Load Balancing Citrix Delivery Controllers with NetScaler

To Load Balance via NetScaler you need a Standard ADC license at minimum. This post will show how to load balance the Delivery Controllers and ensure their services are health monitored by using NetScaler built-in monitoring. The Delivery Controllers will use HTTPS for communication.

If you have not already enabled Load Balancing, right-click Load Balancing within NetScaler and choose Enable.

First create server objects for each of your Delivery Controllers. Navigate to Traffic Management -> Load Balancing -> Servers -> Add.

Enter a name and the IP of your Delivery Controller. Click Create. Do the same for your remaining Delivery Controllers. Now each server object will go in to a Service Group. Navigate to Traffic Management -> Load Balancing -> Service Groups -> Add. Specify a name and choose SSL as the protocol. You can configure HTTP/80 but I like to secure the XML broker communication and it is recommended for security. Click OK. Click on No Service Group Member to bind a members to this Service Group. Click Click to select. Select your Delivery Controller server objects, click Select. Now enter 443 as the port. Click Create. Click OK. Expand Monitors. Click on No Service Group to Monitor Binding. Click on the + symbol. Enter a name and under Type choose CITRIX-XD-DDC. Towards the bottom of the Standard Parameters tab check Secure. Click on the Special Parameters tab. Here you can validate credentials against your Delivery Controllers. This is just an added monitoring capability to ensure the Delivery Controllers are online even if the standard monitor probe is successful. Click Create. Click Done. The new Service Group shows as UP. A load balanced certificate needs to be installed on your Delivery Controllers and additional work binding that SSL certificate and the Citrix Broker Service together needs performed. If the Delivery Controllers have IIS then you use that to do your certificate to HTTPS bindings however most Delivery Controller installs are on a dedicated machine and does not run IIS. See https://jgspiers.com/securing-ddc-xml-broker-communication-over-https/ Now we create the Load Balanced vServer. Navigate to Traffic Management -> Load Balancing -> Virtual Servers -> Add. Specify a name, set the protocol as SSL and enter an IP. Click OK. Click No Load Balancing Virtual Server ServiceGroup Binding to bind the Service Group to this Virtual Server. Click on Click to select. Select the Service Group. Click Select Click Bind. Click Continue. Click No Server Certificate. Click on Click to select. Select the Load Balanced certificate that is also installed on the Delivery Controllers. In my case, it matches the URL of ddclb.jgspiers.com. Click Select. Click Bind. Expand Method. Choose ROUNDROBIN and click OK. Click Done. The Virtual Server reports UP and is ready to be used. Within StoreFront make sure you specify the Load Balanced FQDN against your stores.


34 Comments

  • Bilal Aslam

    January 19, 2017

    To best of my understanding this statement is not correct. “To Load Balance via NetScaler you need an Enterprise ADC license at minimum”

    Reply
    • George Spiers

      January 19, 2017

      You are right – that is just a mistake on my end. You need Standard or higher.

      Reply
      • SaaJ

        October 13, 2017

        I am guessing we could use a Netscaler VPX Express to achieve this. Any disadvantages in doing this? Would the 5mbs limit be a blocker?

        Thanks.

        Reply
        • George Spiers

          October 13, 2017

          Yes VPX Express can do that and 5Mbps will only become a blocker if DDC Load Balancing tries to comsume more than that 🙂 I’m not sure how much bandwidth brokering consumes, but would bet it is very minimal.

          Reply
          • Dayo

            October 1, 2018

            I have a 10MB Citrix ADC Platinum, is this sufficient enough servicing 80 users?

          • George Spiers

            October 8, 2018

            I would say yes. Typically light connections can consume around 50Kbps. You should deploy a trial, run a small PoC, and deploy NMAS to capture some metrics before purchasing any license.

