Part 4 in a series
So far: the first three parts of this series dealt with the introduction of a problem (multiple servers behind a NAT firewall that use the same port) and solution (Citrix NetScaler VPX Express); laying the groundwork for configuring the solution; an overview of what we'll be configuring.
Because it is possible to set up content switching with a single host (the degenerate case), this is the method we'll begin with. While it doesn't really do much for us, simply repeating the steps for a second (and subsequent) will result in a working solution. Other guides lay down the steps with two hosts already in mind, and teasing apart the pieces to apply it to your situation might be more difficult.
Because it is possible to set up content switching with a single host (the degenerate case), this is the method we'll begin with. While it doesn't really do much for us, simply repeating the steps for a second (and subsequent) will result in a working solution. Other guides lay down the steps with two hosts already in mind, and teasing apart the pieces to apply it to your situation might be more difficult.
Groundwork
Some planning must be done prior to doing this setup. The first is a set of IP addresses that you'll need to have handy. This post will use the following addresses; substitute them with your own:
Host | IP |
---|---|
CS Virtual Server | 192.168.106.37 |
Target Server A | 192.168.106.38 |
Target Server B | 192.168.106.39 |
Enable Features
The bare-bones install of the NetScaler has a number of features enabled, but the ones we need for content switching are disabled. Open the System configuration tree and select Settings
Select "Configure basic features" and make sure the following features are enabled (checked):
- Load Balancing
- Content Switching
If you selected "Traffic Management" in the left menu before and after enabling the feature, this is what you'd see:
Default, features disabled |
LB and CS enabled |
Begin the setup by expanding "Load Balancing" under "Traffic Management" and select "Servers":
Then switch to the Services option
and create a protocol-specific entry for the server, including a monitor
(I like to use http because it doesn't require any customization; a custom http-ecv monitor can be created to check for the explicit function of the target server, but that's beyond the scope of this series).
I also recommend using a naming convention that includes the type of object you're creating ('svc' for the service) and the protocol it's tied to ('http'); that will make it more obvious where a given object comes from when you see them bound in other places.
Switch to the Virtual Servers menu
and click [Add...] to build the virtual server.
Make sure you uncheck the "Directly Addressable" option; this eliminates the need to give the virtual server its own address (we want to give an address to the Content Switching virtual server) and select the service we just created.
Switch to the Content Switching menu and select "Policies"
Click [Add...] to create a policy to trigger sending the traffic based on the hostname used in the HTTP header.
Select the Virtual Servers option under Content Switching
and click [Add..] to create a new virtual server.
This server gets the IP address to which we'll be forwarding traffic.
Click "Insert Policy" to insert a new policy
Select the new policy from the drop-down, then pull down the list of targets, selecting the new load balancing server. You will get a warning about the "Goto Expression"
Select [Yes], then [Create] to make the server.
At this point, your setup should function for the first server you configured!
Now: go back to the step for creating the outside server and repeat except for creating a new Content Switching server.
Now: Open the existing server
and add another policy, using the new server's policy and LB virtual server entry:
In the center section, click [Add...] and create the server. The "Server Name" is an identifier used in the NetScaler; it does NOT have to be the FQDN or short name for the server.
Then switch to the Services option
and create a protocol-specific entry for the server, including a monitor
(I like to use http because it doesn't require any customization; a custom http-ecv monitor can be created to check for the explicit function of the target server, but that's beyond the scope of this series).
I also recommend using a naming convention that includes the type of object you're creating ('svc' for the service) and the protocol it's tied to ('http'); that will make it more obvious where a given object comes from when you see them bound in other places.
Switch to the Virtual Servers menu
and click [Add...] to build the virtual server.
Make sure you uncheck the "Directly Addressable" option; this eliminates the need to give the virtual server its own address (we want to give an address to the Content Switching virtual server) and select the service we just created.
Switch to the Content Switching menu and select "Policies"
Click [Add...] to create a policy to trigger sending the traffic based on the hostname used in the HTTP header.
and click [Add..] to create a new virtual server.
This server gets the IP address to which we'll be forwarding traffic.
Click "Insert Policy" to insert a new policy
Select the new policy from the drop-down, then pull down the list of targets, selecting the new load balancing server. You will get a warning about the "Goto Expression"
Select [Yes], then [Create] to make the server.
At this point, your setup should function for the first server you configured!
Now: go back to the step for creating the outside server and repeat except for creating a new Content Switching server.
Now: Open the existing server
and add another policy, using the new server's policy and LB virtual server entry:
You can test this internally by either updating your DNS server entries or adding a line to your machine's HOSTS file:
Point your browser at http://serverA after you make the change, and voila!, you get to the target. Switch to http://serverB, and you get that target instead.
192.168.106.37 serverA serverB
Once you've verified the functionality from the inside, update the forwarding on your NAT firewall and test using an outside address (eg, use a cell phone that's not on your home WiFi).
Parts in this series:
- Intro to using a reverse proxy
- Getting NetScaler VPX going in your lab
- Intro to Content Switching in the NetScaler
- Configure a basic content-switching application (HTTP) (this post)
- Configure an advanced content-switching application (SSL-SSL proxy)
Thanks for this post and now i understand this on how to configure this as a reverse proxy. I have few below queries on this
ReplyDelete> can we install this application in physical windows server(DMZ) if yes then please installable direct link and documentation on how to install.
