then it will give out the GSLB Service IP instead. the GSLB Service IP is typically used for monitoring if the Service IP is being hosted on one of the NetScaler appliances that are participating in Metric Exchange Protocol. If the website is not hosted on a NetScaler then you can enter anything for your GSLB service and bind monitors to the service.
Hi Carl,
I prepare to configure GSLB for my system which has two datacenter: DC and DR. Now my system doesn’t have
any public DNS Server put the datacenter, so all services are being resolved via DNS Server of service provider.
Besides I have a tpb1.vn domain and need to configure gslb for the services of this domain,example: web service.
So I want to ask you about DNS configuration steps that I did as below:
1. Configuring on CPANEL of service provider:
– Create sub-domain of tpb1.vn domain: gslb.tpb1.vn
– Add two NS records to delegate subdomain:
gslb.tpb1.vn. IN NS ns1.gslb.tpb1.vn ; primary DNS for sub-domain
gslb.tpb1.vn. IN NS ns2.gslb.tpb1.vn ; secondary DNS for sub-domain
– Add two glue record
ns1.gslb.tpb1.vn. IN A 1.1.1.1 ; Public IP of Citrix in DC
ns2.gslb.tpb1.vn. IN A 2.2.2.2 ; Public IP of Citrix in DR
– Add CNAME record for eache service, in example is web service:
http://www.tpb1.vn. IN CNAME http://www.gslb.tpb1.vn ;
2. Configuring DNS on Netscaler
– Create a gslb.tpb1.vn zone on two Netscaler appliances
add dns zone gslb.tpb1.vn -proxyMode YES
– Create A record for http://www.gslb.tpb1.vn on two Netscaler appliances
add dns addRec http://www.gslb.tpb1.vn 3.3.3.3 ; Public IP of Web server
add dns addRec http://www.gslb.tpb1.vn 4.4.4.4 ; Public IP of Web server
Please help me review all DNS configuration steps above and please let me know if there is wrong anything
Thank you so much!
For Step 2, that’s normal DNS round robin, not GSLB. I assume you will implement GSLB later? If so, you’ll have to delete the existing Address records before GSLB can be configured.
Hi Carl,
Sorry about describing unclearly.
Yes, I assume that gslb was implemented. And I want to ask about DNS delegation. So with my configuration above, was anything wrong? Do I just need to delete the existing A record for web service before gslb for this service?
Thank you!
Yes. You can do either GSLB, or DNS Address Records, but not both. An A-record type GSLB vServer will conflict with an existing DNS Address Record. After the domain is bound to the GSLB vServer you’ll see a new DNS Address Record of type GSLB.
Otherwise the delegation looks fine.
Hi Carl,
I am configuring gslb but meeting two prolems. Please help me:
– in DC, two netscaler running cluster. I can just create SNIP but cannot assign it management access option, also SSH access. I also tried to set in one node but impossible.
– when creating gslb site including local and remote on cluster netscaler (DC) and on netscaler (DR), MEP status is DOWN. I editted source IP of remote netscaler in RPC is SNIP using ADNS and Site IP, also ticked Secure option. But MEP still not changed.
What build?
Hi Carl,
Cluster Netscaler running 10.5 Build 58.11 and DR Netscaler running 11.0.63.16. Besides I used nstrace on DR Netscaler and found that it didn’t use port 3009 instead of 3011 although I set the remote site’s RPC address to Secure option and SNIP as source IP. Moreover, in pcap file, I just see one MEP connection (no more) with source IP 127.0.0.1 and destination IP is its SNIP instead of remote site. Firewall opened TCP port 3008-3011 and SSH. But this issue was caused by Firewall because Firewall doesn’t see any MEP connection.
Hi Carl,
I resolved my problem and configured GSLB Active-Active. MEP status is OK, ADNS also OK. Now I am meeting an issue with a test case: assume that backend server of a site is DOWN. Client request sometimes still query to the backend server DOWN. Thus, the connection dropped. Other test case like Site Down is OK.
In each site, I created two gslb services and link them to LB virtual servers. I continued to create a gslb virtual server in each site and link to two gslb services. Of course, each gslb virtual server had a domain name.
So please help me and let me know if there is something wrong. Thank you
If LB vServer is down then GSLB service should also be down. When the client performs a DNS query then GSLB should no longer give out the down GSLB service. Unless all GSLB services are down. Then GSLB will probably give out something.
DNS clients and DNS servers will cache DNS responses. The default for GSLB is 5 seconds but other devices might increase that timeout. Or if it’s a long-lived TCP connection then GSLB going down won’t affect the TCP connection.
