LDAP Load Balancing with Citrix NetScaler

Using NetScaler you can load balance LDAP or LDAPS traffic. In this guide I am using LDAP; the majority of the steps for LDAPS are similar.

NetScaler Gateway direct authentication to StoreFront instead of using LDAP policies – http://www.jgspiers.com/netscaler-gateway-authentication-direct-storefront/

For LDAPS you need to make a modification to the nsldap.pl monitor and ensure certificates exist on your LDAP servers.

The lab setup for this guide consists of:

  1. Two Active Directory servers: DC.citrixpro.co.uk (192.168.0.101) and DC2.citrixpro.co.uk (192.168.0.108)
  2. LDAP port = TCP 389
  3. A NetScaler Gateway with an LDAP Profile attached, which will be pointed at the new load balanced VIP once it is created

Enable Load Balancing by navigating to System -> Settings -> Configure Basic Features.

Check the box next to Load Balancing and click OK.

Servers need to be created for each LDAP server partaking in load balancing. Navigate to Traffic Management -> Load Balancing -> Servers -> Add.

Configure the first server with a name and the IP address of your first LDAP server, then click OK.

Repeat the process for any remaining LDAP servers.

Both LDAP servers have been created and are shown as enabled.

Next, create a Service Group. Navigate to Traffic Management -> Load Balancing -> Service Groups -> Add.

Give the Service Group a name, specify TCP as the protocol and click OK.

Click on No Service Group Member to add Service Group members.

Check the radio box for Server Based and then click on Click to select.

Select the recently created LDAP servers and click on Select.

Specify the port as 389 and click Create.

Click on OK.

We need to add the LDAP monitor to the Service Group. The LDAP monitor is one built by Citrix and binds to port 389 to ensure LDAP is functioning. Click on the Monitors box to the right.

Click on No Service Group to Monitor Binding to add a monitor.

Click on Click to select.

Click on Add.

Specify an appropriate name and under Type select LDAP. Enter a destination port of 389.

Click on the Special Parameters tab and under Script Name select nsldap.pl. Under Base DN enter your domain name in LDAP format. Under Bind DN and Password enter the details of the account you want the monitor to use when binding to LDAP. This should be a service account with only user privileges, and its password should not expire. Click OK. The Dispatcher Port and Dispatcher IP fields are filled in automatically after clicking OK, so do not be concerned if they are blank.

Select the LDAP monitor you created.

Click Select.

Click Bind.

Click Close.

The Service Group now has a monitor attached. Click Done.

Go back to Traffic Management -> Load Balancing -> Service Groups and click on the newly created Service Group, then click Actions.

Click Manage Members.

Both LDAP members appear and the Service Status is Up. The monitor is successfully able to bind to LDAP over TCP 389.

Navigate to Traffic Management -> Load Balancing -> Virtual Servers -> Add.

Specify a Name, set the Protocol as TCP, specify an IP address (VIP) and then specify the Port as 389. Click OK.

Click No Load Balancing Virtual Server ServiceGroup Binding.

Click Click to select.

Click the Service Group we created earlier and click Select.

Click Bind.

The Service Group has been attached to the vServer. Click Continue.

Click on the Method box to the right of your screen.

Under Load Balancing Method select ROUNDROBIN and click OK.

Click Done.

The new Load Balanced Virtual Server is created and in the Up state.

Now that we have a load balanced LDAP vServer, we can use it to authenticate users against, for example from NetScaler Gateway. I have a NetScaler Gateway vServer created in Basic Mode for ICA Proxy, with an LDAP policy attached; however, that LDAP policy currently points to a single Domain Controller. I can now point the policy at the new Load Balanced VIP instead.

Navigate to NetScaler Gateway -> Policies -> LDAP.

Click on the Servers tab. Click on the available LDAP server and click Edit, or add a new one if you need to.

Under IP Address specify the new Load Balanced LDAP vServer VIP. Click OK.

Save your running configuration.
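The same build can be done from the NetScaler CLI instead of the GUI. The commands below are an added example and are not from the original post. The object names (DC, DC2, LDAP_SG, LDAP_MON, LDAP_VIP, LDAP_ACT), the base DN and bind DN derived from the lab domain citrixpro.co.uk, and the VIP address 192.168.0.227 (taken from the trace later in this post) are assumptions; substitute your own values.

```nscli
# Servers (Traffic Management -> Load Balancing -> Servers)
add server DC 192.168.0.101
add server DC2 192.168.0.108

# TCP service group with both domain controllers as members on port 389
add serviceGroup LDAP_SG TCP
bind serviceGroup LDAP_SG DC 389
bind serviceGroup LDAP_SG DC2 389

# LDAP monitor using the built-in nsldap.pl script (Special Parameters tab in the GUI).
# The dispatcher is the local script runner that the GUI fills in for you.
# Base DN and bind DN are assumed lab values; the bind account should be a dedicated
# service account with ordinary user rights and a non-expiring password.
add lb monitor LDAP_MON LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -baseDN "dc=citrixpro,dc=co,dc=uk" -bindDN "cn=svc-ldapmon,cn=Users,dc=citrixpro,dc=co,dc=uk" -password <monitor-account-password> -destPort 389
bind serviceGroup LDAP_SG -monitorName LDAP_MON

# Load balancing virtual server on the VIP (assumed 192.168.0.227) using ROUNDROBIN
add lb vserver LDAP_VIP TCP 192.168.0.227 389 -lbMethod ROUNDROBIN
bind lb vserver LDAP_VIP LDAP_SG

# Point the existing Gateway LDAP server entry (NetScaler Gateway -> Policies -> LDAP -> Servers)
# at the VIP instead of a single domain controller. LDAP_ACT is an assumed action name.
set authentication ldapAction LDAP_ACT -serverIP 192.168.0.227 -serverPort 389

# Confirm the members and the vServer report UP before relying on the VIP, then persist
show serviceGroup LDAP_SG
show lb vserver LDAP_VIP
save ns config
```

Two caveats worth keeping in mind when checking this configuration: the `show serviceGroup` output is the quickest way to confirm that the monitor bind succeeded against each member, and plain LDAP on TCP 389 carries the simple bind credentials of both the monitor account and the users authenticating through the Gateway in cleartext on the wire, which is why the LDAPS variant (port 636, with a TLS-enabled monitor and LDAP action) is the one to prefer where certificates are available on the domain controllers.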

For the first test, using a web browser, I have gone to the NetScaler Gateway address of https://netscaler.citrixpro.co.uk and logged on using the administrator account.

Using Wireshark and an nstrace on the NetScaler, during authentication you can see traffic flowing between the LDAP server DC (192.168.0.101), the SNIP (192.168.0.250), the VIP (192.168.0.227) and the NetScaler NSIP (192.168.0.211). If you look closely, all communication to LDAP is via the SNIP. If you do not have LDAP load balanced, the NSIP is used to communicate with the single LDAP server.

For the second test I have authenticated with a different user account.

Again Wireshark captures the authentication traffic for the different account. Notice the 192.168.0.108 address involved in the authentication process. This is the DC2 LDAP server, which proves the ROUNDROBIN load balancing method is working.

