Citrix NetScaler can be used to load balance various kinds of network traffic between servers, including HTTP and HTTPS. This article goes through the steps of configuring load balancing and SSL Offloading, which helps reduce the load on the server.
Open a web browser and log on to the NetScaler web management console.
Expand System > Settings and click Configure Modes.
Deselect Layer 3 Mode (IP Forwarding) to prevent the NetScaler from being used as a router and click OK.
Click Configure Basic Features.
Select SSL Offloading and Load Balancing and click OK. Features that you wish to use must be enabled before they work.
Expand Traffic Management > SSL and click Import PKCS#12 to import an existing PFX SSL certificate file.
Enter the certificate file name followed by the PEM file extension in Output File Name and click Choose File to browse for the PFX file.
Select the file and click Open.
Enter the password used to encrypt the PFX file in Import Password. Select DES or 3DES in Encoding Format and enter the same password or a new one into PEM Passphrase and Confirm PEM Passphrase to encrypt the PEM file.
Expand SSL > Certificates > Server Certificates and click Install to add the newly imported SSL certificate into the NetScaler configuration, so it can be used.
Enter the certificate name in Certificate-Key Pair Name and click Choose File.
Select the PEM file imported earlier and click Open.
Enter the Password used to encrypt the PEM file and click Install.
If you have an HA pair configured, a warning message sometimes shows up at this point because the command initially fails to execute on the secondary appliance. The chances are that the appliances will synchronize successfully anyway. You can check the secondary appliance's configuration to make sure the configuration change shows up. Click OK.
The SSL certificate should now appear in the list.
Import the root or intermediate Certificate Authority SSL certificate onto the NetScaler by going to CA Certificates and clicking Install.
Enter Certificate-Key Pair Name, click on the down arrow for Choose File and click Local.
Select the SSL certificate file and click Open.
The SSL certificate should show up in the list.
Go back to Server Certificates, select the SSL certificate imported earlier and click Link from the Action drop-down box. To make sure that the SSL certificate is fully trusted by the client machine, it's a good idea to link the SSL certificate with the root or intermediate CA certificate that signed it.
The NetScaler should automatically find the Certificate Authority used to sign the SSL certificate. Click OK.
Expand Traffic Management > Load Balancing > Servers to add the servers that will be load balanced by NetScaler and click Add.
Enter the server name in Name, its address in IP Address and click Create.
Enter Name and IP Address and click Create.
Both servers should be listed.
NetScaler tells whether a server is up and running using monitors, which define what network probes to send to the server. You can use existing monitors or create new ones. Select Monitors and click Add.
Enter Name and select the type of monitor to create in Type.
In this case we want the CITRIX-XD-DDC type, which creates a monitor specifically for the XenDesktop XML broker service.
Scroll to the bottom of the page.
Select Secure if the traffic is secured using SSL/TLS, otherwise leave it deselected, and scroll back up to the top.
Click on Special Parameters, select Validate Credentials and enter the Active Directory user credentials that NetScaler can use to simulate a logon request to make sure the XenDesktop Delivery Controller is responding. Click Create.
The new monitor should show up in the list at the top.
Select Service Groups and click Add. Service Groups specify which servers are going to be load balanced and associate the monitor that is used to probe those servers to make sure they are available.
Enter Name and select Protocol from the list.
Scroll down and click OK.
Click No Service Group Member.
Select Server Based and click the greater-than sign icon for Select Server.
Select all the servers that will be load balanced and click Select.
Enter the Port that the servers listen on.
Click + Monitors.
Click No Service Group to Monitor Binding.
Click on the greater than sign for Select Monitor.
Find the monitor created earlier from the list and select it.
Scroll back up to the top and click Select.
The service group should now appear in the list with a State of ENABLED and an Effective State of UP.
Select Virtual Servers and click Add.
Enter Name, select Protocol, enter IP Address and Port and click OK.
The virtual server should be created.
Click No Load Balancing Virtual Server Service Group Binding.
Click the greater than sign for Select Service Group Name.
Select the service group created earlier from the list and click Select.
Click No Server Certificate. This option is only available if SSL was selected for the virtual server Protocol.
Click on the greater than sign for Select Server Certificate.
Select the SSL certificate from the list and click Select.
Optionally you can edit the SSL Parameters to remove SSLv3 for better security. Click on the pen icon.
Deselect SSLv3 and click OK.
Click on the disk icon to save the configuration.
That's it. You now have a virtual server that load balances SSL traffic between two servers and offloads the SSL/TLS encryption. Both servers are monitored, so if one stops working all traffic is redirected to the remaining one.
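A check for the settings this walkthrough changes, as an added example that is not part of the original article: it reads a saved configuration and flags Layer 3 mode left enabled, SSL virtual servers with no certificate bound or without SSLv3 explicitly disabled, and virtual servers with nothing bound to them. It assumes the saved configuration stores these settings as CLI command lines in the form shown in the constructed sample; every name and address in that sample is made up.

```python
import shlex

# Constructed sample in the style of a saved NetScaler configuration (not from the article).
SAMPLE_CONFIG = """\
enable ns feature LB SSL
enable ns mode FR L3 Edge USNIP PMTUD
add lb vserver vs_ddc_ok SSL 192.0.2.10 443
add lb vserver vs_ddc_weak SSL 192.0.2.11 443
add lb vserver vs_web HTTP 192.0.2.12 80
bind lb vserver vs_ddc_ok sg_ddc
bind lb vserver vs_ddc_weak sg_ddc
bind lb vserver vs_web sg_web
bind ssl vserver vs_ddc_ok -certkeyName wildcard_cert
set ssl vserver vs_ddc_ok -ssl3 DISABLED
set ssl vserver vs_ddc_weak -ssl3 ENABLED
"""

def audit(config_text):
    """Return sorted findings. Assumes 'add' lines precede 'bind'/'set' lines."""
    findings, vservers = set(), {}
    for line in config_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4:
            continue
        head, name = [t.lower() for t in tok[:3]], tok[3]
        if head == ["enable", "ns", "mode"] and "L3" in (t.upper() for t in tok[3:]):
            findings.add("global: Layer 3 mode (IP forwarding) is enabled")
        elif head == ["add", "lb", "vserver"] and len(tok) > 4:
            vservers[name] = {"proto": tok[4].upper(), "cert": False,
                              "ssl3_off": False, "bound": False}
        elif head == ["bind", "lb", "vserver"] and name in vservers and len(tok) > 4:
            # A bare second argument is a service or service group, not a policy option.
            vservers[name]["bound"] |= not tok[4].startswith("-")
        elif head == ["bind", "ssl", "vserver"] and name in vservers:
            vservers[name]["cert"] |= "-certkeyname" in (t.lower() for t in tok)
        elif head == ["set", "ssl", "vserver"] and name in vservers:
            opts = [t.lower() for t in tok[4:]]
            if "-ssl3" in opts[:-1]:
                vservers[name]["ssl3_off"] = opts[opts.index("-ssl3") + 1] == "disabled"
    for name, v in vservers.items():
        if not v["bound"]:
            findings.add(f"{name}: no service or service group bound")
        if v["proto"] == "SSL":
            if not v["cert"]:
                findings.add(f"{name}: no server certificate bound")
            if not v["ssl3_off"]:
                findings.add(f"{name}: SSLv3 not explicitly disabled")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

A virtual server with no `-ssl3` line at all is reported as "not explicitly disabled" because the effective value then depends on the appliance default, which the file alone does not show.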