> shall we configure this for the particular URL based interns of entire system port.
This is the showstopper to one of our client.
Delete1) No. NetScaler VPX is a virtual appliance. Versions from Citrix can be acquired that run on ESXi, HyperV and XenServer. If you really, really want bare metal, Citrix sells a line of NetScaler boxes, but none of them have the no-charge licensing like VPX Express.
Delete2) I have no idea what you're asking in this second part.
Thanks Jim,
DeleteEven we find out the solution for it and it will support the port based revers proxy.
very good, thanks!
ReplyDeleteThanks for this, it's a really good basic introduction. Just what I needed :)
ReplyDeleteLove your articles on the NetScaler VPX. We're already using it as a load balancer for a VMWare View environment.
ReplyDeleteWhat we'd like to do next is to replace our old MS ISA server. What it's primarily doing is URL redirection thru our firewall because it can't differentiate different URL calls to the same port number. This sounds like a perfect way to do this...However, I don't see the need to build load balancing into the appliance if all I'm going to do is take a data stream from the firewall and route it to one of a number of servers based on the URL. Am I missing something? thanx...
Great Article.
ReplyDeleteJust to be clear Target Server A IP 192.168.106.38 ist shwon as 192.168.106.21
and Target Server B 192.168.106.39 is shown as 192.168.106.22, right?
Correct, IPs are not correct on first introduction @ Groundwork.
DeleteI finally get it! Thanks! :)
ReplyDeleteSam | Techrich Network Corporation
This comment has been removed by the author.
ReplyDeleteAttractive, post. I just stumbled upon your weblog and wanted to say that I have liked browsing your blog posts. After all, I will surely subscribe to your feed, and I hope you will write again soon! 1337x
ReplyDeleteIf you've ever accessed the Internet from an office environment,chances are your communications passed through a proxy. You may not already know what a proxy does. The only IP address an Internet host is aware of is the IP address of the proxy. torrentz2
ReplyDeleteThis is valuable since when you are associated with the Proxy, your IP (just as your other individual data) is covered up. https://themersclub.com
ReplyDeleteI blog frequently and I truly thank you for your content. This article has truly peaked my interest. I will take a note of your blog online grocery app in dubai and keep checking for new information about once a week. I opted in for your Feed too.
ReplyDeleteFor any Internet user, choosing their Internet service provider (ISP) is an important step that provides them with a fast, secure Internet connection. When choosing an ISP, there are many details you should pay attention to, and you will also have to make several decisions. So, before you decide that you want to have nothing more than affordable access to the Internet, research the details about the different types of services that an Internet service provider can provide you with. Unblock Kickass
ReplyDeleteI am always searching online for articles that can help me. There is obviously a lot to know about this. I think you made some good points in Features also. Keep working, great job free vpn
ReplyDeleteIf you don’t know how to activate the remote management of the router.You can find it here router setting.
ReplyDeleteI’m going to read this. I’ll be sure to come back. thanks for sharing. and also This article gives the light in which we can observe the reality. this is very nice one and gives indepth information. thanks for this nice article... pandavpn
ReplyDeleteExpressVPN also offers a feature they call MediaStreamer. This is basically a smart DNS service that is ideal for unblocking content and accessing your favorite streams. This is a great solution if you are wanting to use a VPN for Apple TV, gaming systems, or other devices that do not normally support VPN apps.
ReplyDeleteThe search engines and other Internet users will also be kept from accessing our personal information. love it
ReplyDeleteI visit your blog regularly and recommend it to all of those who wanted to enhance their knowledge with ease. The style of writing is excellent and also the content is top-notch. Thanks for that shrewdness you provide the readers! digitogy
ReplyDeleteI am very much pleased with the contents you have mentioned. I wanted to thank you for this great article. proxies cheap
ReplyDeleteThe article is very professional, thank you very much for your sharing, there is a question is it really safe to use a proxy now? ExpressVPN中国评测
ReplyDeleteMany problems can be solved by a good vpn, some VPN information is recommended to read Gearvpn
ReplyDeleteYou must pay special attention to the security of free VPNs. You cannot risk your privacy in order to save money. Well-known VPNs on the market generally have good security, such as PandaVPN
ReplyDeleteWhat to do after connecting to a foreign network: see here
ReplyDeleteThere is no doubt that using a VPN is safe
ReplyDeleteVPN can hide your IP address, improve wifi security, prevent DNS leaks,
我一般都使用免费VPN翻墙,自用的免费VPN分享大家,此外,如果我想看Netflix VPN的话,我会用一些便宜VPN观看Netflix以及Disney PLus。
ReplyDeleteSo we were delighted when VPN软件 went above and beyond the call of duty in our Netflix VPN testing. Unlike most others 科学上网, it got us full access to exclusive content in the US, Germany and UK (as well as to BBC iPlayer in the latter). Of course VPN试用 is going to stop you from too many massive binges
ReplyDeleteOnly the best VPN排行can offer all those features and more for a great price. A VPN软件 is easy to use and has plenty of server locations that you can choose from, so you can enjoy the wanted internet freedom免费VPN.
ReplyDelete保护隐私安全和解锁限制,可以试试使用VPN,免费vpn就可以,不过最好还是选择一些便宜好用的vpn,这样还可以看电影,看奈飞,磁力下载,看youtube
ReplyDelete