Thursday, February 6, 2014

HTTP Reverse Proxy using Citrix NetScaler VPX Express

Part 4 in a series

So far: the first three parts of this series dealt with the introduction of a problem (multiple servers behind a NAT firewall that use the same port) and solution (Citrix NetScaler VPX Express); laying the groundwork for configuring the solution; an overview of what we'll be configuring.

Because it is possible to set up content switching with a single host (the degenerate case), this is the method we'll begin with. While it doesn't really do much for us, simply repeating the steps for a second (and subsequent) will result in a working solution. Other guides lay down the steps with two hosts already in mind, and teasing apart the pieces to apply it to your situation might be more difficult.

Groundwork

Some planning must be done prior to doing this setup. The first is a set of IP addresses that you'll need to have handy. This post will use the following addresses; substitute them with your own:
HostIP
CS Virtual Server192.168.106.37
Target Server A192.168.106.38
Target Server B192.168.106.39

Enable Features

The bare-bones install of the NetScaler has a number of features enabled, but the ones we need for content switching are disabled. Open the System configuration tree and select Settings

Select "Configure basic features" and make sure the following features are enabled (checked):
  • Load Balancing
  • Content Switching
If you selected "Traffic Management" in the left menu before and after enabling the feature, this is what you'd see:
Default, features disabled
LB and CS enabled
Begin the setup by expanding "Load Balancing" under "Traffic Management" and select "Servers":

In the center section, click [Add...] and create the server. The "Server Name" is an identifier used in the NetScaler; it does NOT have to be the FQDN or short name for the server.


Then switch to the Services option

and create a protocol-specific entry for the server, including a monitor
(I like to use http because it doesn't require any customization; a custom http-ecv monitor can be created to check for the explicit function of the target server, but that's beyond the scope of this series).

I also recommend using a naming convention that includes the type of object you're creating ('svc' for the service) and the protocol it's tied to ('http'); that will make it more obvious where a given object comes from when you see them bound in other places.

Switch to the Virtual Servers menu


and click [Add...] to build the virtual server.

Make sure you uncheck the "Directly Addressable" option; this eliminates the need to give the virtual server its own address (we want to give an address to the Content Switching virtual server) and select the service we just created.

Switch to the Content Switching menu and select "Policies"


Click [Add...] to create a policy to trigger sending the traffic based on the hostname used in the HTTP header.

Select the Virtual Servers option under Content Switching

and click [Add..] to create a new virtual server.
This server gets the IP address to which we'll be forwarding traffic.

Click "Insert Policy" to insert a new policy

Select the new policy from the drop-down, then pull down the list of targets, selecting the new load balancing server. You will get a warning about the "Goto Expression"

Select [Yes], then [Create] to make the server.

At this point, your setup should function for the first server you configured!

Now: go back to the step for creating the outside server and repeat except for creating a new Content Switching server.




Now: Open the existing server

and add another policy, using the new server's policy and LB virtual server entry:




You can test this internally by either updating your DNS server entries or adding a line to your machine's HOSTS file:
192.168.106.37 serverA serverB

Point your browser at http://serverA after you make the change, and voila!, you get to the target. Switch to http://serverB, and you get that target instead.

Once you've verified the functionality from the inside, update the forwarding on your NAT firewall and test using an outside address (eg, use a cell phone that's not on your home WiFi).

Parts in this series:

10 comments:

  1. Thanks for this post and now i understand this on how to configure this as a reverse proxy. I have few below queries on this
    > can we install this application in physical windows server(DMZ) if yes then please installable direct link and documentation on how to install.
    > shall we configure this for the particular URL based interns of entire system port.

    ReplyDelete
    Replies
    1. This is the showstopper to one of our client.

      Delete
    2. 1) No. NetScaler VPX is a virtual appliance. Versions from Citrix can be acquired that run on ESXi, HyperV and XenServer. If you really, really want bare metal, Citrix sells a line of NetScaler boxes, but none of them have the no-charge licensing like VPX Express.
      2) I have no idea what you're asking in this second part.

      Delete
    3. Thanks Jim,

      Even we find out the solution for it and it will support the port based revers proxy.

      Delete
  2. Thanks for this, it's a really good basic introduction. Just what I needed :)

    ReplyDelete
  3. Love your articles on the NetScaler VPX. We're already using it as a load balancer for a VMWare View environment.

    What we'd like to do next is to replace our old MS ISA server. What it's primarily doing is URL redirection thru our firewall because it can't differentiate different URL calls to the same port number. This sounds like a perfect way to do this...However, I don't see the need to build load balancing into the appliance if all I'm going to do is take a data stream from the firewall and route it to one of a number of servers based on the URL. Am I missing something? thanx...

    ReplyDelete
  4. Great Article.

    Just to be clear Target Server A IP 192.168.106.38 ist shwon as 192.168.106.21
    and Target Server B 192.168.106.39 is shown as 192.168.106.22, right?

    ReplyDelete
    Replies
    1. Correct, IPs are not correct on first introduction @ Groundwork.

      Delete