Part 3 in a series
In the first part of the series, I discussed the problem facing a user with a single outward-facing public IP address who wants to host several services behind a NAT router that all use the same port. My proposed solution is the Citrix NetScaler VPX Express, for which I documented the installation and initial configuration in the second part.
Content Switching, NetScaler-style
Before diving into the configuration steps, I thought it would be helpful to diagram the interconnections and data flow when a content switching setup is completed; I sure could have used it when I started down the path of figuring this out for myself...
- Load Balancing Server: A host external to the NetScaler, defined by name and IP address.
- Load Balancing Service: A specification of the sort of traffic (protocol and port) that a Server is expecting, and that the NetScaler is switching. Bind one or more "monitor" rules to the service so that the NetScaler can determine whether the target server is actually available; without a monitor the service is assumed up and requests are forwarded to a dead host.
- Load Balancing Virtual Server: A specification of an "internal" endpoint used by the NetScaler to route traffic. For SSL traffic, binding a copy of the target server's certificate chain and private key to the virtual server enables SSL offload (the NetScaler terminates TLS and can talk plain HTTP to the backend). That copied private key deserves the same protection as the original on the server.
- Content Switching Policy: A rule that identifies or selects traffic so that requests are forwarded to the correct target.
- Content Switching Virtual Server: An IP+Port+Protocol specification on which the NetScaler listens for incoming traffic. This address is where your NAT router will forward the traffic to be switched. The CSVS has its own SSL certificate and private key (for the public name clients connect to), so it terminates the TLS session and can evaluate the decrypted request, for example its Host header, against the policies and take action.
- An external request is received by the NetScaler on the IP and Port configured as a Content Switching virtual server.
- The NetScaler inspects the request and evaluates the bound policies in priority order. At the first matching rule, the request is forwarded to the target configured for that rule; if no rule matches, it goes to the default target if one is configured, otherwise it is discarded.
- The target Load Balancing virtual server accepts the request and passes it along to the server+service specified.
- The internal server receives the request as if it originated from the NetScaler's Subnet IP (SNIP). If the application or its logs need the real client address, enable client IP insertion on the service (an X-Forwarded-For header); otherwise every request appears to come from the NetScaler.
Content Switching elements are configured in the reverse order of traffic flow, because each object must exist before the one in front of it can reference it:
- Load Balancing Servers
- Load Balancing Services (with their monitors)
- Load Balancing Virtual Servers
- Content Switching Policies
- Content Switching Virtual Server(s), to which the policies are bound
- When using multiple Content Switching Virtual Servers, each Policy, by name, can only be bound to one CSVS at a time. As long as they have different names, however, policies can have the same matching criteria (eg: HTTP.REQ.HOSTNAME.EQ("fqdn")).
- One-to-many relationships can exist between a target server and CS Policies; you don't have to go crazy building complex boolean logic into the expressions, just add additional Policies pointing at the same target.
- SSL_BRIDGE (SSL passthrough, as opposed to SSL offload) is not usable with this kind of Content Switching. In bridge mode the NetScaler never decrypts the session, so it cannot read the Host header or anything else in the HTTP request and has no way to decide where to send the traffic.
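To make the build order concrete, here is an added example of the whole chain as NetScaler CLI commands (this is not configuration from the original post; the server names, IP addresses, hostnames and object names are assumptions for illustration, and the lines starting with `#` are annotations). It wires two internal web hosts behind one HTTP Content Switching virtual server, switching on the Host header, with a default target, health monitors, and client IP insertion so the backends see the real client address:

```text
# Added example, not from the post. Names, IPs and hostnames are assumed.
# Build order is the reverse of traffic flow.

# 1. Load Balancing Servers: the real hosts behind the NetScaler
add server web01 192.168.10.11
add server git01 192.168.10.12

# 2. Load Balancing Services: protocol and port each host listens on.
#    -cip inserts the client address as X-Forwarded-For; without it the
#    backend only ever sees the NetScaler SNIP as the source address.
add service svc-web01-http web01 HTTP 80 -cip ENABLED X-Forwarded-For
add service svc-git01-http git01 HTTP 80 -cip ENABLED X-Forwarded-For
#    Built-in "http" monitor: the service goes DOWN when the host stops
#    answering, instead of silently receiving forwarded requests.
bind service svc-web01-http -monitorName http
bind service svc-git01-http -monitorName http

# 3. Load Balancing Virtual Servers: internal only, so non-addressable
#    (IP 0.0.0.0, port 0); the CSVS is the only thing that reaches them.
add lb vserver lb-web01-http HTTP 0.0.0.0 0
add lb vserver lb-git01-http HTTP 0.0.0.0 0
bind lb vserver lb-web01-http svc-web01-http
bind lb vserver lb-git01-http svc-git01-http

# 4. Content Switching Policies: one simple rule per hostname; two
#    policies can point at the same target, no boolean logic required.
add cs policy cs-pol-www-http -rule q{HTTP.REQ.HOSTNAME.EQ("www.example.com")}
add cs policy cs-pol-git-http -rule q{HTTP.REQ.HOSTNAME.EQ("git.example.com")}

# 5. Content Switching Virtual Server: the address the NAT router
#    forwards public port 80 to.
add cs vserver cs-http HTTP 192.168.10.5 80

# 6. Bindings. A lower priority number is evaluated first and the first
#    match wins; -lbvserver names the default target for requests that
#    match no policy (omit it and unmatched requests are dropped).
bind cs vserver cs-http -policyName cs-pol-www-http -targetLBVserver lb-web01-http -priority 100
bind cs vserver cs-http -policyName cs-pol-git-http -targetLBVserver lb-git01-http -priority 110
bind cs vserver cs-http -lbvserver lb-web01-http

# SSL front end (assumed certificate files): the CSVS owns the public
# certificate and key, terminates TLS, and can then read the Host header.
# The rule text is identical to cs-pol-www-http, but a policy name can be
# bound to only one CSVS, so the SSL side needs its own policy name.
add ssl certKey ck-example -cert example.crt -key example.key
add cs vserver cs-ssl SSL 192.168.10.5 443
bind ssl vserver cs-ssl -certkeyName ck-example
add cs policy cs-pol-www-ssl -rule q{HTTP.REQ.HOSTNAME.EQ("www.example.com")}
bind cs vserver cs-ssl -policyName cs-pol-www-ssl -targetLBVserver lb-web01-http -priority 100

# Check and persist: every vserver and service should report UP, and the
# bound policy's hit counter should rise on a request with a matching Host.
show cs vserver cs-http
show lb vserver lb-web01-http
save ns config
```

Two things worth checking after pasting this in: `show cs vserver cs-http` should list both policies with their priorities and the default LB vserver, and a `curl -H "Host: git.example.com" http://192.168.10.5/` from inside the network should land on git01 while any other Host value lands on the default, web01. If a service shows DOWN, the monitor is doing its job; fix the backend rather than removing the monitor.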
Parts in this series:
- Intro to using a reverse proxy
- Getting NetScaler VPX going in your lab
- Intro to Content Switching in the NetScaler (this post)
- Configure a basic content-switching application (HTTP)
- Configure an advanced content-switching application (SSL-SSL proxy)