StoreFront Load Balancing – Citrix ADC

Last Modified: Nov 7, 2020 @ 6:35 am

This article applies to Citrix ADC 13.0, Citrix ADC 12.1, and NetScaler 12.0. Citrix ADC is the new name for NetScaler. Citrix Gateway is the new name for NetScaler Gateway.

Monitor

Note: This is a Perl monitor, which uses the NSIP as the source IP. To use SNIP, see Configure to source Citrix ADC FreeBSD data traffic from a SNIP address at Citrix Docs. Alternatively, you can create custom monitors not based on Perl as detailed in Citrix Blog Post Load Balancing Citrix StoreFront LTSR with NetScaler and DISA STIGs.

12.0 build 56 and newer

If your NetScaler 12.0 is older than build 56, jump to the older monitor instructions.

If your Citrix ADC is 12.1 or newer, or your NetScaler 12.0 is build 56 or newer, then do the following:

  1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name it StoreFront or similar.
  4. In the Type field, click where it says Click to select.
  5. Scroll down and click the circle next to STOREFRONT.
  6. Scroll up to the top of the page and click the blue Select button.
  7. If you will use SSL/TLS/https to communicate with the StoreFront servers, in the Basic Parameters section, check the box next to Secure.

    • If you wish to enable the Check Backend Services checkbox, then see Citrix Service Monitor at Citrix Docs for the service that must be installed on the StoreFront Servers.
      Install-DSServiceMonitorFeature -ServiceUrl "https://localhost:443/StorefrontMonitor"
  8. In the Store Name field, enter the name of your store (e.g. MyStore) without spaces.
  9. Scroll down and click Create.

    add lb monitor StoreFront STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -secure YES -storename Store
  10. Jump to the Servers section.

12.0 older than build 56

If your NetScaler 12.0 is not yet build 56 or newer:

  1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name it StoreFront or similar.
  4. Change the Type drop-down to STOREFRONT.
  5. If you will use SSL/https to communicate with the StoreFront servers, then scroll down, and check the box next to Secure.
  6. Scroll up, and switch to the Special Parameters tab.
  7. In the Store Name field, enter the name of your store (e.g. MyStore) without spaces.
  8. Click Create.

    add lb monitor StoreFront STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -secure YES -storename Store
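The STOREFRONT monitor is a black box, so when a probe fails (wrong store name, a 302 where a 200 was expected, a route the NSIP cannot use) it helps to reproduce the check from any host you control. The Python probe below is an added example, not the page’s own code and not Citrix’s nssf.pl. The path it probes (/Citrix/<Store>/discovery), the rule that only a 200 counts as up, and the fake StoreFront server used to demonstrate it offline are all assumptions of the example: point path_template at whatever URL your custom monitor should check.

```python
import http.server
import threading
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx answers instead of following them, as a monitor should."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_storefront(host, store, port=None, secure=True,
                     path_template="/Citrix/{store}/discovery",
                     allowed_codes=(200,), timeout=5, ssl_context=None):
    """Probe one StoreFront server and return (up, reason).

    path_template and allowed_codes are assumptions of this example; the
    appliance's STOREFRONT monitor keeps its own logic private.
    """
    # A store named "My Store" in the console is "MyStore" in every URL, so a
    # store name with a space can only ever produce a 404
    if " " in store:
        return False, "store name contains spaces; use the name shown in the StoreFront URL"
    scheme = "https" if secure else "http"
    port = port or (443 if secure else 80)
    url = f"{scheme}://{host}:{port}" + path_template.format(store=store)
    handlers = [NoRedirect()]
    if ssl_context is not None:
        handlers.append(urllib.request.HTTPSHandler(context=ssl_context))
    opener = urllib.request.build_opener(*handlers)
    try:
        with opener.open(urllib.request.Request(url), timeout=timeout) as resp:
            code = resp.status
    except urllib.error.HTTPError as err:
        code = err.code          # 3xx/4xx/5xx land here, not as connection failures
    except (urllib.error.URLError, OSError) as err:
        return False, f"connection failed: {err}"
    if code in allowed_codes:
        return True, f"HTTP {code} from {url}"
    return False, f"HTTP {code} from {url}; allowed codes are {allowed_codes}"


class FakeStoreFront(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a StoreFront server with one store named "Store"."""

    def do_GET(self):
        if self.path == "/Citrix/Store/discovery":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<discovery/>")
        elif self.path == "/Citrix/StoreWeb":
            self.send_response(302)   # a redirect, which a strict probe reports as DOWN
            self.send_header("Location", "/Citrix/StoreWeb/")
            self.end_headers()
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):
        pass


def start_fake_storefront():
    server = http.server.HTTPServer(("127.0.0.1", 0), FakeStoreFront)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_fake_storefront()
    host, port = srv.server_address
    print("right store  :", probe_storefront(host, "Store", port=port, secure=False))
    print("wrong store  :", probe_storefront(host, "MyStore", port=port, secure=False))
    print("space in name:", probe_storefront(host, "My Store", port=port, secure=False))
    print("redirect     :", probe_storefront(host, "Store", port=port, secure=False,
                                             path_template="/Citrix/{store}Web"))
    srv.shutdown()
```

Unlike the appliance monitor, this probe verifies the server certificate by default when secure=True; pass an ssl_context if the StoreFront certificate does not match the name or address you probe. If a plain HTTP probe keeps reporting a 302, either probe the exact path that answers 200 or add 302 to allowed_codes deliberately, not by accident.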

Servers

  1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
  2. On the right, click Add.
  3. In the Name field, enter a descriptive server name. Usually it matches the actual server name.
  4. Enter the IP address of the server.
  5. Enter comments to describe the server. Click Create.
  6. Continue adding StoreFront servers.

    add server SF01 10.2.2.57
    add server SF02 10.2.2.58

Service Group

  1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
  2. On the right, click Add.
  3. Give the Service Group a descriptive name (e.g. svcgrp-StoreFront-SSL).
  4. Change the Protocol to HTTP or SSL. If the protocol is SSL, ensure that the StoreFront Monitor has Secure checked.
  5. Scroll down, and click OK.
  6. Click where it says No Service Group Member.

    1. If you previously created server objects, then change the selection to Server Based, and select the server objects.
      • If you did not create server objects, then enter the IP address of a StoreFront Server.
    2. Enter 80 or 443 as the port. Then click Create.
    3. In the Service Group Members section, click OK.
  7. On the right, under Advanced Settings, click Monitors.
  8. On the left, scroll down to the Monitors section, and click where it says No Service Group to Monitor Binding.

    1. In the Select Monitor field, click where it says Click to select.
    2. Find your StoreFront monitor. It might be on Page 2.
    3. Click the circle next to your StoreFront monitor.
      • You must click exactly in the circle (there’s no room for error). If you click outside the circle, then the monitor will open for editing instead of being selected. If you accidentally open a monitor, click Close to return to the selection screen.
    4. After the monitor is selected, scroll to the top of the window and click the blue Select button.
    5. Then click Bind.
  9. To verify that the monitor is working, on the left, scroll up to the  Service Group Members section, and click the Service Group Members line.

    1. Right-click a member, and click Monitor Details.
    2. The Last Response should be Success – Probe succeeded. Click Close twice. It’s too bad you can’t edit the monitor from here.
  10. On the left, if you see a Settings section, then click the pencil icon.

    • If you don’t see the Settings section, then on the right, under Advanced Settings, click Settings.
  11. On the left, in the Settings section, check the box for Client IP, and enter X-Forwarded-For as the Header.
  12. Then click OK in the Settings section. Make sure you click OK or your change won’t be saved.
  13. Scroll down, and click Done to finish creating the Service Group.

    add serviceGroup svcgrp-StoreFront-SSL SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For
    
    bind serviceGroup svcgrp-StoreFront-SSL SF01 443
    bind serviceGroup svcgrp-StoreFront-SSL SF02 443
    bind serviceGroup svcgrp-StoreFront-SSL -monitorName StoreFront
  14. If the Service Group is HTTP, meaning the Citrix ADC terminates TLS and talks plain HTTP to StoreFront servers that have no certificates installed (aka SSL Offload), then you’ll need to enable loopback in StoreFront so that StoreFront’s own server-to-server calls don’t go back out through the https Base URL.
    1. In StoreFront 3.5 and newer, you enable it in the GUI console (see the StoreFront Base URL section below).
    2. In StoreFront 3.0, run the following commands on the StoreFront 3.0 servers as detailed at Citrix Blog Post What’s New in StoreFront 3.0.
      & "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
      
      Set-DSLoopback -SiteId 1 -VirtualPath /Citrix/StoreWeb -Loopback OnUsingHttp
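Why the Client IP header matters is not spelled out above. The ADC inserts the connecting client’s address into X-Forwarded-For because, with Use Source IP off, the StoreFront servers only ever see the SNIP as the TCP peer. The backend must then take the header value from the load balancer, not from the client. The Python below is an added example (not from the page, and not StoreFront’s own code): it models the header insertion and shows the safe way to read the header on the server side, trusting only the hop that the ADC wrote. The SNIP subnet, the addresses, and the assumption that the appliance appends to (rather than replaces) a header the client already sent are all constructed for the example.

```python
import ipaddress

# Constructed for the example: the subnet the Citrix ADC SNIP lives in. Only a
# header that arrived from one of these addresses was written by the ADC.
TRUSTED_PROXIES = [ipaddress.ip_network("10.2.2.0/24")]


def is_trusted_proxy(addr, trusted=TRUSTED_PROXIES):
    return any(addr in net for net in trusted)


def client_ip_naive(xff_header):
    """The usual mistake: take the first (leftmost) address, whoever wrote it."""
    return ipaddress.ip_address(xff_header.split(",")[0].strip())


def client_ip(xff_header, peer_ip, trusted=TRUSTED_PROXIES):
    """Client address for a request that reached the backend from peer_ip.

    Walk X-Forwarded-For from the right, dropping hops that are trusted
    proxies; the first other address is the one the nearest trusted proxy saw.
    Everything left of it was written before the request reached a proxy we
    trust, so the client could have put anything there.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted_proxy(peer, trusted):
        return peer   # did not come through the ADC: the header is untrusted, ignore it
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break     # unparsable entry: stop trusting anything further left
        if not is_trusted_proxy(addr, trusted):
            return addr
    return peer


def xff_after_adc(client_src_ip, client_supplied_xff=None):
    """Model of the service group setting -cip ENABLED X-Forwarded-For.

    Assumption for this example: the appliance appends the connecting source
    address to any X-Forwarded-For value the client already sent, rather than
    replacing it. Verify against your build before relying on that.
    """
    if client_supplied_xff:
        return f"{client_supplied_xff}, {client_src_ip}"
    return client_src_ip


if __name__ == "__main__":
    snip = "10.2.2.10"                                  # what StoreFront sees as the TCP peer
    honest = xff_after_adc("203.0.113.9")
    spoofed = xff_after_adc("203.0.113.9", "10.0.0.1")  # client pretends to be internal
    print("honest :", client_ip(honest, snip), "| naive:", client_ip_naive(honest))
    print("spoofed:", client_ip(spoofed, snip), "| naive:", client_ip_naive(spoofed))
    print("direct :", client_ip("10.0.0.1", "198.51.100.7"))  # bypassed the ADC: header ignored
```

The same rule applies to anything else downstream that acts on X-Forwarded-For (logging, subnet-based filtering): if the StoreFront servers can be reached on port 80 or 443 without going through the VIP, a client can hand them any X-Forwarded-For it likes, so restrict direct access to the SNIP.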

Load Balancing Virtual Server

  1. Create or install a certificate that will be used by the StoreFront SSL Load Balancing Virtual Server. This certificate must match the DNS name for the load balanced StoreFront servers.

    • For email discovery in Citrix Receiver, the certificate must match discoverReceiver.email.suffix for each email suffix, which can be accomplished by configuring Subject Alternative Names.
  2. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
  3. On the right, click Add.
  4. Name it lbvip-StoreFront-SSL or similar.
  5. Change the Protocol to SSL.
  6. Specify a new internal VIP.
  7. Enter 443 as the Port.
  8. Click OK.

    add lb vserver lbvip-StoreFront-SSL SSL 10.2.2.221 443 -persistenceType SOURCEIP -timeout 60
  9. On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.

    1. Click where it says Click to select.
    2. Click the circle next to your StoreFront Service Group.
      • You must click the circle exactly (no room for error). If you click outside the circle, then the Service Group will open for editing. If that happens, click the x on the top right, or click the Done button on the bottom, to return to the selection screen.
    3. At the top of the window, click the blue Select button.
    4. Click Bind.

      bind lb vserver lbvip-StoreFront-SSL svcgrp-StoreFront-SSL
  10. In the Services and Service Groups section, click Continue.
  11. Click where it says No Server Certificate.

    1. Click where it says Click to select.
    2. Click the circle next to the certificate for this StoreFront Load Balancing Virtual Server.
    3. At the top of the window, click the blue Select button.
    4. Click Bind.

      bind ssl vserver lbvip-StoreFront-SSL -certkeyName WildcardCorpCom
  12. In the Certificates section, click Continue.
  13. On the right, in the Advanced Settings column, click Persistence.
  14. On the left, in the Persistence section, select SOURCEIP. Do NOT use COOKIEINSERT persistence or Android devices will not function correctly. Note: the persistence section in 12.0 build 56 is somewhat different than 12.0 older than build 56.
  15. Set the Persistence timeout to match the timeout of Receiver for Web.
  16. Click OK to close the Persistence section. If you don’t click OK then you will lose the change that you made.
  17. If the Citrix ADC communicates with the StoreFront servers using HTTP (aka SSL Offload, which means SSL 443 on the client-side, and HTTP 80 on the server-side):
    1. If the default SSL Profile is not enabled, then you’ll need to edit the SSL Parameters section on the vServer, and at the top right, check the box next to SSL Redirect. SSL Redirect rewrites the http:// Location header in StoreFront’s redirect responses to https://; without it, the Receiver for Web page will never display.

      set ssl vserver lbvip-StoreFront-SSL -sslRedirect ENABLED -ssl3 DISABLED
    2. If you have enabled the Default SSL Profile, then you’ll either need to edit the Default SSL Profile to include the SSL Redirect option, or create a new custom SSL Profile with the SSL Redirect option enabled, and then bind the custom SSL Profile to this vServer.
  18. If you haven’t enabled the Default SSL Profile, then perform the other normal SSL configuration: disable SSLv3, disable TLS v1.0, disable TLS v1.1, bind an A+ Cipher Group (custom-ssllabs-cipher is defined in the CLI Commands section below), and enable Strict Transport Security. On builds without a native HSTS option, Strict Transport Security is inserted by a Rewrite policy, as in the last command below.
    bind ssl vserver lbvip-StoreFront-SSL -certkeyName WildcardCorpCom
    
    set ssl vserver lbvip-StoreFront-SSL -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED
    
    unbind ssl vserver lbvip-StoreFront-SSL -cipherName ALL
    
    bind ssl vserver lbvip-StoreFront-SSL -cipherName custom-ssllabs-cipher
    
    bind ssl vserver lbvip-StoreFront-SSL -eccCurveName ALL
    
    bind lb vserver lbvip-StoreFront-SSL -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE
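Step 1 above requires the certificate to match the load balanced FQDN and, for email-based discovery, discoverReceiver.<suffix> for every email suffix. Wildcard certificates cover exactly one label, so a *.corp.com certificate covers discoverReceiver.corp.com but not discoverReceiver.mail.corp.com. The Python below is an added example (not part of the original page) that computes the required names from the Base URL FQDN and the email suffixes, and reports which of them the certificate’s Subject Alternative Names leave uncovered. The names and the certificate dictionary are constructed.

```python
def required_names(base_fqdn, email_suffixes=()):
    """Every DNS name the StoreFront load balancing certificate must cover."""
    names = {base_fqdn.lower()}
    for suffix in email_suffixes:
        # Receiver email-based discovery looks up discoverReceiver.<email suffix>
        names.add(f"discoverreceiver.{suffix.lower()}")
    return names


def san_matches(san, hostname):
    """Match one SAN entry: a wildcard covers exactly one label, nothing more."""
    san, hostname = san.lower(), hostname.lower()
    if not san.startswith("*."):
        return san == hostname
    parent = san[1:]                     # "*.corp.com" -> ".corp.com"
    if not hostname.endswith(parent):
        return False
    label = hostname[: -len(parent)]     # what the * would have to stand for
    return bool(label) and "." not in label


def sans_from_peercert(cert):
    """DNS names from the dict that ssl.SSLSocket.getpeercert() returns."""
    return [value.lower() for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


def uncovered_names(sans, base_fqdn, email_suffixes=()):
    """Required names no SAN entry covers; an empty list means the cert fits."""
    return sorted(name for name in required_names(base_fqdn, email_suffixes)
                  if not any(san_matches(san, name) for san in sans))


if __name__ == "__main__":
    # Constructed example: a wildcard certificate for corp.com fronting
    # storefront.corp.com, with users whose addresses end in @corp.com and @mail.corp.com
    cert = {"subjectAltName": (("DNS", "*.corp.com"), ("DNS", "corp.com"))}
    missing = uncovered_names(sans_from_peercert(cert), "storefront.corp.com",
                              ["corp.com", "mail.corp.com"])
    print("names missing from the certificate:", missing)
```

To check the certificate actually served by the VIP, hand sans_from_peercert the dict returned by ssl.create_default_context().wrap_socket(socket.create_connection((vip, 443)), server_hostname=fqdn).getpeercert(); a name that is missing here is the difference between Receiver finding the store from an email address and silently falling back to a manual URL.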

When connecting to StoreFront through load balancing, if you want to put the server name on the StoreFront webpage so you can identify the server, see Nicolas Ignoto Display server name with Citrix StoreFront 3.
Server name is displayed

SSL Redirect – SSL Load Balancing vServer Method

Users must enter https:// when navigating to the StoreFront website. To make it easier for the users, enable SSL Redirection.

This procedure details the SSL Load Balancing vServer method of performing an SSL redirect. An alternative is to use the Responder method.

  1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
  2. On the right, find the SSL Virtual Server you’ve already created, right-click it, and click Edit.
  3. In the Basic Settings section, click the pencil icon.
  4. Click the More link.
  5. In the Redirect from Port field, enter 80.
  6. In the HTTPS Redirect URL field, enter your StoreFront Load Balancing URL (e.g. https://storefront.corp.com).
  7. Scroll down, and click Continue twice.

    set lb vserver lbvip-StoreFront-SSL -redirectFromPort 80 -httpsRedirectUrl https://storefront.corp.com
  8. Note: this method does not show you that the Virtual Server is listening on both port 80 and 443. If you look in the Virtual Servers list, you only see port 443, when actually it’s also listening on port 80.

StoreFront Base URL

  1. Create a DNS Host record that resolves to the new StoreFront Load Balancing VIP.
  2. The DNS name for StoreFront load balancing must be different than the DNS name for Citrix Gateway, unless you are following the Single FQDN procedure.

  3. In the Citrix StoreFront console, right-click Server Group, and click Change Base URL.
  4. Enter the new Base URL in https://storefront.corp.com format. This URL must match the certificate that is installed on the load balancer. Click OK.
  5. Right-click your store, and click Manage Receiver for Web Sites.
  6. Click Configure.
  7. On the Advanced Settings page, in the third row, change Enable loopback communication to OnUsingHttp. This tells StoreFront to not use the load balancer for inter-server communication.

Subscription Replication Load Balancing

If you have multiple StoreFront Server Groups (usually in separate datacenters), you might want to replicate subscriptions (favorites) between them. StoreFront subscription replication uses TCP port 808. To provide High Availability for this port number, load balance TCP port 808 on the StoreFront servers. See Configure subscription synchronization at Citrix Docs for more information.

  1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
  2. On the right, right-click your existing StoreFront service group, and click Add.

    1. Change the Service Group name to indicate that it’s for Favorites (aka Subscriptions) Replication on TCP port 808.
    2. Change the Protocol to TCP.
    3. Scroll down, and click OK.
    4. In the Service Group Members section, click where it says No Service Group Member.
    5. Change the selection to Server Based, and select the StoreFront servers.
    6. Enter 808 as the port. Then click Create.
    7. Click OK to close the Service Group Members section.
    8. On the right, under Advanced Settings, click Monitors.
    9. On the left, scroll down, and in the Monitors section, click where it says No Service Group to Monitor Binding.
    10. Click where it says Click to select.
    11. Click the circle next to the tcp monitor.
      • You must click the circle exactly (no room for error). If you click outside the circle, then the monitor will open for editing. If this happens, click the Close button to return to the selection screen.
    12. At the top of the window, click the blue Select button.
    13. Click Bind.
    14. Click Done to close the Service Group.

      add serviceGroup svcgrp-StoreFront-FavRepl TCP
      bind serviceGroup svcgrp-StoreFront-FavRepl SF01 808
      bind serviceGroup svcgrp-StoreFront-FavRepl SF02 808
  3. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
  4. On the right, right-click the existing StoreFront Load Balancing vServer, and click Add.

    1. Change the name to indicate that this Virtual Server is for Favorites (aka Subscriptions) replication.
    2. Change the Protocol to TCP.
    3. Specify the same VIP that you used for SSL Load Balancing of StoreFront.
    4. Enter 808 as the Port.
    5. Click OK.
    6. In the Services and Service Groups section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.

    7. Click where it says Click to select.
    8. Click the circle next to your StoreFront Subscription Replication Service Group.
      1. You must click the circle exactly (no room for error). If you click outside the circle, then the Service Group will open for editing. If this happens, click the x on the top right, or click the Done button on the bottom, to return to the selection screen.
    9. After selecting the Service Group, at the top of the window, click the blue Select button.
    10. Click Bind.
    11. In the Services and Service Groups section, click Continue to close the section.
    12. Scroll down, and click Done to close the Virtual Server. There’s no need for persistence or redirects.

      add lb vserver lbvip-StoreFront-FavRepl TCP 10.2.2.221 808 -persistenceType NONE
      
      bind lb vserver lbvip-StoreFront-FavRepl svcgrp-StoreFront-FavRepl

CLI Commands

Here is a list of Citrix ADC CLI commands for StoreFront Load Balancing:

# SSL Global Parameters
# ---------------------
set ssl parameter -denySSLReneg NONSECURE

# SSL Cipher Group
# ----------------
add ssl cipher custom-ssllabs-cipher
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 2
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 3
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 -cipherPriority 4
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 5
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 6
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 -cipherPriority 7
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256 -cipherPriority 8
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA -cipherPriority 9
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA -cipherPriority 10
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 11
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-128-CBC-SHA -cipherPriority 12


# Cert
# -----
# -password takes the plaintext PFX password; the saved ns.conf stores it encrypted as -passcrypt
add ssl certKey WildcardCorpCom -cert WildcardCorpCom.pfx -key WildcardCorpCom.pfx -inform PFX -password "Passw0rd"

# Load Balancing Global Parameters
# --------------------------------
enable ns mode FR L3 Edge USNIP PMTUD ULFD
set ns param -cookieversion 1 -timezone
set ns tcpParam -WS ENABLED -SACK ENABLED
set ns httpParam -dropInvalReqs ON

# Servers
# -------
add server SF01 10.2.2.57
add server SF02 10.2.2.58

# Service Groups
# --------------
add serviceGroup svcgrp-StoreFront-SSL SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
bind serviceGroup svcgrp-StoreFront-SSL SF01 443
bind serviceGroup svcgrp-StoreFront-SSL SF02 443
bind serviceGroup svcgrp-StoreFront-SSL -monitorName StoreFront
bind ssl serviceGroup svcgrp-StoreFront-SSL -eccCurveName P_256
bind ssl serviceGroup svcgrp-StoreFront-SSL -eccCurveName P_384
bind ssl serviceGroup svcgrp-StoreFront-SSL -eccCurveName P_224
bind ssl serviceGroup svcgrp-StoreFront-SSL -eccCurveName P_521

add serviceGroup svcgrp-StoreFront-SubRepl TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO
bind serviceGroup svcgrp-StoreFront-SubRepl SF01 808
bind serviceGroup svcgrp-StoreFront-SubRepl SF02 808
bind serviceGroup svcgrp-StoreFront-SubRepl -monitorName tcp


# Load Balancing Virtual Servers
# ------------------------------
add lb vserver lbvip-StoreFront-SSL SSL 10.2.2.221 443 -persistenceType SOURCEIP -timeout 60 -cltTimeout 180 -redirectFromPort 80 -httpsRedirectUrl "https://storefront.corp.com"
bind lb vserver lbvip-StoreFront-SSL svcgrp-StoreFront-SSL

# Subscription replication shares the VIP with the SSL vserver, on TCP 808
add lb vserver lbvip-StoreFront-SubRepl TCP 10.2.2.221 808 -persistenceType NONE -cltTimeout 9000
bind lb vserver lbvip-StoreFront-SubRepl svcgrp-StoreFront-SubRepl


# SSL Virtual Servers
# -------------------
# disable SSLv3, TLS 1.0 and TLS 1.1 explicitly; -HSTS is the native option, older builds use the insert_STS_header rewrite policy shown above
set ssl vserver lbvip-StoreFront-SSL -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED -HSTS ENABLED -maxage 1576800000
unbind ssl vserver lbvip-StoreFront-SSL -cipherName ALL
bind ssl vserver lbvip-StoreFront-SSL -cipherName custom-ssllabs-cipher
bind ssl vserver lbvip-StoreFront-SSL -certkeyName WildcardCorpCom
bind ssl vserver lbvip-StoreFront-SSL -eccCurveName P_256
bind ssl vserver lbvip-StoreFront-SSL -eccCurveName P_384
bind ssl vserver lbvip-StoreFront-SSL -eccCurveName P_224
bind ssl vserver lbvip-StoreFront-SSL -eccCurveName P_521
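A config dump like the one above is easy to review by eye once, and easy to let drift. The Python linter below is an added example (not Citrix tooling and not from the original page) that parses the set ssl vserver, bind ssl vserver, bind ssl cipher and add ssl certKey lines and flags protocol versions not explicitly disabled, a vserver without -HSTS, cipher suites without forward secrecy or without AEAD, and a PFX password left in cleartext. It only looks at vserver-level settings, so a vserver hardened through an SSL Profile or an STS Rewrite policy will produce findings you then dismiss by hand. The sample config embedded in it is constructed: a shortened copy of the cipher group above, a second AEAD-only group, one vserver that only disables SSLv3 and one with the hardened settings.

```python
import shlex

# Protocol flags every `set ssl vserver` line should carry as DISABLED
PROTOCOL_FLAGS = {"-ssl3": "SSLv3", "-tls1": "TLS 1.0", "-tls11": "TLS 1.1"}

# Constructed sample config (see the lead-in); feed lint() your own running config instead
SAMPLE_CONFIG = """
add ssl cipher custom-ssllabs-cipher
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 5
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 11
add ssl cipher aead-only
bind ssl cipher aead-only -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher aead-only -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 2
add ssl certKey WildcardCorpCom -cert WildcardCorpCom.pfx -key WildcardCorpCom.pfx -inform PFX -password "Passw0rd"
set ssl vserver lbvip-StoreFront-SSL -ssl3 DISABLED -HSTS ENABLED -maxage 1576800000
unbind ssl vserver lbvip-StoreFront-SSL -cipherName ALL
bind ssl vserver lbvip-StoreFront-SSL -cipherName custom-ssllabs-cipher
set ssl vserver lbvip-StoreFront-SSL-hardened -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED -HSTS ENABLED -maxage 1576800000
bind ssl vserver lbvip-StoreFront-SSL-hardened -cipherName aead-only
"""


def parse_commands(config_text):
    """Split config text into token lists, skipping blank lines and # comments."""
    return [shlex.split(line) for line in config_text.splitlines()
            if line.strip() and not line.strip().startswith("#")]


def options(tokens):
    """Collect '-flag value' pairs from one command (a bare flag maps to True)."""
    opts, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("-"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tokens[i]] = tokens[i + 1]
                i += 2
                continue
            opts[tokens[i]] = True
        i += 1
    return opts


def lint(config_text):
    """Return a list of (object name, finding) for weak TLS settings."""
    findings, cipher_groups, vservers, bound_groups = [], {}, {}, {}
    for t in parse_commands(config_text):
        head, opts = tuple(t[:3]), options(t)
        if head == ("add", "ssl", "cipher"):
            cipher_groups.setdefault(t[3], [])
        elif head == ("bind", "ssl", "cipher"):
            cipher_groups.setdefault(t[3], []).append(opts["-cipherName"])
        elif head == ("set", "ssl", "vserver"):
            vservers.setdefault(t[3], {}).update(opts)   # later lines override earlier ones
        elif head == ("bind", "ssl", "vserver") and "-cipherName" in opts:
            vservers.setdefault(t[3], {})
            bound_groups.setdefault(t[3], []).append(opts["-cipherName"])
        elif head == ("add", "ssl", "certKey") and "-password" in opts:
            findings.append((t[3], "PFX password is in cleartext in this script"))
    for name, opts in vservers.items():
        for flag, proto in PROTOCOL_FLAGS.items():
            if opts.get(flag) != "DISABLED":
                findings.append((name, f"{proto} is not explicitly disabled"))
        if opts.get("-HSTS") != "ENABLED":
            findings.append((name, "no -HSTS ENABLED (acceptable only if an STS rewrite policy is bound)"))
        groups = bound_groups.get(name, [])
        if not groups:
            findings.append((name, "no custom cipher group bound; the DEFAULT group is in use"))
        for group in groups:
            for suite in cipher_groups.get(group, []):
                if "DHE" not in suite:                 # neither ECDHE nor DHE key exchange
                    findings.append((name, f"{group}: {suite} offers no forward secrecy"))
                elif "GCM" not in suite:
                    findings.append((name, f"{group}: {suite} is a CBC (non-AEAD) suite"))
    return findings


if __name__ == "__main__":
    for obj, finding in lint(SAMPLE_CONFIG):
        print(f"{obj}: {finding}")
```

Run it against the output of show ns runningConfig to catch the vserver that was built from the GUI and never had its protocols or cipher group touched; the hardened vserver in the sample produces no findings, which is the state you want every SSL vserver on the appliance to reach.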

67 thoughts on “StoreFront Load Balancing – Citrix ADC”

  1. Hi Carl,

    I’ve followed all of your documentation to the letter. I have an internal StoreFront VIP and a gateway set up on the ADC. Everything appears to be fine, except when I try to log in using my domain credentials, I immediately get sent back to the login screen. There is no error stating my credentials are invalid, and when I run cat aaad.debug, it shows a healthy LDAP bind while logging in. It seeks out my username from AD and everything APPEARS to be good. Support was not too helpful. Do you have any suggestions? I’m on a deadline XD. I know LDAPS is functioning because I am able to log into the management interface with my credentials. The abovementioned cat aaad.debug was run while attempting to authenticate to the StoreFront gateway hosted on the ADC. I’m desperate for assistance, and the forums don’t seem to have what I’m looking for.

    1. Is the second logon a Gateway logon page or is it a StoreFront logon page. What do you see in StoreFront Server > Event Viewer > Applications and Services > Citrix Delivery Services? I’m assuming the Session Policy points to the correct StoreFront address?

      Do you have other Gateways and other Session Policies that might be interfering? Is ICA Proxy set to ON in the Session Profile? Authorization = ALLOW?

      1. So, it isn’t a second login, more like there’s some sort of loop, and it loops right back to the original login page. I do not see anything in the event log on the StoreFront server.

        I have the two policies. One “Receiver for Web” and one “Receiver Self Service”

        The storefront servers:

        storefront1.contoso.com
        storefront2.contoso.com

        I have a DNS entry named storefront.contoso.com with both StoreFront server IP addresses behind it.

        For the StoreFront VIP in the ADC, I have a certificate bound to that with storefront.contoso.com, and that load balancing virtual server is configured for SSL.

        The gateway is supposed to be internal-only.

        It is called citrix.contoso.com and the IP is 192.168.0.51.

        I have a DNS entry for the the address that is associated with the gateway virtual server, and a valid certificate bound to it (with the correct subject alternative name).

        1. Return to logon can be for several reasons. If you have multiple gateways and are not persisting to the correct gateway. A Responder is doing a redirect. Session Policy or Authorization Policy doesn’t allow logon. Session Policy points to a StoreFront address that is not persistent.

          Do you see anything in /var/log/ns.log?

          1. You’re the man, Carl. Had a typo in my session policy. It’s difficult to notice when you have a capital i and a lowercase L right next to each other 🙂

            Found it based on your recommendation to look at ns.log. Thank you SO MUCH!!

  2. Good afternoon, Karl.
    If I specify StoreFront URL via Https: in Citrix Gateway Settings
    then through the browser all of Citrix Gateway works fine, the desktops are launched. But through Citrix Workspace it displays the message “failed to get your apps from storage”.

    Http works well everywhere.
    what could be the problem?

  3. Hey Carl, thanks for the wealth of knowledge you provide. Should Client Idle Timeout under traffic settings also be set to the same value as our persistence settings and storefront web timeout?

    1. I usually don’t change that setting. If the TCP connection drops, the browser can easily create a new TCP connection. It’s persistence that matters.

    “This is a Perl monitor, which uses the NSIP as the source IP.” Is this still valid for NetScaler 13.0.52? When I check my LDAPS monitor I can see it is using the nsldap.pl script for the monitor. But under my StoreFront monitor I don’t even have the option to choose a script.
    How do I know which monitors are using perl scripts and therefore NSIP as source?

  5. Hi Carl – this might be a silly simple question, but I am setting up a new 12.1 netscaler to replace an older one. storefronts are all still staying the same. In doing the load balancing, I’m paranoid about adding the two storefront servers and ‘enabling’ them, before going live with the new netscaler’s LB vsip (i plan on using the same vsip though, so as to not have to change a bunch of firewall rules).

    If I ‘enable’ the two storefronts in the monitoring section, on the new netscaler, is that going to cause problems since they’re the same two IP addresses already being connected to and monitored on the old netscaler? Or should it not matter and this is safe to do?

    1. You can have as many VIPs as you want connecting to the same servers. The new NetScaler will send probes. But otherwise the new NetScaler won’t be used unless somebody sends traffic to the new VIP. I typically modify my HOSTS file to test new VIPs.

  6. Hi Carl,

    What causes one of the members to be classified as down? I’m trying to simulate the server being up and the port reachable, but storefront not responding, I’ve shut down the following services but the member still reports up

    • CitrixConfigurationReplication
    • CitrixCredentialWallet
    • CitrixDefaultDomainService
    • Citrix Peer Resolution Service
    • CitrixServiceMonitor
    • CitrixSubscriptionsStore
    • CitrixTelemetryService

    We have had situations in the past and it’s caused issues where storefront wasn’t responding but the server was up and the port was open.

    1. No. StoreFront chooses the STA server. Gateway needs to connect to the same STA server that StoreFront chose. Gateway does this by looking up the unique ID for each STA server.

  7. Hi Carl

    I need one clarification, can we configure Multiple URI to one store and configure the same in NSG?
    Please give me some steps on this one.

    Regards
    HM

  8. Hi carl,

    I want to use NetScaler Gateway connect to NetScaler Load Balance, then connect to Virtual Desktop.

    Which Integrate With Citrix Product should I select?
    Unified Gateway?XenMobile? or XenApp and Desktop?

    How to configure it?

  9. Hi Carl,

    I setup a netscaler vpx as load balance.
    But, when I add a Service Group, it fails.

    a storefront is down
    I monitor details of StoreFront,
    the storefront —— Failure- Probe failed.

    I add a ping monitor, it is ok. NetScaler to StoreFront network is ok.
    I can use the storefront connection to desktop.

    What should I do?

    1. How is your StoreFront monitor configured? StoreFront monitor uses NSIP as the source IP so make sure routing is correct. Make sure “Check Backend Services” is not checked. For SSL, make sure “Secure” is checked.

  10. Hi Carl,

    Thank you for this wonderful article.

    I have a situation where a load balancer is configured for StoreFront servers with Source IP persistence, and I notice that the load on the services [3 SF servers] is not consistent.

    I checked the persistence counters and could confirm the same: persistence hits are seen unevenly on all 3 services, which could be expected as the traffic to this load balancer will come via internal users and also via Gateway [where the source will always be the SNIP].

    Considering the request coming via 2 ways [as mentioned above] to the load balancer vip. What would be the best persistence method to use on LBVIP [for storefront services] to make the load consistent to the LBVIP ?

    Regards
    Himanshu Aggarwal

    1. Persistence always causes uneven load balancing.

      If you don’t have any Android devices, then Cookie Insert persistence might work.

      1. Hi Carl,
        Thank you for your response.

        If I use the Cookie-Insert persistence type then cookie set by the LB NetScaler will be sent to the client via NetScaler gateway – will there be any issues with it ?
        Is there any other way to cater this situation ?

        Regards
        Himanshu

  11. Once again you saved me from incomplete documentation and misinformed support agents. Thank you. Please keep up the good work.

  12. Hi Carl,

    Our External Storefront Url was not working, we have had configured multifactor authentication for external users but it was not passing through Passcode although our base url is working fine so is our internal Url.
    After verifying all our connections we just rebooted Storefront servers and it start working.

    It is so weird, but the change we had done was MS patches. So can that be a reason for the service failure, or should I drill down further? I don’t see any suspicious event log.

    Regards,
    Anupam

  13. Hi!

    I try to configure my storefront load balancing but monitor dont work.
    Last Response “FAILURE.PROBE FAILED”

    Netscaler 12.0 56.20

    any idea?
    Is a new configuration NS is empty only basic configuration

    thanks

    1. STOREFRONT monitor uses NSIP as Source IP. Can NSIP communicate with the StoreFront servers?

      Does a generic TCP monitor work?

      1. Hi!

        Yes, TCP monitor works, ping too, but for example https says: “Failure- Http response code 404 received”

        but…..Storefront servers are not in the same VLAN that NSIP but they can communicate without problem

        I have:
        Stf Vlan: 172.16.13.x
        Subnet IP NS: 172.16.13.x
        NSIP 172.16.10.x

        Thanks

  14. Hello Carl,

    i need your help please

    I followed your guide and I have some questions:

    1) Is it needed to change something else on the NetScaler side except what is referred to in your guide? For example the XenApp & XenDesktop profile StoreFront URL?

    2) In which way does NetScaler Gateway understand that there is a virtual server configured for load balancing?

    3) If I understand well, after the Base URL change I must bind the Load Balanced URL’s certificate (let’s say wildcard) on the default web site on both StoreFronts?

    Thank you in advance

    1. Just point the Gateway Session Policy/Profile to the Load Balanced FQDN or Load Balanced VIP.

      If your StoreFront servers are standalone (not installed on Delivery Controller), then yes. Otherwise, if installed on Delivery Controller, then the certificate should match the Delivery Controller name so you can enable HTTPS between StoreFront and the Delivery Controller.

      1. Thank you very much about this recommendation

        but before proceeding with the above step I must resolve the below; let me give you a small description of the config.

        I have created the Load Balanced vServer and everything is up (here I used the same wildcard certificate as on the NetScaler Gateway VIP).

        I changed the base URL to resolve to the Load Balanced DNS.

        I followed your above step about certificates on the StoreFront servers (SF+DDC on the same server).

        But when I browse the load balanced URL from the StoreFront servers I receive certificate warnings (Mismatched Address – The certificate presented by this website was issued for a different website),

        and when I browse or try a connection internally from Receiver from any other location I receive “the site does not exist”.

        Note: I use Azure ILB for the load balancing, but I believe that as Monitor, Service and vServer are UP the problem does not reside in this part of the config.

        What do you think?

        I will appreciate very much your opinion on how to resolve this as i am in the middle of migration

        1. There shouldn’t be any need to browse to the load balanced FQDN from the StoreFront server, especially if you set loopback processing to OnUsingHttp.

          Browser works from different machine? Only Receiver doesn’t work? Is the StoreFront Console > Base URL an https:// URL?

          1. Loopback processing is enabled to OnUsingHttp

            Neither browser nor Receiver works from any other machine except the two StoreFront servers

            Yes the base URL is https

            Any idea?

  15. Hi Carl,
    Just wondering if you have seen, after upgrading to NetScaler 12, that Receiver can’t authenticate (your apps are not available at this time). It thinks the internal beacon is on the outside network and then after a few minutes decides it is on the internal network and then allows the user to log in. Resetting Receiver allows it to work.

      1. Hi Carl,
        Just the internal network, accessing through Citrix Receiver. In the Receiver logs it shows the internal beacon as OUTSIDE and then after 2 minutes decides it is INSIDE.

        I have just worked around it for now by using another NetScaler load balancer in another location on v10.5 with an almost identical configuration for the StoreFront load balancer.

        The issue just started occurring after a NetScaler upgrade to v12.

  16. Hi
    If the SSL protocol is used for LB instead of SSL-Bridge, it means NS will have to handle SSL processing. Can we use SSL Bridge instead?

    1. StoreFront requires insertion of X-Forwarded-For. NetScaler can’t do that if it’s not decrypting the traffic.
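As an added example (not part of the original article or of this comment thread), the point above expressed in Citrix ADC CLI: a terminating SSL service lets the ADC decrypt, attach the client's real source IP as X-Forwarded-For, and re-encrypt towards StoreFront, whereas an SSL_BRIDGE service only forwards ciphertext and so has no header to write into. Server names, IPs, the certificate key name and the persistence choice are placeholders; lines starting with # are annotations, not commands.

```nscli
# Terminating SSL: the ADC decrypts, so -CIP can insert the client's source IP
# into the X-Forwarded-For header that StoreFront reads. (Placeholder names/IPs.)
add server sf01 10.1.52.61
add server sf02 10.1.52.62
add service svc-sf01 sf01 SSL 443 -CIP ENABLED X-Forwarded-For
add service svc-sf02 sf02 SSL 443 -CIP ENABLED X-Forwarded-For
add lb vserver lb-vsrv-sf SSL 10.1.52.91 443 -persistenceType SOURCEIP -timeout 60
bind lb vserver lb-vsrv-sf svc-sf01
bind lb vserver lb-vsrv-sf svc-sf02
bind ssl vserver lb-vsrv-sf -certkeyName sf-cert

# The SSL_BRIDGE equivalent would be:
#   add service svc-sf01 sf01 SSL_BRIDGE 443
# The ADC then never sees the HTTP request, so nothing can be inserted and
# StoreFront only ever sees the SNIP as the client address.
```

The check is to look at the StoreFront server's IIS log after a login through the VIP: with the SSL build it records the user's address in X-Forwarded-For; with SSL_BRIDGE every request appears to come from the SNIP.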

  17. Hi Carl,

    I followed your guide to set up load balancing on NetScaler 12 for two StoreFront servers. After doing all the steps, the effective state of the StoreFront monitor is showing DOWN. For further troubleshooting, I added other monitors.

    Ping – Success – ICMP echo reply received.
    http – Failure – TCP connection successful, but application timed out.
    https – Failure – HTTP response code 302 received.
    StoreFront – Failure – Probe failed.

    So if I only keep the Ping monitor, the load balancing does work. Also, I can successfully connect to each StoreFront server by its DNS name or IP. Thank you in advance for your help.

    1. StoreFront monitor uses NSIP as the source IP, not the SNIP.

      You can do an HTTP probe to /Citrix/Store/discovery. Or add 302 as a valid response.

      1. Hi Carl, thank you for your reply. To be honest, I am pretty new to NetScaler. By any chance, could you explain further about your previous reply? In our case, 10.1.52.50 is the NSIP, 10.1.52.51 is the SNIP and 10.1.52.91 is the load balancing VIP for StoreFront, but I am still very confused about where to correct my settings. Please advise. Thank you very much.

        1. Hi, I had a similar issue that took hours to diagnose.

          My Store Name was “Citrix StoreFront”, but the actual store name doesn’t include spaces.
          The best way to find your store name is to try to log in to Citrix; then you will see the store name in the URL.
          i.e.: https://gateway.domain.com.au/Citrix/CitrixStoreFrontWeb/
          The store name here is: “CitrixStoreFront”

          Very frustrating.

        2. Another possibility that I just ran into with NS 10.5: the way the StoreFront monitor works has changed with newer versions of NS and SF. So in 10.5 an older StoreFront implementation was working fine; monitor probes succeeded. But newer StoreFront servers were failing the monitor probe. I had a dev NS running 12.1 and it worked fine straight away with the new SF servers. There is also a reference to the change (though not much detail) in CTX207988. So what I did was copy /netscaler/monitors/nssf.pl from 12.1 as “custom_nssf.pl” on 10.5. It works just fine. I couldn’t figure out how to pick the custom script from the GUI, but the following command line works:
          set lb monitor Custom-storefront STOREFRONT -scriptName custom_nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -LRTM ENABLED -deviation 0 -interval 5 -resptimeout 2 -downTime 30 -secure YES -storename Store

          Note: I think the requirements of newer versions of StoreFront support as far back as NS 10.5, so the above may not work on 10.1.
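An added example in Citrix ADC CLI (not the article's configuration and not posted by any commenter) of the non-Perl probe Carl suggests above: an HTTP monitor that requests the store's discovery document and treats 302 as a valid response alongside 200, bound to the StoreFront service in place of the Perl-based STOREFRONT monitor. Because it is a built-in HTTP monitor rather than a Perl script, it is sourced from a SNIP, which sidesteps the NSIP source-address problem mentioned in the reply. The store name "Store", the service name svc-sf01 and the timer values are assumptions; take the store name from the store URL without spaces, as the reply above describes. Lines starting with # are annotations, not commands.

```nscli
# Probe path is /Citrix/<StoreName>/discovery with the store name exactly as it
# appears in the URL (no spaces); a wrong store name gives 404 and the probe fails.
# 302 is accepted in addition to the default 200, matching the https monitor result above.
add lb monitor mon-sf-discovery HTTP -httpRequest "GET /Citrix/Store/discovery" -respCode 200 302 -secure YES -LRTM ENABLED -interval 5 -resptimeout 2 -downTime 30

# Swap the Perl-based StoreFront monitor for the HTTP one on the service (placeholder names).
unbind lb monitor StoreFront svc-sf01
bind lb monitor mon-sf-discovery svc-sf01

# Verify: the service should now report the monitor UP, and the monitor detail
# shows the last response code received from each bound service.
show service svc-sf01
show lb monitor mon-sf-discovery
```

If the probe still fails with the HTTP monitor, the remaining suspects are the store name in the path and whether the SNIP (not the NSIP) is permitted through any firewall in front of the StoreFront servers.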

  18. Hi Carl

    I have implemented your setup for load balancing, but I get “Unable to launch your application….. Cannot connect to the Citrix XenApp server. There is no XenApp configured on the specified address.” when launching the XenDesktop session. Where did I go wrong?

    1. Is NetScaler Gateway or HDX Optimal Routing configured on the StoreFront server?

      Save the ICA file and look for Address or SSLProxyHost. If Address, can your client machine access it on TCP 2598 and 1494?

      1. NetScaler Gateway is configured on the StoreFront. I’ve saved the ICA file and it shows an address. The client machine has the ports open, as it works in our older Citrix environment. I followed the setup for single FQDN. I have created an internal DNS record to resolve to my VIP on the NetScaler load balancing virtual server.

        1. The SSLProxyHost should point to an FQDN that resolves to a NetScaler Gateway VIP, not a Load Balancing VIP.

          1. Address= points to a private IP of a VDA. Controller tells the VDA to prepare for a session, which opens port 2598 on the private IP. Maybe do a wireshark trace to see if there’s traffic between the client and the VDA.

          2. Just double checking: when I implement the StoreFront load balancing, do I still need the NetScaler Gateway XenDesktop setup, i.e. using the wizard to set up the initial connection to StoreFront?

          3. If I explain what I’m trying to achieve, hopefully you can guide me to the right path. I am setting up a NetScaler so that mainly external users can access our XenDesktop, load balanced across two StoreFronts. I had assumed this article is meant for external users. I hope you can guide me to the correct method to use to achieve this. Thanks.

  19. Hi Carl,

    I have 3 StoreFront servers on 7.12 that are load balanced using a Stingray appliance. Can these be rebooted one at a time during production without dropping any user connections for XenApp or XenDesktop users?

    1. ICA connections don’t go through StoreFront. ICA goes directly from Receiver to VDA, or is proxied by NetScaler Gateway. Rebooting StoreFront would only reset a user’s web session in RfWeb.
