Citrix NetScaler StoreFront Load Balancing

In this post I will show you how to load balance two StoreFront 3.0 servers through NetScaler 11. In this demo I am using two StoreFront servers named StoreFront1 and StoreFront2.

  • StoreFront1 – IP = – Protocol = HTTPS
  • StoreFront2 – IP = – Protocol = HTTPS
  • LB vServer – VIP = – Protocol = SSL

To configure StoreFront load balancing we need the following:

  1. Two or more StoreFront servers
  2. The SSL certificate used to secure communication if StoreFront is using HTTPS. This should be installed on your NetScalers. My StoreFront servers are using HTTPS so certificates apply
  3. StoreFront server objects, service objtcts and monitors
  4. A Load Balanced vServer that users will connect to when accessing StoreFront

Enable Load Balancing by navigating to Configuration -> System -> Settings -> Configure Basic Features.


Tick the box next to Load Balancing and click OK.2-min

Time to add objects for each of your StoreFront servers that you want to load balance. Navigate to Traffic Management -> Load Balancing -> Servers -> Add.3-min

Enter your first StoreFront servers information: Name, IP Address, Create.4-min

Repeat the process for your remaining StoreFront servers.5-min

Once done two server objects that I have just created now show and are enabled.6-min

Navigate to Traffic Management -> Load Balancing -> Monitors -> Add. We need a way of monitoring the two StoreFront servers so that in the event one goes down users are not routed to that failed server. Citrix have a created StoreFront monitor built in to NetScaler which we will use. The monitor is named STOREFRONT.7-min

We will be creating a seperate monitor for each StoreFront server. Within the Standard Parameters tab, enter a name referencing your first StoreFront server. Click the type drop-down box and select STOREFRONT. Enter the Destination IP (your StoreFront servers IP) and the port StoreFront is configured to listen on. My StoreFront servers have been configured to use HTTPS/TCP 443.8-minCheck the Secure check box.58-min

On the Special Parameters tab, enter the name of your Citrix Store and check the boxes for StoreFront Account Service and Check Backend Services. Click OK.9-min

Repeat the same process for your remaining StoreFront servers.10-min

Once done, the two StoreFront monitors are created and ready to be attached to service objects.


Now we need to create those service objects. Navigate to Traffic Management -> Load Balancing -> Services -> Add. 12-min

Enter a name for your service, and attach an existing server object that you created earlier. StoreFront1 will be the first server attached to this service. Click OK.13-min

We need to add the STOREFRONT monitor to the service we are creating. Click underneath Monitors to add the monitor we created for StoreFront1.14-min

Click Add Binding.15-min

Click on Click to select beneath Select Monitor*.16-min

Select the monitor previously created and then click Select.17-min


Click on Bind.19-min

Click Close.20-min

Repeat the same steps to create a service for your remaining StoreFront servers and attach a monitor. Click OK.


Click Close.22-min

Notice both services that I created are in the down state. This is because when configuring the StoreFront monitors I asked the monitor to Check backend services. This is OK and StoreFront monitoring is built in to v3.0 by default but only via HTTP. My StoreFront servers are using HTTPS so the monitor I created earlier is trying to probe the backend services of our server through HTTP. StoreFront prior to v2.6 needed an additional add-on installed to support NetScaler -> StoreFront monitoring. 23-min

The monitoring service is accessible on each StoreFront server over port 8000 as shown below.24-min

To change this to HTTPS. We need to configure the monitor service to use HTTPS instead. On all the StoreFront 3.0 servers perform the following steps.

Run PowerShell as an administrator.


Change directory to the Scripts folder. The location may be different for you depending on your install.26-min

Execute the ImportModules.ps1 PowerShell script.27-min

After the modules have been imported, running the Get-DSServiceMonitorFeature command will confirm the current StoreFront monitor URL and that it is using HTTP.28-min

Now run the Set-DSServiceMonitorFeature -ServiceURL https://localhost:443/StoreFrontMonitor command.29-min

Enter the new HTTPS URL in your web browser to make sure you get a response from the StoreFront monitor service.30-min

Now back on the NetScaler the StoreFront1 service is now up. This is because NetScaler’s monitor can now probe the StoreFront monitoring service via HTTPS.


Both services are up.32-min

So, as a summary we have server objects created which we then attached to services. These services also have monitors bound against them. The remaning piece we need is a Load Balanced vServer. Browse to Traffic Management -> Load Balancing -> Virtual Servers -> Add.33-min

Enter a name, protocol, IP address, and port for your vServer. Click OK.34-min

Click on No Load Balancing Virtual Server Service Binding.35-min

Click Click to select.36-min

Select the two services created earlier for each StoreFront server. Click Select.37-min

Click Bind.38-min

The service members are now bound to the vServer. Click Continue.39-min

Cick on No Server Certificate. We need to bind a certificate that matches the hostname we will use for our vServer, which resolves to the VIP of the vServer.40-min

Click on Click to select.


