Citrix Web Interface WI load balance

Adam Wu
I know how to do WI load balancing on our internal WI web server using WIN2k3 NLB. However, I would like to know how to implement load balancing on an external WI.

We have a WI 2.0 web server with SSL installed residing in the DMZ. CSG also resides in the DMZ, with two ticketing servers residing internally in our network. How do I load balance the WI, and what are the ways to do it? TIA for any help.


Adam Wu
I’m a little confused and hope you can explain a little further. Sorry for my ignorance, but I’ve never done this before. So let's say my current external IP is 12.xxx.xxx.21 with SSL installed; I would install a second external WI with IP 12.xxx.xxx.22, import the same SSL cert, and assign a virtual IP to both WIs?

My users connect to the WI by typing https://webserver.domain.org. How does it get routed to the appropriate WI?

TIA


Adam Wu
Thanks for your help. It’s much clearer now. I just spoke to my infrastructure and network admin; he strongly opposes using NLB over load-balancing switches. I would use load-balancing switches too if we had the money.

Matthew Kramer
Hi,
I guess this is a common problem that people come across. I too am eager to have my WI servers balanced with MS NLB. My servers are 2003 with dual NICs. I have reviewed the information on creating an NLB cluster and was able to pair my machines fairly quickly with the built-in NLB manager. My config is as follows:
Both servers have the WI and Secure Gateway installed. The certs are the same. Both are running IIS.

Web1- NIC1: 192.168.1.2 NIC2: 192.168.12
Web2- NIC1: 192.168.1.3 NIC2: 192.168.13
Virtual IP: 192.168.1.250
Cluster type: Unicast
Port Rules:
all cluster IP
80- Load: equal Affinity: None
443- Load: 100% Affinity: Single

NIC2 on both machines are my cluster NICs or, as MS calls them, dedicated IP adapters.

Both servers have the same cert installed and work fine as individual WI servers communicating on the NIC1 IPs. I tested this by linking our public IP to NIC1 separately on each server.

The problem I have is when I route the public IP to the virtual IP 192.168.1.250. The web servers work great, but when I go to launch the apps, SSL is not happy. It seems SSL is not getting routed to the right place or is not communicating correctly. For kicks, I routed the SSL port to one of the servers' NIC1 (192.168.1.3), for example, and then SSL worked, so I know SSL is just not getting to the right place somehow with NLB.

One thing to note is that the router we are currently on does not have the web servers in the DMZ. There is port forwarding going on from the public IP to the virtual NLB IP. Not sure if this is critical. Also, the NLB cluster is running in unicast mode, which I'm not sure is best, but it is recommended for dual-NIC setups.

If anyone has any insight on what might be my prob, I would much appreciate the input.
