Binding many NetScaler Gateways to a content switching vServer on Citrix NetScaler, Method 2

Or: Admin partitions

Update, March 2021: It does not work with current versions

This is a workaround for a well-known problem in NetScaler: Binding NetScaler Gateways to content switching vServers.

This solution does not follow Citrix best practices. Avoid using it, if you can!

My solution works with NetScaler 11.1 and later.

The Problem

Up to 11.0, it was impossible to bind a NetScaler Gateway to a Content Switching vServer. As of firmware version 12, this is possible, but limited to a single NetScaler Gateway. This limitation may be an obstacle in certain environments. Most companies nowadays suffer from a lack of public IPs. But most of all: users don't like complex environments with tons of different URLs to handle, one for mobile devices, one for PCs, one for trusted, one for untrusted devices, and so on. Instead, they want to use a single URL for all use cases.

Content switching may mitigate this issue by hiding very different configurations behind a single URL. But this is not true for NetScaler Gateways. In days of old we could not bind any gateway to a content switching vServer at all; now (starting from version 11) we can bind a maximum of one gateway to it.

Why may one gateway not be enough? First of all, complexity. It may confuse you if you have to bind tons of different scenarios to one gateway. In my real-world experience, I often see buggy environments, as complexity may overwork the admins. But there may also be technical reasons. One of my customers would have to bind approximately 50 LDAP sources of customers and partners. All of them are geographically dispersed and some of them may even be misconfigured and therefore slow. Logon against the last ADs in the list would be painful. Splitting the gateway up into several gateways would speed things up very much.

The solution

I already posted a solution for NetScaler 10 using the ANY service. There are pros and cons to it; most of all, it does not work anymore. My new solution uses admin partitions.

What’s great about it?

Well, this one is much closer to a supported solution!

And there are downsides for sure?

You’re right! There is a serious downside: we need an external router. Sorry for that.

How to bind multiple Citrix NetScaler Gateways to a single Content switching vServer

Prerequisites

We need:

  • a NetScaler with sufficient bandwidth (VPX, MPX, CPX, BLX)
  • a router
  • 3 subnets

Traffic flow:

I assume the external firewall is 192.168.0.1/24. The internal firewall is 192.168.3.1/24.

The external firewall forwards traffic from 1.2.3.4 (external IP) to 192.168.0.2 (Content Switching vServer).

The Content Switching vServer 192.168.0.2 splits traffic based on the hostname to 3 NetScaler Gateways (192.168.2.10, 192.168.2.11, 192.168.2.12). These gateways are reachable via a router at 192.168.1.100.

Why do we need a dedicated router?

There is no way to send traffic directly from one partition to another.
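The traffic flow above, written out as NetScaler CLI configuration for the default partition. This is an added example and not configuration from the original post; it assumes the content switching vServer reaches each gateway VIP through a non-addressable LB vServer with an SSL service (the post does not say how the CS target is built), a SNIP of 192.168.1.10 on the router-facing subnet, the placeholder hostnames gw1/gw2/gw3.example.com and the placeholder certkey name <certkey-name>.

```netscaler
# Default partition. The gateways live in other admin partitions, so their subnet
# is only reachable through the dedicated router (assumed SNIP 192.168.1.10).
add ns ip 192.168.1.10 255.255.255.0 -type SNIP
add route 192.168.2.0 255.255.255.0 192.168.1.100

# One SSL service per gateway VIP (addresses from the post)
add service svc_gw1 192.168.2.10 SSL 443
add service svc_gw2 192.168.2.11 SSL 443
add service svc_gw3 192.168.2.12 SSL 443

# Non-addressable LB vServers as content switching targets (assumed design, not from the post).
# SSL vServers stay DOWN until a certificate is bound, hence the bindings below.
add lb vserver lb_gw1 SSL 0.0.0.0 0
add lb vserver lb_gw2 SSL 0.0.0.0 0
add lb vserver lb_gw3 SSL 0.0.0.0 0
bind lb vserver lb_gw1 svc_gw1
bind lb vserver lb_gw2 svc_gw2
bind lb vserver lb_gw3 svc_gw3
bind ssl vserver lb_gw1 -certkeyName <certkey-name>
bind ssl vserver lb_gw2 -certkeyName <certkey-name>
bind ssl vserver lb_gw3 -certkeyName <certkey-name>

# Content switching vServer on 192.168.0.2, the NAT target of the firewall for 1.2.3.4.
# <certkey-name> is a placeholder for a certificate covering all three hostnames.
add cs vserver cs_gw SSL 192.168.0.2 443
bind ssl vserver cs_gw -certkeyName <certkey-name>

# Split on the HTTP Host header (placeholder hostnames); one action and policy per gateway
add cs action act_gw1 -targetLBVserver lb_gw1
add cs action act_gw2 -targetLBVserver lb_gw2
add cs action act_gw3 -targetLBVserver lb_gw3
add cs policy pol_gw1 -rule "HTTP.REQ.HOSTNAME.SERVER.EQ(\"gw1.example.com\")" -action act_gw1
add cs policy pol_gw2 -rule "HTTP.REQ.HOSTNAME.SERVER.EQ(\"gw2.example.com\")" -action act_gw2
add cs policy pol_gw3 -rule "HTTP.REQ.HOSTNAME.SERVER.EQ(\"gw3.example.com\")" -action act_gw3
bind cs vserver cs_gw -policyName pol_gw1 -priority 100
bind cs vserver cs_gw -policyName pol_gw2 -priority 110
bind cs vserver cs_gw -policyName pol_gw3 -priority 120

# In each gateway's own admin partition (creation is covered by the author's separate guide):
#   switch ns partition gw1_part
#   add vpn vserver gw1 SSL 192.168.2.10 443
```

Check the result with `show cs vserver cs_gw` and `show lb vserver lb_gw1`: the CS vServer and all three LB vServers must report UP before the external firewall is pointed at 192.168.0.2.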

Creating the admin partition

Just follow my guide to set up admin partitions.

About the author

Johannes Norz

Johannes Norz is a Citrix Certified Citrix Technology Advocate (CTA), Citrix Certified Instructor (CCI) and Citrix Certified Expert on Application Delivery and Security (CCE-AppDS).

He frequently works for Citrix international Consulting Services and several education centres all around the globe.

Johannes lives in Austria. He was born in Innsbruck, a small city (150,000 inhabitants) in the middle of the most beautiful Austrian mountains (https://www.youtube.com/watch?v=UvdF145Lf2I).

By Johannes Norz