Or are you asking about a server that GSLB is not directly monitoring? You can add as many monitors as you want to your GSLB services.
Hi Carl,
I think don’t need explicit monitor for gslb services because MEP status is OK.
When disabling LB vserver in DR Site, GSLB Service linking to this LB vserver DOWN. But GSLB vserver in DR still UP because of remote GSLB service (in DC Site) UP. If only one backend server DOWN, all GSLB vservers are still UP. So may GSLB still give out the service with IP Public of DR Site? Thus, the service is unavailble if client connects to IP Public of DR Site? In case, how does gslb operates right?
GSLB is only involved in DNS queries. If users connect directly to IP addresses then GSLB won’t help.
If multiple GSLB services are bound to a GSLB vServer and if all of them are down then I’ve seen GSLB give out an IP anyways. There is an option called EDR that might stop this: “Do not send any service’s IP address in response”.
In my case, two gslb services are bound to a gslb vserver. When disabling DR lb vserver linking to a gslb service, the gslb service will be Down. But another gslb service still available, so gslb vservers of two sites are Up. It means that all dns queries send to two sites are always responded. So assume that a backend server is Down, gslb may operate wrong when netscaler returns IP public of this server. Can you give me an advice for this issue, Carl?
It works! There is really no difference. It is just dependant upon the MEP communication coming across!
Hello Carl,
Great article as usual. I don’t believe port 22 needs to be open to the GSLB public IP of the two NetScalers as suggested in this configuration. This will open a security vulnerability to the pubic IP space. I did verify with Citrix and they agreed it is not necessary. Only port 3009 and 3011 needs to be open for the GSLB Site Metric MEP Status to function.
Thanks,
Steve
Correct. Port 22 is for GSLB Config Sync if you’re able to get that feature to work.
Carl, can you verify that your screendumps and explanations are correct for section Metric Exchange Protocol,16-21? It might only be me, but it is confusing me on what IPs to be entered. I can’t get the status to be active as it keeps being marked as “down”
Configuring MEP can be a pain sometimes, especially when firewalls and NAT are involved.
Run
nstcpdump.sh port 3009
to verify that traffic is being sent and which IP is the source IP. Also check the firewall logs to see if anything is being blocked.For public DNS, I usually route MEP across the Internet so I can detect an Internet outage on the other side. This usually requires NAT and firewall rules and make sure the default gateway is configured correctly or at least add a static route through the Internet to the other side.
Hi Carl. Thank you for the nice article!
I have a question for you. I have two sites with active active GSLB setup. Is it still possible to do a redirect to a work in progress URL, in case both sites are down? If so, can you please tell me how to do achieve it?
Thanks
One option is to setup a GSLB service that points to the backup URL. Setup a GSLB vServer for this backup GSLB service. Then edit your primary GLSB vServer and set the backup vServer.
Hi Carl.
First of all thanks for such excellent documentation.
I am trying to configure GSLB in a test environment. I have 4 netscalers, 2 GSLB appliances and 2 gateways (fully working with Storefront using cVPN and receiver for web)
My GSLB services are pointing to the 2 gateway VIPs on the other appliances in the same DMZ.
The gateway vServers are set to SSL 443 and have server and CA certs bound. They are also both known to be working as I can use them to log into receiver for web.
Initially, I chose HTTPS 443 as my service monitor type on the two GSLB services and this gave me a state of down for both.
I suspected the monitor was the cause so changed it to ping (def working) just to prove this was the case. The state changed to up.
Now I have an effective state of down for the services and the GSLB vServer shows as UP.
Any thoughts as to why the HTTPS monitor didnt work and cannot probe the gateway vServers?
Also any ideas why the effective state of the services is still down even though I have changed the service monitor to ping? I cannot think of why this should be the case.
There should be no problem with SSL communication between the GSLB appliances and gateway appliances. They are in the same DMZ and there is no firewall, routing or NATing between them.
I believe I read some where a while back that GSLB services should point to an LB vServer?
Can they not simply point to gateway vServers instead?
Do I need the added complication of another vServer just to talk to my gateway vServers behind?
Any thoughts you have and the benefit of your greater GSLB experience would be most gratefully received.
Mark
This appears to be a similar thread – http://discussions.citrix.com/topic/370448-storefront-monitor-in-gslb-service-keeps-showing-down/
HTTPS monitor for Gateway will get a 302 response and will fail. You’ll need to create a new monitor that accepts a 302 response.
Effective State comes from MEP. Since you’re not using MEP for monitoring it will always be down. http://support.citrix.com/article/CTX125846
hello i see that some NS version (like 11.0) has some builtin CSV file to build the geo database Citrix_Netscaler_InBuilt_GeoIP_DB.csv
(maxmind)
is this file available for the other NS 10.5 version ?
