NetScaler Gateway to Load balanced storefront

[Paul Maintone]

Hi

 

So wondering if anyone can help with something as I cant seem to find any resources on the web!

 

Basically I have a NetScaler Gateway Virtual Server (VIP - 192.168.1.1) that currently uses a session profile that points to a single storefront server (192.168.2.1). I have built another for resilience (IP 192.168.2.2)

 

I have then created a Load balanced Virtual server (VIP - 192.168.1.2) that load balances the 2 servers.

 

What I am trying to do is point the session profile for the netscaler gateway (VIP - 192.168.1.1)

at the load balancer config (VIP - 192.168.1.2) so that the storefront servers are load balanced for the Netscaler remote access.

 

Problem is I get 'Internal Server' Error after the netscaler authentication.

 

The NetScaler Gateway VS works fine with the session profile pointing at one server and the load balanced config works fine as well, but when I try to make the 2 work together it fails.

 

Does that makes sense what I am trying to achieve? if so any ideas? I believe this used to work on earlier versions of NetScaler

 

Thanks Paul

[Paul Blitz1709158559]

What protocol is the LBVS? What protocol are you using the the session profile (http? https?). Is the certificate trusted?

[Christian Cornelsen1709152196]

It seems that the NetScaler Gateway cannot reach your LBVS?

 

1st: Check it when you enter in your Session Profile one of the "real" StoreFront's

2nd: If' its work check it with the IP from the LVBS

 

If nothing work, please check your Firewall :)

[Paul Maintone]

Hi,

 

Thanks for the responses.

 

The protocol is HTTPS as is on the server which has a trusted wildcard certificate. It works direct to the SF servers, just not to an address on the same netscaler. I am using DNS on the NS to resolve a name to an IP on the same appliance.

 

Thanks Paul 

[Paul Maintone]

So, I manage to fix it by changing the subnet that the LBVS uses.. 

 

Basically, it will only work if I put the VIP for the LBVS on the internal SNIP subnet and leave the NGVS on the external VIP subnet.

 

Thanks Paul

[Paul Blitz]

Ah, I guess if Netscaler doesn't have a (source) IP (with suitable connectivity) to the VIP for the LBVS, then it's going to have a problem.

 

By moving the VIP to the backend network - where you DO have a suitable IP (SNIP) - it can talk to itself ok.

[Jitendra Kumar]

Hi Paul,

 

How to point the session profile for the netscaler gateway VIP  at the load balancer config VIP  so that the storefront servers are load balanced for the Netscaler remote access. I am not able to find such option in session profile. Please could you help me.

[CarlStalhood]

Edit the Session Profile. On the Published Applications tab is the Web Interface address field. Change the hostname portion of the URL to the LB VIP.

[Jitendra Kumar]

Hi Carl,

 

So you mean to say change the host name of storefront to LBVS IP just before the /Citrix/Store ?

 

Like the session profile has https://storefront/Citrix/Store and I need to change it to https://LBVS VIP/Citrix/Store ?

[CarlStalhood]

Yes.

[Jitendra Kumar]

In this case do I need to change the base URL on storefront console to point to LBVS VIP or FQDN ?

[CarlStalhood]

StoreFront Base URL should point to a FQDN that resolves to a load balancing VIP. Note: changing the base url might not update your existing Workspace app clients that already added the store.

[Jitendra Kumar]

Hi Carl,

Hi ,

 

I have pointed https://storefront.testlab.test to LBVS VIP now I am getting Cannot Complete your request error, I even did not see login screen when I browse https://storefront.testlab.test . When I access internally storefront with host name I can see login screen and can login and can see resources.

[CarlStalhood]

What errors do you see in StoreFront Server > Event Viewer > Applications and Services > Citrix Delivery Services?

[Jitendra Kumar]

No error in StoreFront Server > Event Viewer > Applications and Services > Citrix Delivery Services

[CarlStalhood]

If you're seeing that error on Gateway, then your ADC can't connect to the Web Interface address specified in the Session Profile. Maybe it can't resolve a DNS name.