Thursday, February 6, 2014

HTTP Reverse Proxy using Citrix NetScaler VPX Express

Part 4 in a series

So far: the first three parts of this series dealt with the introduction of a problem (multiple servers behind a NAT firewall that use the same port) and solution (Citrix NetScaler VPX Express); laying the groundwork for configuring the solution; an overview of what we'll be configuring.

Because it is possible to set up content switching with a single host (the degenerate case), this is the method we'll begin with. While it doesn't really do much for us, simply repeating the steps for a second (and subsequent) will result in a working solution. Other guides lay down the steps with two hosts already in mind, and teasing apart the pieces to apply it to your situation might be more difficult.

Groundwork

Some planning must be done prior to doing this setup. The first is a set of IP addresses that you'll need to have handy. This post will use the following addresses; substitute them with your own:
HostIP
CS Virtual Server192.168.106.37
Target Server A192.168.106.38
Target Server B192.168.106.39

Enable Features

The bare-bones install of the NetScaler has a number of features enabled, but the ones we need for content switching are disabled. Open the System configuration tree and select Settings

Select "Configure basic features" and make sure the following features are enabled (checked):
  • Load Balancing
  • Content Switching
If you selected "Traffic Management" in the left menu before and after enabling the feature, this is what you'd see:
Default, features disabled
LB and CS enabled
Begin the setup by expanding "Load Balancing" under "Traffic Management" and select "Servers":

In the center section, click [Add...] and create the server. The "Server Name" is an identifier used in the NetScaler; it does NOT have to be the FQDN or short name for the server.


Then switch to the Services option

and create a protocol-specific entry for the server, including a monitor
(I like to use http because it doesn't require any customization; a custom http-ecv monitor can be created to check for the explicit function of the target server, but that's beyond the scope of this series).

I also recommend using a naming convention that includes the type of object you're creating ('svc' for the service) and the protocol it's tied to ('http'); that will make it more obvious where a given object comes from when you see them bound in other places.

Switch to the Virtual Servers menu


and click [Add...] to build the virtual server.

Make sure you uncheck the "Directly Addressable" option; this eliminates the need to give the virtual server its own address (we want to give an address to the Content Switching virtual server) and select the service we just created.

Switch to the Content Switching menu and select "Policies"


Click [Add...] to create a policy to trigger sending the traffic based on the hostname used in the HTTP header.

Select the Virtual Servers option under Content Switching

and click [Add..] to create a new virtual server.
This server gets the IP address to which we'll be forwarding traffic.

Click "Insert Policy" to insert a new policy

Select the new policy from the drop-down, then pull down the list of targets, selecting the new load balancing server. You will get a warning about the "Goto Expression"

Select [Yes], then [Create] to make the server.

At this point, your setup should function for the first server you configured!

Now: go back to the step for creating the outside server and repeat except for creating a new Content Switching server.




Now: Open the existing server

and add another policy, using the new server's policy and LB virtual server entry:




You can test this internally by either updating your DNS server entries or adding a line to your machine's HOSTS file:
192.168.106.37 serverA serverB

Point your browser at http://serverA after you make the change, and voila!, you get to the target. Switch to http://serverB, and you get that target instead.

Once you've verified the functionality from the inside, update the forwarding on your NAT firewall and test using an outside address (eg, use a cell phone that's not on your home WiFi).

Parts in this series:

32 comments:

  1. Thanks for this post and now i understand this on how to configure this as a reverse proxy. I have few below queries on this
    > can we install this application in physical windows server(DMZ) if yes then please installable direct link and documentation on how to install.
    > shall we configure this for the particular URL based interns of entire system port.

    ReplyDelete
    Replies
    1. This is the showstopper to one of our client.

      Delete
    2. 1) No. NetScaler VPX is a virtual appliance. Versions from Citrix can be acquired that run on ESXi, HyperV and XenServer. If you really, really want bare metal, Citrix sells a line of NetScaler boxes, but none of them have the no-charge licensing like VPX Express.
      2) I have no idea what you're asking in this second part.

      Delete
    3. Thanks Jim,

      Even we find out the solution for it and it will support the port based revers proxy.

      Delete
  2. Thanks for this, it's a really good basic introduction. Just what I needed :)

    ReplyDelete
  3. Love your articles on the NetScaler VPX. We're already using it as a load balancer for a VMWare View environment.

    What we'd like to do next is to replace our old MS ISA server. What it's primarily doing is URL redirection thru our firewall because it can't differentiate different URL calls to the same port number. This sounds like a perfect way to do this...However, I don't see the need to build load balancing into the appliance if all I'm going to do is take a data stream from the firewall and route it to one of a number of servers based on the URL. Am I missing something? thanx...

