Citrix Netscaler 10 Summary Notes – Getting Started – Day 6

Load Balancing

Overview

  • Distributes client requests across multiple servers to optimize resource utilization
  • Prevents bottlenecks
  • Configuration:
    • Define a virtual server that proxies multiple servers in a server farm
    • Balance the load
  • Provides traffic management from Layer 4 (TCP and UDP) through Layer 7 (FTP, HTTP, and HTTPS)
  • Load balancing algorithms are used to determine how to distribute the load among servers
    • Least Connections method – default

How it works:

  • Client initiates a connection to the server
  • Virtual server terminates client connection
  • Virtual server initiates new connection to selected server or reuses connection to load balance
  • Entities:
    • Virtual server
      • Represented by IP, port and protocol
      • VIP is usually a public address
      • Clients connect to its address
      • Represents a bank of servers
    • Service
      • Logical representation of a server or an application running on a server
      • Identifies server’s IP, port, protocol
      • Bound to virtual servers
    • Server object
      • Represented by IP
      • Created when a service is created
      • IP address of the service is used as the name of the object
    • Monitor
      • Tracks health of services
      • Periodically probes the servers bound to each service
      • If a server fails to respond within the specified timeframe for the specified number of probes, the service is marked as down and load balancing is performed among the remaining servers

Configuration

  • Enable load balancing
enable ns feature LB

show ns feature

System > Settings > Modes and Features > Change basic features > Load Balancing > check > OK > Enable
  • (optional) create server object
  • Create services or service groups
add service <name> <IPaddress> <serviceType> <port>
  • (optional) create monitors
  • Create virtual servers
add lb vserver <name> <serviceType> <IPAddress> <port>
  • Bind service to virtual servers
bind lb vserver <name> <serviceName>

show service bindings <serviceName>
  • (optional) assign weights to services – the load balancing method uses the weight when selecting a service
  • (Optional) Configure basic persistence settings – for sessions that have to maintain connections to a particular server. For the initial connection the appliance uses the configured load balancing method to select the server; subsequent connections from the same client go to that specific server. Persistence overrides the load balancing method once the server is selected. If the service is down, the appliance uses the load balancing method to select a new service and then connects persistently to that service for subsequent requests from the same client. If the service state is out-of-service, the service serves only the outstanding requests for a specified shutdown period but does not accept new connections. Once the shutdown period is up, existing connections are terminated.
    • Max 250K persistent connections for Source IP, SSL Session ID, Rule, DESTIP, SRCIPDESTIP
    • For CookieInsert (if timeout is not 0), URL Passive and Custom Server ID, persistent connections are allowed up to the memory limit
    • If persistence cannot be maintained because of lack of resources, the appliance uses the load balancing method to select the server
    • Persistence is maintained for a configured period of time, depending on the type
    • If persistence is enabled on a group of vservers, requests are directed to the same selected server regardless of which vserver in the group receives the request. If the configured time ends, any vserver in the group can select a new server for incoming requests.
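The selection logic described above (least connections as the default method, weights, monitor state, and a persistence table that overrides the method until its entry expires, the service goes down, or resources run out), as an added example; this is a constructed model, not NetScaler code, and the service names, addresses, 120-second timeout and client IPs in demo() are assumptions.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of a load-balancing vserver (added example, not NetScaler
# code): least-connections selection, service weights, monitor state and a
# SOURCEIP-style persistence table with a timeout and an entry limit.


@dataclass
class Service:
    name: str
    ip: str
    port: int
    weight: int = 1        # higher weight -> preferred by the LB method
    up: bool = True        # maintained by the monitor
    active_conns: int = 0  # connections currently open to this service


@dataclass
class VServer:
    name: str
    services: List[Service] = field(default_factory=list)
    persistence_timeout: float = 120.0   # seconds an entry stays valid (assumed value)
    max_persist_entries: int = 250_000   # notes: 250K limit for SOURCEIP persistence
    persist: Dict[str, Tuple[Service, float]] = field(default_factory=dict, repr=False)

    def monitor_probe(self, results: Dict[str, bool]) -> None:
        """Apply monitor results: service name -> True (UP) / False (DOWN)."""
        for svc in self.services:
            if svc.name in results:
                svc.up = results[svc.name]

    def least_connections(self) -> Optional[Service]:
        """Weighted least connections: fewest open connections per unit of weight."""
        up = [s for s in self.services if s.up]
        if not up:
            return None
        return min(up, key=lambda s: s.active_conns / s.weight)

    def select(self, client_ip: str, now: Optional[float] = None) -> Optional[Service]:
        """Pick the service for a new connection from client_ip."""
        now = time.time() if now is None else now
        entry = self.persist.get(client_ip)
        if entry is not None:
            svc, expiry = entry
            if svc.up and now < expiry:
                # persistence overrides the LB method while the entry is valid
                svc.active_conns += 1
                self.persist[client_ip] = (svc, now + self.persistence_timeout)
                return svc
            # expired, or the service went down: fall back to the LB method
            del self.persist[client_ip]
        svc = self.least_connections()
        if svc is None:
            return None            # every service is DOWN
        svc.active_conns += 1
        # out of persistence resources: still balance, just without recording
        if len(self.persist) < self.max_persist_entries:
            self.persist[client_ip] = (svc, now + self.persistence_timeout)
        return svc

    def close(self, svc: Service) -> None:
        """Connection finished: the service becomes a better least-connections candidate."""
        svc.active_conns = max(0, svc.active_conns - 1)


def demo() -> List[str]:
    """Walk through the sequence the notes describe; returns the chosen service names."""
    web1 = Service("web1", "10.0.0.11", 80, weight=1)   # constructed addresses
    web2 = Service("web2", "10.0.0.12", 80, weight=2)
    vs = VServer("vs_http", [web1, web2])
    picks = []
    picks.append(vs.select("198.51.100.1", now=0).name)    # LB method: web1
    picks.append(vs.select("198.51.100.2", now=0).name)    # LB method: web2 (web1 busier)
    picks.append(vs.select("198.51.100.1", now=10).name)   # persistence keeps client 1 on web1
    vs.monitor_probe({"web1": False})                      # monitor marks web1 DOWN
    picks.append(vs.select("198.51.100.1", now=20).name)   # re-selected by LB: web2
    picks.append(vs.select("198.51.100.2", now=200).name)  # entry expired: LB again
    return picks


if __name__ == "__main__":
    print(demo())  # ['web1', 'web2', 'web1', 'web2', 'web2']
```

The demo shows the two fallbacks the notes call out: a client whose persisted service the monitor has marked DOWN is re-balanced (and then sticks to the new service), and a client whose entry has timed out is re-balanced as if it were new.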


  • cookie persistence
    • NetScaler adds an HTTP cookie to the Set-Cookie header field of the HTTP response:
NSC_XXXX=<ServiceIP><ServicePort>
    • NSC_XXXX – vserver ID (derived from the vserver name)
    • <ServiceIP> – IP address of the service in hexadecimal (encrypted by NetScaler when sent, decrypted on receipt)
    • <ServicePort> – port of the service in hexadecimal (encrypted by NetScaler when sent, decrypted on receipt)
  • Cookie contains info about the service to which the HTTP requests should be sent
  • Client stores the cookie and uses it in subsequent requests. If it is not allowed to store cookies, persistence is not honoured in subsequent requests
  • NetScaler checks the cookie and uses it to select the service for the requests
  • Can be used on HTTP and HTTPS vservers
  • By default HTTP cookie version 0 is sent (Netscape specification). Can also send RFC 2109 HTTP cookie version 1
  • Timeout can be configured
    • If HTTP cookie version 0 (mostly used)
      • Expiration = current GMT time on the NetScaler + Timeout
    • If HTTP cookie version 1
      • Expiration = Max-Age attribute of the HTTP cookie, sent by NetScaler to the client; the client calculates the expiry time
    • Value = 0: NetScaler does not specify an expiration time. Expiry depends on the client, and the cookie becomes invalid when the client software is shut down
      • Persistence does not use system resources
      • Unlimited number of persistent clients supported
System > Settings > HTTP Parameters

set lb vserver <name> -persistenceType COOKIEINSERT

show lb vserver

Traffic Management > Load Balancing > Virtual Servers> select vserver > Open
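What the COOKIEINSERT cookie carries and how the two cookie versions express the timeout, as an added example (not NetScaler code). It builds the plaintext layout from the notes (IPv4 address as 8 hex digits, port as 4) and the matching Set-Cookie header; the real appliance encrypts that value before sending it, which is exactly why the plain layout matters: without encryption every client could read the backend's address out of its own cookie. The vserver ID prefix ("NSC_" plus the vserver name), the service address and the timeouts are assumptions.

```python
import ipaddress
from email.utils import formatdate

# Added example (not NetScaler code): the plaintext layout of the NSC_ cookie
# value from the notes, and how the two cookie versions express the timeout.
# On the appliance the value is encrypted before it is sent; this shows only
# what the cookie identifies, which is why that encryption matters.


def encode_service(ip: str, port: int) -> str:
    """<ServiceIP><ServicePort>: IPv4 address as 8 hex digits, port as 4."""
    return f"{int(ipaddress.IPv4Address(ip)):08x}{port:04x}"


def decode_service(value: str):
    """Inverse of encode_service; used here to check the round trip."""
    if len(value) != 12:
        raise ValueError("expected 8 hex digits of IPv4 address + 4 of port")
    ip = str(ipaddress.IPv4Address(int(value[:8], 16)))
    port = int(value[8:], 16)
    return ip, port


def build_set_cookie(vserver_id: str, ip: str, port: int,
                     version: int = 0, timeout: int = 0, now: float = 0.0) -> str:
    """Set-Cookie header a vserver with COOKIEINSERT persistence would emit.

    vserver_id stands in for the NSC_XXXX id NetScaler derives from the vserver
    name (assumption: 'NSC_' + name). timeout 0 means no expiry attribute at all,
    so the cookie lives only as long as the client keeps it.
    """
    cookie = f"NSC_{vserver_id}={encode_service(ip, port)}"
    if timeout > 0:
        if version == 0:
            # Netscape version 0: absolute time = appliance GMT clock + timeout
            cookie += "; expires=" + formatdate(now + timeout, usegmt=True)
        else:
            # RFC 2109 version 1: relative Max-Age, the client works out the expiry
            cookie += f"; Max-Age={timeout}; Version=1"
    return "Set-Cookie: " + cookie


if __name__ == "__main__":
    hdr = build_set_cookie("vs_http", "10.0.0.11", 80, version=0, timeout=60, now=0)
    print(hdr)  # Set-Cookie: NSC_vs_http=0a00000b0050; expires=Thu, 01 Jan 1970 00:01:00 GMT
    print(decode_service("0a00000b0050"))  # ('10.0.0.11', 80)
```

Passing now=0 pins the version 0 expiry to a known clock value; on an appliance the "current GMT time" is its own clock, so a skewed appliance clock shifts every cookie's expiry, which is worth remembering when a persistence problem looks like a timeout problem.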
  • URL PASSIVE persistence (persistence based on server IDs in URLs)
    • NetScaler extracts the server ID (IP address and port in hexadecimal) from the server response and adds it to the URL query of the client request
    • NetScaler extracts the server ID from subsequent requests and uses it to select the server. If it cannot extract the ID, NetScaler uses the load balancing method to select the server
    • Requires either of the following configurations:
      • payload expression
      • policy infrastructure expression
    • Not affected by the timeout value; persistence is maintained as long as the server ID can be extracted
    • Does not consume system resources
    • Unlimited number of persistent clients
set lb vserver <name> -persistenceType URLPASSIVE

show lb vserver

Traffic Management > Load Balancing > Virtual Servers
  • (optional) basic configuration – protection settings
    • URL redirection – notifies clients of vserver (HTTP and HTTPS) malfunctions. Can be a local or remote link. NetScaler uses an HTTP 302 redirect
      • Redirects can be:
        • Absolute URL – HTTP redirect is sent to the configured location, regardless of the URL specified in the incoming HTTP request
        • Relative URL (domain name) – HTTP redirect is sent to the location formed by appending the incoming URL to the domain configured in the redirect URL
      • In case a backup vserver is configured, the backup virtual server takes precedence over the redirect URL
      • The redirect is used when both primary and backup vservers are down
set lb vserver <name> -redirectURL <URL>

show lb vserver

Traffic Management > Load Balancing > Virtual Servers > select server > open >
  • Backup vserver – takes over in case the primary vserver fails
    • It is a proxy and is transparent to the client
    • Can be configured:
      • when a vserver is created
      • when the optional parameters of an existing vserver are changed
    • A backup vserver can be configured for another backup vserver (maximum cascading depth = 10)
    • If there is no backup vserver and no redirect URL, an error message is displayed
    • Backup vserver takes precedence over a URL redirect if both are configured
set lb vserver <name> -backupVserver <backupVserverName>

show lb vserver

Traffic Management > Load Balancing > Virtual Servers
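The protection order from the two sections above in one place, as an added example (not NetScaler code): a request at a failed primary walks the backup chain first (at most 10 backups deep), falls back to the redirect URL only when the whole chain is down, and distinguishes an absolute redirect URL from a bare domain that gets the incoming path appended. The vserver names, URLs and the assumption that a bare domain is reached over http:// are constructed for the example.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Added example (not NetScaler code): the order the notes give for a failing
# vserver - backup vserver chain first (at most 10 deep), then the redirect
# URL, otherwise an error.


class LBVServer:
    def __init__(self, name: str, up: bool,
                 backup: Optional["LBVServer"] = None,
                 redirect_url: Optional[str] = None):
        self.name = name
        self.up = up
        self.backup = backup
        self.redirect_url = redirect_url


def redirect_location(redirect_url: str, request_url: str) -> str:
    """Absolute URL: sent as configured. Bare domain: incoming path and query appended.

    Assumption for the example: a bare domain is reached over http://.
    """
    if urlsplit(redirect_url).scheme:
        return redirect_url
    req = urlsplit(request_url)
    path = req.path or "/"
    if req.query:
        path += "?" + req.query
    return f"http://{redirect_url}{path}"


def resolve(primary: LBVServer, request_url: str, max_depth: int = 10) -> Tuple[str, str]:
    """Decide where a request that arrives at `primary` is served from."""
    chain: List[LBVServer] = [primary]
    node = primary
    while node.backup is not None and len(chain) <= max_depth:
        node = node.backup
        chain.append(node)       # primary plus at most max_depth backups
    for candidate in chain:
        if candidate.up:
            return ("vserver", candidate.name)   # backups take precedence over the redirect
    if primary.redirect_url:
        return ("redirect", redirect_location(primary.redirect_url, request_url))
    return ("error", "no backup vserver and no redirect URL configured")


def demo() -> List[Tuple[str, str]]:
    req = "http://www.example.com/app/page?x=1"          # constructed request
    backup = LBVServer("vs_backup", up=True)
    primary = LBVServer("vs_primary", up=False, backup=backup,
                        redirect_url="maint.example.com")
    results = [resolve(primary, req)]                     # backup serves it
    backup.up = False
    results.append(resolve(primary, req))                 # both down: relative redirect
    primary.redirect_url = "http://status.example.com/down.html"
    results.append(resolve(primary, req))                 # absolute redirect, request URL ignored
    primary.redirect_url = None
    results.append(resolve(primary, req))                 # nothing configured
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The depth limit is the part people forget: a backup configured eleven hops away from the primary is never consulted, so a long cascade can end in the redirect (or the error) while a healthy vserver sits at the end of the chain.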
  • Verify config
  • Verify stats
stat lb vserver

Compression

Overview

  • Means of optimizing bandwidth usage
  • Netscaler gets requests from clients and checks to see if clients accept compressed data
  • Appliance receives the HTTP response from the server and checks whether it is compressible; if so, it compresses the response, modifies the header to show the compression type and forwards it to the client
  • Policy based feature
    • Policy filters requests and responses to check which responses can be compressed and specifies type of compression to apply to response
    • There are several built in policies
    • Can create custom policies
  • Some Multipurpose Internet Mail Extensions (MIME) types that can be compressed
    • text/html
    • text/plain
    • text/xml, text/css
    • text/rtf
    • application/msword
    • application/vnd.ms-excel
    • application/vnd.ms-powerpoint
  • MIME types that cannot be compressed:
    • application/octet-stream
    • binary
    • bytes
    • compressed image formats : GIF and JPEG
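The request/response check the overview describes (client advertises compression, response MIME type is on the compressible list and not on the excluded one, header rewritten to show the encoding), as an added example in Python, not NetScaler code: the appliance's policy engine and built-in policies are not modelled, and the header dicts and bodies are constructed inputs.

```python
import gzip
from typing import Dict, Tuple

# Added example (not NetScaler code): the compression decision from the notes.
# Request and response are plain header dicts plus a body; the appliance's real
# policy engine and its built-in policies are not modelled.

COMPRESSIBLE = {
    "text/html", "text/plain", "text/xml", "text/css", "text/rtf",
    "application/msword", "application/vnd.ms-excel", "application/vnd.ms-powerpoint",
}
# Already compact or opaque data: the notes list these as not compressible.
NOT_COMPRESSIBLE = {"application/octet-stream", "image/gif", "image/jpeg"}


def client_accepts_gzip(request_headers: Dict[str, str]) -> bool:
    """Step 1: does the client advertise gzip in Accept-Encoding?"""
    accept = request_headers.get("Accept-Encoding", "")
    for token in accept.split(","):
        coding = token.split(";")[0].strip().lower()   # drop any ;q= weight
        if coding == "gzip":
            return True
    return False


def response_is_compressible(response_headers: Dict[str, str]) -> bool:
    """Step 2: MIME type on the allow list, not excluded, and not already encoded."""
    if "Content-Encoding" in response_headers:
        return False
    ctype = response_headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype in NOT_COMPRESSIBLE:
        return False
    return ctype in COMPRESSIBLE


def compress_response(request_headers: Dict[str, str], response_headers: Dict[str, str],
                      body: bytes) -> Tuple[Dict[str, str], bytes, bool]:
    """Step 3: compress, rewrite headers, and report whether anything was done."""
    if not client_accepts_gzip(request_headers) or not response_is_compressible(response_headers):
        return response_headers, body, False
    compressed = gzip.compress(body, mtime=0)   # mtime=0 keeps the output deterministic
    headers = dict(response_headers)
    headers["Content-Encoding"] = "gzip"        # tell the client which compression was applied
    headers["Content-Length"] = str(len(compressed))
    headers["Vary"] = "Accept-Encoding"         # caches must key on the request's Accept-Encoding
    return headers, compressed, True


def decompress_body(headers: Dict[str, str], body: bytes) -> bytes:
    """What the client does on receipt; used here to check the round trip."""
    return gzip.decompress(body) if headers.get("Content-Encoding") == "gzip" else body


if __name__ == "__main__":
    page = b"<html><body>" + b"hello " * 200 + b"</body></html>"
    hdrs, out, done = compress_response({"Accept-Encoding": "gzip, deflate;q=0.5"},
                                        {"Content-Type": "text/html; charset=utf-8"}, page)
    print(done, hdrs["Content-Encoding"], len(page), "->", len(out))
```

The Vary header is not in the notes but is what keeps a shared cache from handing a gzip body to a client that never asked for one; the Content-Length rewrite is the same idea applied to the framing.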

Configuration

1) Enable globally – not enabled by default.

enable ns feature CMP

show ns feature

System > Settings > Modes and Features > change basic features > check compression > OK > Enable

2) Enable it on each service that will provide responses that need to be compressed

set service <name> -CMP YES

show service <name>

Traffic Management > Load Balancing > Services > select service > advanced > settings> compression > OK

3) (If applicable) Bind the compression policy to the load balancing vservers. If load balancing is not enabled, compression applies to all traffic that passes through the appliance. Once bound, the compression policy is evaluated only for that vserver.

(bind|unbind) lb vserver <name> -policyName <policyName>

show lb vserver

Traffic Management > Load Balancing > Virtual Servers > select vserver > policies > compression  > insert policy > OK

4) Verify configuration

Securing Load Balanced traffic ( SSL Offload)

Overview:

  • Offloads CPU-intensive SSL encryption and decryption tasks from the local web server to the NS. This allows the servers to process a greater number of requests.
  • Improves performance of sites that conduct SSL transactions
  • Ensures secure delivery of web applications
  • SSL works seamlessly with some HTTP and TCP data

Configuration:

1) Enable SSL Offloading. SSL entities can be configured before enabling SSL, but they become active only when SSL is enabled.

enable ns feature SSL

show ns feature

System > Settings > Modes and features > Change basic features > SSL Offloading > OK  > enable

2) Configure HTTP or TCP services to represent the applications on the server. Services stay disabled until NetScaler can reach the server and monitor it.

add service <name> (<IP> | <serverName>) <serviceType> <port>

show service <name>

Traffic Management > SSL Offload > Services > Add >

3) Configure the SSL vserver. The vserver intercepts encrypted traffic, decrypts it and sends it to the bound services

add lb vserver <name> SSL <IPAddress> <port>

show lb vserver

Traffic Management > SSL Offload > Virtual Servers > Add >

4) Bind the services to the SSL  vserver

bind lb vserver <name> <serviceName>

show lb vserver

Traffic Management > SSL Offload > Virtual Servers > Services  > select > OK

5) Create (if not already present) and add the SSL certificate-key pair. The certificate is used to identify the server during the SSL handshake. NS supports RSA/DSA certificates of up to 4096 bits

  • Certificate must be paired with its key for it to be used
  • Cert and key are stored in /nsconfig/ssl/
add ssl certKey <certkeyName> -cert <certFile> [-key <keyFile>]

show sslcertkey

Traffic Management > SSL > Certificates > Add >

6) Bind SSL certkey to vserver

bind ssl vserver <vServerName> -certkeyName <certkeyName>

show ssl vserver

Traffic Management > SSL Offload > Virtual Servers > select server > SSL settings >

7) Configure optional parameters

(For Outlook Web Access (OWA) servers; HTTP-based traffic only)

  • Create an action to enable SSL OWA support
add ssl action <name> -OWASupport ENABLED

show ssl action <name>

Traffic Management > SSL > Policies > Add >
  • Create a policy to apply the action
add ssl policy <name> -rule <expression> -reqAction <actionName>

show ssl policy

Traffic Management > SSL > Policies > Add >
  • Bind the policy to the SSL virtual server
bind ssl vserver <vServerName> -policyName <policyName>

show ssl vserver

Traffic Management > SSL Offload > Virtual Servers > select server >

Features

  • application switching and traffic management features
  • application acceleration features
  • application security and firewall features
  • application visibility feature.