Click on StoreFrontCertificate. Click Select. Obviously here your certificate will be called something different.42-min

Click Bind.43-min

The StoreFront certificate has now been attached to the vServer. Click Continue.44-min

Expand Method and Persistence. A load balancing method and persistence type must be defined.45-min

Under method select ROUNDROBIN. You can also choose other methods such as LEASTCONNECTION which would normally be my preferred choice however for this demo I am selecting ROUNDROBIN. I’ll be able to test the Round Robin feature later to make sure load balancing is working as expected. Click OK.46-min

Under Persistence choose SOURCEIP.47-min

Click Done.48-min

The new StoreFront vServer is up and online.49-min

Save your running configuration.50-min


Ensure you have an internal DNS A record pointing to the StoreFront Load Balanced vServer VIP. This is part of the URL that users will use to connect to StoreFront/Receiver for Web. This hostname A record must match the subject name of the certificate attached to the Load Balanced vServer.52-min

Now with DNS resolution in place enter the Receiver for Web address in to your web browser. Your connection request will be load balanced through NetScaler and Receiver for Web will display.53-min

Once authenticated you can now access your published applications and desktops.54-min

To test that the ROUNDROBIN load balancing method is working, you can enter the URL which shoud resolve to the default IIS web page by default hosted by either of your StoreFront servers. The first request sent me to StoreFront2. I edited the iis-85.png image file and wrote StoreFron2 on the image using paint and did the same over on StoreFront1. This made it easy to identify which server I was being connected to.55-min

The next request directed me to StoreFront1 as expected.56-min

Alternatively on the NetScaler you can look at the statistics of your Load Balanced vServer and services. Keeping an eye on the Service Hits, Requests, and Responses will indicate which StoreFront server is taking the hit. Here you can see the difference between service hits on StoreFront 1 to StoreFront2, which is a result of persistency. If no persistency was set against general web servers for example, the service hits would in most cases be the same.57-min


  • Anonymous

    May 20, 2016

    thank you

    • VanT

      February 23, 2017

      This is by far the most detailed Load Balancing guide! Thanks for your work mate!

  • Saaj

    October 20, 2017

    I have configured storefront load balancing as described here and all services are up (green). However, my storefront does not load balance to the other server when one of the back end servers are down. My VIP will show as down with both back end servers in a down state. I have load balancing method configured as LEASTCONNECTION. I have the correct license with LB enabled and I am able to access storefront using the VIP.

    • George Spiers

      October 20, 2017

      So you have two backend services and if one goes down it brings the entire LB vServer down? Are you using the default-tcp monitors or specific ones?

      • Saaj

        October 21, 2017

        Thanks for responding George. We are not using the TCP monitors just the storefront monitors.

        • George Spiers

          October 21, 2017

          When one service goes down, it brings the other service down too?

          • Saaj

            October 23, 2017

            Yes, the entire VIP is showing as down and users are unable to access storefront via VIP. They can however still access via direct SF IP (once I change DNS).

          • George Spiers

            October 23, 2017

            Go to System -> Licenses. Is there a green tick beside Load Balancing?
            If yes, go to System -> Settings -> Configure Basic Features. Make sure Load Balancing is checked.
            If yes, disable Service 1. Does it bring down Service 2? And vice-versa, does disabling Service 2 bring down Service 1? Also I mean disable the service at NetScaler level. Don’t actually bring the back-end server down.

          • Saaj

            October 25, 2017

            The load balancing licenses are active and the feature is enabled.

            Below are some interesting findings:
            When I disable service group member 1 on NS, the VIP is shown as PARTIAL-UP and I am able to access SF and vice-versa. When I disable one of the servers on NS, the VIP is shown as UP and I can access SF. When I take one of the back-end servers down, the VIP is shown as DOWN and I am unable to access SF. I have created a HTTP monitor as well which shows as PARTIAL-UP when the back-end server is down but the storefront monitor is coming up as fully down.


          • George Spiers

            October 25, 2017

            Do you only have one StoreFront monitor for both backend StoreFront services and if so, have you entered an IP under “Destination IP”? If so, remove it.

  • Saaj

    October 25, 2017

    If IIS is stopped on either server, the VIP is still UP. However I was unable to access SF using VIP when IIS was stopped on one of the servers. I could access with IIS off on the other server.

    I have configured individual SF monitors for each server with their IP address in destination IP and port 443. Both servers are in the same service group and both monitors are up when VIP is up.

    • George Spiers

      October 25, 2017

      You only need one monitor assigned to the Service Group. Create one single StoreFront monitor and do not include anything within Destination IP. Since the monitor is assigned to the Service Group, it knows which back-end services it should be probing. This should resolve your issue.

      • Saaj

        October 25, 2017

        In fact I had just tried doing this after I sent my previous message. I have created a single SF monitor and assigned it to the service group but the issue still remains. The service, VIP all are up but still can’t access SF using VIP when one of the servers is down. All my monitors have the secure option selected and the name of the store specified under special parameters with check back end services option selected.

        • George Spiers

          October 25, 2017

          Time to run through a process of elimination. Create a new LB vServer and bind the existing services to this and see if the new vServer also goes down when one service goes down. Also build two additional testing IIS servers, services and a new LB vServer for example and see if they experience the same issue.

        • George Spiers

          October 25, 2017

          If you have two StoreFront servers in a Server Group, you create an LB vServer, Service Group and single StoreFront monitor attached to the Service Group. You do not experience this behaviour, it is not normal without extra configurations. I suggest you review your complete setup and possibly start again from scratch.


Leave a Reply