How to Configure GSLB Setup with HTTP and SSL Access on NetScaler
A common requirement in a GSLB setup is both HTTP and SSL access to the same set of servers. However, some of the configuration requirements are not obvious and can cause problems. This guide shows how to set up active-active GSLB with both HTTP and SSL access.
GSLB Active-Active Setup
Here are the steps to set up a GSLB site in active-active mode:
- Create load balancing virtual servers for HTTP and SSL network traffic.
- Create and bind appropriate services to both the load balancing virtual servers.
- Create the GSLB virtual server for HTTP network traffic on each site. Note: Do not create a GSLB SSL virtual server.
- Create both HTTP and SSL GSLB services, and bind the HTTP service to the GSLB HTTP virtual server. Note: The GSLB SSL services are not bound to the GSLB virtual server, but are necessary for site persistence.
- Bind both HTTP and SSL monitors to each GSLB service.
- Select the GSLB load balancing method based on proximity.
Note: For a balanced load distribution, it is best to specify a load balancing method based on proximity. With a method based on statistics, such as least connection, the service is selected using the statistics of only the service type that is bound to the GSLB virtual server. The statistics of the other service type, which is not bound to the GSLB virtual server, are not considered, and this could result in a load distribution that is not balanced. Therefore, it is recommended to select a GSLB load balancing method based on proximity.
- To maintain persistence to the same site and to the same server on that site, define persistence for both the GSLB and load balancing virtual servers. Configure Connection Proxy/HTTP Redirect as the persistence type at the GSLB service level to ensure that requests from one session are sent to the same GSLB site.
Note: Experience in the field has shown that Source IP persistence at the GSLB virtual server could lead to a load distribution that is not balanced if most of the client requests are coming from a proxy. Connection Proxy/HTTP Redirect is the recommended persistence option in such scenarios.
After the client requests are sent to a particular site, then the persistence can be maintained to the same server regardless of the access port (HTTP/SSL) by using persistence groups at the load balancing virtual server.
Configuring Site A
Follow these steps to configure Site A:
- Run the following command to enable the GSLB and load balancing features on the appliance:
enable ns feature LB GSLB
- Add the Authoritative DNS (ADNS) service. The ADNS service can be configured with any NetScaler-owned IP address (MIP/SNIP). After the ADNS service is configured, the NetScaler appliance is authoritative for that domain and responds to DNS queries. Run the following command to add the ADNS service:
add service adns_svc 192.168.251.205 adns 53
- Run the following commands to add the local and remote GSLB sites:
add gslb site sitea LOCAL 192.168.251.201 -publicIP 192.168.251.201
add gslb site siteb REMOTE 192.168.253.201 -publicIP 192.168.253.201
Note: A GSLB site hosted on a NetScaler appliance is local to that appliance and remote to a different NetScaler appliance.
- Run the following command to add the GSLB virtual server with the required load balancing method and service type for the kind of network traffic:
add gslb vserver gvserver-http http -lbmethod RTT
- Run the following commands to add HTTP and SSL load balancing virtual servers and bind the services to them:
add service servera-http 192.168.152.10 HTTP 80
add lb vserver vservera-http HTTP 192.168.251.202 80
bind lb vserver vservera-http servera-http
add service servera-ssl 192.168.152.10 SSL 443
add lb vserver vservera-ssl SSL 192.168.251.202 443
bind lb vserver vservera-ssl servera-ssl
- Run the following commands to add HTTP and SSL GSLB services for the local site A:
add gslb service gslbsvca-http 192.168.251.202 HTTP 80 -siteName sitea
add gslb service gslbsvca-ssl 192.168.251.202 SSL 443 -siteName sitea
Note: The local GSLB service should have the same IP address as the load balancing virtual server added in Step 5 of this procedure.
- Run the following commands to add HTTP and SSL GSLB services for the remote site B:
add gslb service gslbsvcb-http 192.168.253.202 HTTP 80 -publicIP 192.168.253.202 -publicPort 80 -siteName siteb
add gslb service gslbsvcb-ssl 192.168.253.202 SSL 443 -publicIP 192.168.253.202 -publicPort 443 -siteName siteb
- Run the following commands to bind the local and remote HTTP GSLB services to the GSLB HTTP virtual server:
bind gslb vserver gvserver-http -serviceName gslbsvcb-http
bind gslb vserver gvserver-http -serviceName gslbsvca-http
Note: Do not bind the SSL GSLB services.
- Run the following command to bind the GSLB virtual server to a domain:
bind gslb vserver gvserver-http -domainName www.whateverdomain.com
- Run the following commands to bind both HTTP and SSL monitors to the local and remote GSLB services. This ensures that if one service type is marked DOWN, the other service type for the same server is also marked DOWN, so that HTTP and SSL requests are sent to the same service:
bind lb monitor https gslbsvca-http
bind lb monitor http gslbsvca-http
bind lb monitor http gslbsvca-ssl
bind lb monitor https gslbsvca-ssl
bind lb monitor https gslbsvcb-http
bind lb monitor http gslbsvcb-http
bind lb monitor http gslbsvcb-ssl
bind lb monitor https gslbsvcb-ssl
- Run the following commands to configure Connection Proxy/HTTP Redirect persistence on the GSLB services:
set gslb service gslbsvca-http -sitePersistence ConnectionProxy
set gslb service gslbsvcb-http -sitePersistence ConnectionProxy
set gslb service gslbsvca-ssl -sitePersistence ConnectionProxy
set gslb service gslbsvcb-ssl -sitePersistence ConnectionProxy
Note: This ensures that the client requests are sent to the same site.
- After the requests are sent to a GSLB site, persistence can be maintained to the same server regardless of the HTTP or SSL access port by binding the persistence groups to the load balancing virtual servers. Run the following commands to bind the persistence group to the load balancing virtual servers:
bind lb group company vservera-http
bind lb group company vservera-ssl
Configuring Site B
Note: Site B has the same GSLB configuration as Site A; the only difference is in the load balancing configuration.
Follow these steps to configure Site B:
- Run the following command to enable the GSLB and load balancing features on the appliance:
enable ns feature LB GSLB
- Run the following command to add the ADNS service:
add service adns_svc 192.168.251.205 adns 53
- Run the following commands to add the remote and local GSLB sites:
add gslb site sitea REMOTE 192.168.251.201 -publicIP 192.168.251.201
add gslb site siteb LOCAL 192.168.253.201 -publicIP 192.168.253.201
- Run the following command to add the GSLB virtual server with a load balancing method that is based on proximity rather than on statistics:
add gslb vserver gvserver-http http -lbmethod RTT
- Run the following commands to add the HTTP and SSL load balancing virtual servers at site B and bind the services to them:
add service serverb-http 192.168.152.11 HTTP 80
add lb vserver vserverb-http HTTP 192.168.253.202 80
bind lb vserver vserverb-http serverb-http
add service serverb-ssl 192.168.152.11 SSL 443
add lb vserver vserverb-ssl SSL 192.168.253.202 443
bind lb vserver vserverb-ssl serverb-ssl
- Run the following commands to add HTTP and SSL GSLB services for the local site B:
add gslb service gslbsvcb-http 192.168.253.202 HTTP 80 -siteName siteb
add gslb service gslbsvcb-ssl 192.168.253.202 SSL 443 -siteName siteb
Note: The local GSLB service should have the same IP address as the load balancing virtual servers added in Step 5 of this procedure.
- Run the following commands to add HTTP and SSL GSLB services for the remote site A:
add gslb service gslbsvca-http 192.168.251.202 HTTP 80 -publicIP 192.168.251.202 -publicPort 80 -siteName sitea
add gslb service gslbsvca-ssl 192.168.251.202 SSL 443 -publicIP 192.168.251.202 -publicPort 443 -siteName sitea
- Run the following commands to bind the local and remote HTTP GSLB services to the GSLB HTTP virtual server:
bind gslb vserver gvserver-http -serviceName gslbsvcb-http
bind gslb vserver gvserver-http -serviceName gslbsvca-http
Note: Do not bind the SSL GSLB services.
- Run the following command to bind the GSLB virtual server to a domain:
bind gslb vserver gvserver-http -domainName www.whateverdomain.com
- Run the following commands to bind HTTP and SSL monitors to the local and remote GSLB services. This ensures that if one service type is marked DOWN, the other service type for the same server is also marked DOWN, so that HTTP and SSL requests are sent to the same service:
bind lb monitor https gslbsvca-http
bind lb monitor http gslbsvca-http
bind lb monitor http gslbsvca-ssl
bind lb monitor https gslbsvca-ssl
bind lb monitor https gslbsvcb-http
bind lb monitor http gslbsvcb-http
bind lb monitor http gslbsvcb-ssl
bind lb monitor https gslbsvcb-ssl
- Run the following commands to configure Connection Proxy/HTTP Redirect persistence on the GSLB services:
set gslb service gslbsvca-http -sitePersistence ConnectionProxy
set gslb service gslbsvcb-http -sitePersistence ConnectionProxy
set gslb service gslbsvca-ssl -sitePersistence ConnectionProxy
set gslb service gslbsvcb-ssl -sitePersistence ConnectionProxy
Note: This ensures that the client requests are sent to the same site.
- After the requests are sent to a GSLB site, persistence can be maintained to the same server regardless of the HTTP or SSL access port by binding the persistence groups to the load balancing virtual servers. Run the following commands to bind the persistence group to the load balancing virtual servers:
bind lb group company vserverb-http
bind lb group company vserverb-ssl
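
The rules this procedure depends on (no GSLB SSL virtual server, SSL GSLB services left unbound, HTTP and SSL monitors on every GSLB service, site persistence on every GSLB service, a proximity-based method) can be checked against a saved command list before it is applied. The following Python check is an added example, not part of the original article or a Citrix tool; `opt`, `audit_gslb` and the `DRIFTED` sample are names constructed here, and it assumes only the command forms shown on this page.

```python
import re

PROXIMITY = {"RTT", "STATICPROXIMITY"}  # proximity-based lbMethod values; the page uses RTT

def opt(line, name):  # value of a "-name value" option on a CLI line, or None
    m = re.search(rf"-{name}\s+(\S+)", line, re.I)
    return m.group(1) if m else None

def audit_gslb(config):
    """Return findings where a command list departs from the rules on this page."""
    types, persist, monitors, bound, findings = {}, {}, {}, set(), []
    for line in config.splitlines():
        t = line.split()
        head = " ".join(t[:3]).lower()
        if head == "add gslb vserver" and len(t) >= 5:
            if t[4].upper() == "SSL":
                findings.append(f"{t[3]}: GSLB SSL virtual server should not exist")
            if (opt(line, "lbmethod") or "").upper() not in PROXIMITY:
                findings.append(f"{t[3]}: load balancing method is not proximity based")
        elif head == "add gslb service" and len(t) >= 6:
            types[t[3]] = t[5].upper()  # service name -> HTTP or SSL
        elif head == "set gslb service" and len(t) >= 4:
            persist[t[3]] = opt(line, "sitePersistence") or persist.get(t[3])
        elif head == "bind gslb vserver":
            bound.add(opt(line, "serviceName"))  # None for -domainName lines
        elif head == "bind lb monitor" and len(t) >= 5:
            monitors.setdefault(t[4], set()).add(t[3].lower())
    for name, kind in sorted(types.items()):
        if kind == "SSL" and name in bound:
            findings.append(f"{name}: SSL GSLB service is bound to a GSLB virtual server")
        for mon in sorted({"http", "https"} - monitors.get(name, set())):
            findings.append(f"{name}: monitor {mon} is not bound")
        if (persist.get(name) or "NONE").upper() == "NONE":
            findings.append(f"{name}: no site persistence configured")
    return findings

# Constructed sample: Site A commands from this page with four deliberate deviations.
DRIFTED = """\
add gslb vserver gvserver-http http -lbmethod LEASTCONNECTION
add gslb service gslbsvca-http 192.168.251.202 HTTP 80 -siteName sitea
add gslb service gslbsvca-ssl 192.168.251.202 SSL 443 -siteName sitea
bind gslb vserver gvserver-http -serviceName gslbsvca-ssl
bind lb monitor https gslbsvca-http
bind lb monitor http gslbsvca-http
bind lb monitor https gslbsvca-ssl
set gslb service gslbsvca-http -sitePersistence ConnectionProxy
"""
if __name__ == "__main__":
    print("\n".join(audit_gslb(DRIFTED)))
```

Run it against the command list for each site separately; an empty result means none of the five rules is violated in the commands it recognises.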