Regards
I don’t think so. But you’re welcome to download a file and import it.
Hi Carl
Thanks a lot for the post, very helpful.
I have a question about #12 under GSLB Services, you mentioned DR site and to set it as Remote. Is it done this way because we are trying to go for an active\passive setup?
Should I do the same thing if Im going for an active active setup?
For active/passive, you need to know if the active side is up but usually you don’t care if passive is up or not. So you are only required to add the active service. However, if you are doing the Backup vServer method of active/passive then you do need to add the passive GSLB service so it can be bound to the passive Backup vServer. You can optionally disable monitoring on the passive GSLB service.
For active/active, you need to monitor the service in both sites so you would add GSLB services for both locations. And you’d need to make sure that the GSLB service monitoring is configured correctly.
Hi, Carl
Very nice article, thanks a lot!
Hi Carl
Thanks for this good article. Can you please help me understanding my requirement of how many IP’s I need ?
I have 2 sites, lets say SiteA and SiteB
SiteA has two netscalers: Netscaler1 and Netscaler2
Site B has two netscalers: Netscaler3 and Netscaler4.
SiteA has Virtual IP 1 which is a HA of Netscaler1 and 2
Site B has Virtual IP 2 which is a HA of Netscaler 3 and 4
So, to setup GSLB. I believe GSLB service 1 would be linked to VIP 1
and GSLB Service 2 would be linked to VIP 2
I am trying to understand how many Public ip’s I need and natted to which Internal ip’s ?
The only new IPs are for the ADNS services. Otherwise you should already have VIPs. GSLB Service = public IP NAT’d to LB or CS VIP.
Hi Carl,
Could i have 1 Nestcaler GSLB as ADNS for some domains and as DNS proxy for other domains at the same time.
My use case is: If i have to run single tier GSLB for both external and internal domain
GSLB as ADNS for subdomain of external.example.com
GSLB as DNS proxy for internal.example.com (so that proxy DNS request to Active Directory DNS server)
DNS Proxy = DNS Load Balancing. I don’t think I’ve done both on the same appliance but I don’t see why it won’t work. ADNS will send back Negative replies for queries it can’t resolve locally. DNS Load Balancing will forward DNS queries that NetScaler can’t resolve locally.
Great write up as usual. You state that you need a minimum of two public IP’s per Data Centre for GSLB. My thoughts are a single public IP will do the job as each of the required services run on different ports. No?
Correct. You can use Port Address Translation to translate UDP 53 to the ADNS service IP, 22,3008-3011 to the SNIP and 80/443 to the VIP.
Hi Carl,
Thanks for your quick response. I looked into doing this with DNS views and I think it will work, however it does complicate the setup somewhat. For example, each backend LB VS needs to have its own real private IP (not 0.0.0.0) and then if I create a global DNS view for external IP ranges, an IP for this view needs to be bound to each GSLB VS that is accessed externally.
Joe
Hi Carl,
Thanks for the great write up.
I have a question about using GSLB with Content Switch VIP’s that support multiple FQDN’s. Lets say I have a CS vip at each site, and 2 backend LB objects at each site. The CS sends traffic to the applicable LB based on FQDN. Is it possible to have GSLB manage each FQDN independently, as opposed to using a single GSLB VS that includes both FQDN’s? It doesn’t seem to let me use the same public IP for multiple GSLB VS objects, even though the public IP is of the CS which has policies to detect the FQDN in the traffic. I’d like to be able to use a single CS vip (at each site), then failover a single FQDN to the backup GSLB site while keeping the other FQDN at the primary site.
Please let me know if you would like me to provide any additional details.
Joe
Hi Joe,
That’s an interesting question. Maybe something with DNS Views and DNS Policies? To manually failover one DNS name, bind a DNS policy for that DNS name that specifies a DNS View that is configured in the GSLB Service with the other datacenter’s public IP.
Try posting your question to http://discussions.citrix.com
Hi Carl, Thanks for nice explanation. I have a question about GSLB. I am designing Xendesktop solution with two DC’s. But the users will be split across two DCs and users are homed to particular DC (based on their location). Failover to other DC is not required.
In this scenario, Is GSLB necessary to load balance connections? if yes, can you please let me know what benefit it can offer? (The user group A, for example has their resources only in DC A and similarly for B)
If you don’t need failover for either group then the only benefit is that you have one DNS name instead of two different DNS names. This helps with support so they don’t have to ask the user which DNS name they are using.
Thanks for the nice post!