    ReplyDelete
  4. Great Article.

    Just to be clear Target Server A IP 192.168.106.38 ist shwon as 192.168.106.21
    and Target Server B 192.168.106.39 is shown as 192.168.106.22, right?

    ReplyDelete
    Replies
    1. Correct, IPs are not correct on first introduction @ Groundwork.

      Delete
  5. This comment has been removed by the author.

    ReplyDelete
  6. Attractive, post. I just stumbled upon your weblog and wanted to say that I have liked browsing your blog posts. After all, I will surely subscribe to your feed, and I hope you will write again soon! 1337x

    ReplyDelete
  7. If you've ever accessed the Internet from an office environment,chances are your communications passed through a proxy. You may not already know what a proxy does. The only IP address an Internet host is aware of is the IP address of the proxy. torrentz2

    ReplyDelete
  8. This is valuable since when you are associated with the Proxy, your IP (just as your other individual data) is covered up. https://themersclub.com

    ReplyDelete
  9. I blog frequently and I truly thank you for your content. This article has truly peaked my interest. I will take a note of your blog online grocery app in dubai and keep checking for new information about once a week. I opted in for your Feed too.

    ReplyDelete
  10. For any Internet user, choosing their Internet service provider (ISP) is an important step that provides them with a fast, secure Internet connection. When choosing an ISP, there are many details you should pay attention to, and you will also have to make several decisions. So, before you decide that you want to have nothing more than affordable access to the Internet, research the details about the different types of services that an Internet service provider can provide you with. Unblock Kickass

    ReplyDelete
  11. I am always searching online for articles that can help me. There is obviously a lot to know about this. I think you made some good points in Features also. Keep working, great job free vpn

    ReplyDelete
  12. If you don’t know how to activate the remote management of the router.You can find it here router setting.

    ReplyDelete
  13. I’m going to read this. I’ll be sure to come back. thanks for sharing. and also This article gives the light in which we can observe the reality. this is very nice one and gives indepth information. thanks for this nice article... pandavpn

    ReplyDelete
  14. ExpressVPN also offers a feature they call MediaStreamer. This is basically a smart DNS service that is ideal for unblocking content and accessing your favorite streams. This is a great solution if you are wanting to use a VPN for Apple TV, gaming systems, or other devices that do not normally support VPN apps.

    ReplyDelete
  15. The search engines and other Internet users will also be kept from accessing our personal information. love it

    ReplyDelete
  16. I visit your blog regularly and recommend it to all of those who wanted to enhance their knowledge with ease. The style of writing is excellent and also the content is top-notch. Thanks for that shrewdness you provide the readers! digitogy

    ReplyDelete
  17. I am very much pleased with the contents you have mentioned. I wanted to thank you for this great article. proxies cheap

    ReplyDelete
  18. The article is very professional, thank you very much for your sharing, there is a question is it really safe to use a proxy now? ExpressVPN中国评测

    ReplyDelete
  19. Many problems can be solved by a good vpn, some VPN information is recommended to read Gearvpn

    ReplyDelete
  20. You must pay special attention to the security of free VPNs. You cannot risk your privacy in order to save money. Well-known VPNs on the market generally have good security, such as PandaVPN

    ReplyDelete
  21. What to do after connecting to a foreign network: see here

    ReplyDelete
  22. There is no doubt that using a VPN is safe
    VPN can hide your IP address, improve wifi security, prevent DNS leaks,

    ReplyDelete
  23. 我一般都使用免费VPN翻墙,自用的免费VPN分享大家,此外,如果我想看Netflix VPN的话,我会用一些便宜VPN观看Netflix以及Disney PLus。

    ReplyDelete
  24. So we were delighted when VPN软件 went above and beyond the call of duty in our Netflix VPN testing. Unlike most others 科学上网, it got us full access to exclusive content in the US, Germany and UK (as well as to BBC iPlayer in the latter). Of course VPN试用 is going to stop you from too many massive binges

    ReplyDelete
  25. Only the best VPN排行can offer all those features and more for a great price. A VPN软件 is easy to use and has plenty of server locations that you can choose from, so you can enjoy the wanted internet freedom免费VPN.

    ReplyDelete
  26. 保护隐私安全和解锁限制,可以试试使用VPN,免费vpn就可以,不过最好还是选择一些便宜好用的vpn,这样还可以看电影,看奈飞,磁力下载,看youtube

    ReplyDelete