    • Joshua Corder

      April 9, 2020

      George, great articles.
      Question
      Is it possible to use netscalers without storefront servers?
      In other words
      Are there features built into netscalers where the netscaler presents it’s own “web url” that points directly to the delivery controllers?
      I ask because I want to turn off the storefront HDX optimal routing and have the netscalers handle the proximity redirection.
      Using AAA groups
      Then I want to have AAA group for one domain that points to one farm
      Then another AAA group for another domain that points to it’s own farm
      With GSLB active/active onto using proximity method

      Reply
      • Joshua Corder

        April 9, 2020

        Or
        Maybe have a storefront load balancer with all 4 storefronts
        2 from one datacenter
        And 2 from the other datacenter
        And then on the gateway vip have all 4 delivery controllers
        And the session policy point to the storefront load balancer vip

        Reply
        • George Spiers

          July 11, 2020

          That is not uncommon, especially when datacentres are close.

          Reply
      • George Spiers

        July 11, 2020

        There used to be Web Interface functionality but nothing new.

        Reply
  • Martin Meier

    March 14, 2017

    Can this LB vServer also be used as STA on NetScaler Gateway and on StoreFront Remote Access configuration?

    Reply
    • George Spiers

      March 14, 2017

      Nope you can’t use load balanced names for STA. You’ll have to use the FQDN of one or more DDCs.

      Reply
  • Joeke van der Velde

    May 15, 2017

    Maybe a bit of a newbie question, but i’m wondering:

    What are the user rights the “service_ddc” account needs under special parameters?
    Are they only Citrix rights within Citrix Studio? Or maybe a few AD rights?

    I can’t find it anywhere, so it looks like i’m the only one who doesn’t know.. :-p

    Reply
    • George Spiers

      May 15, 2017

      Hi Joeke
      It is just a standard domain user account you need.

      Reply
      • Joeke van der Velde

        May 15, 2017

        Thx George!

        Reply
  • berks

    October 17, 2017

    Hi JG, just want to thank you, your articles are always fantastic and always appreciate the effort you put in.

    Reply
    • George Spiers

      October 17, 2017

      Thank you Berks! It’s always nice to receive some positive feedback on how I am helping out and I am glad you are making good use of the content.

      Reply
  • Engin

    March 15, 2018

    Hi,
    Wondering what you use for STA address when configuring Storefront when you get a common cert for delivery controller LB VIP address and use it on delivery controllers.
    That is, ddclb.domain.com is showing LB VIP IP and it’s used in Storefront delivery controllers page with port 443. But when you add a Netscaler, STA addresses are: https://ddc01.domain.com/scripts/ctxsta.dll, etc..
    Thanks,

    Reply
    • George Spiers

      March 16, 2018

      You can use port 80 for STA communication which is what I do.
      Alternatively another server outside of the DDC Load Balancing group can serve as the STA server over port 443, or you could possibly use a SAN certificate on DDCs.

      Reply
  • Daniel Alcocer

    August 7, 2018

    a question, I have my VIP with which I made the LB of the delivery, this vip must answer by name? that is to say I must assign an alias to the VIP, for example my ip is 192.168.10.25 (VIP) this must have a name. example

    192.168.10.25 = dclb.domain.com

    Reply
    • George Spiers

      August 8, 2018

      Using DNS names is always best practice.

      Reply
  • Richard

    December 12, 2018

    In the past when you load balanced XML the persistence was NONE for DDC is it now Source IP

    Reply
    • George Spiers

      December 12, 2018

      Actually there is no need for persistence. I must have copied that config from another load balancing article. I’ve removed it!

      Reply
  • Anonymous

    May 15, 2019

    Hi George

    I followed your guide but the storefront keep generating Event ID 4003 and temproalry removign my servers from the active servers but it is online and monitoring are green for both DDC

    None of the Citrix XML Services configured for farm MyFarm are in the list of active services, so none were contacted.
    The Citrix XML Service or the Citrix servers may be unavailable or temporarily overloaded: 503 Service Unavailable. This message was reported from the XML Service at address http://ddc2.mydomain.local/scripts/ctxsta.dll [CtxSTAProtocol.TRequestTicket]. The specified Secure Ticket Authority could not be contacted and has been temporarily removed from the list of active services.

    Can you advise on how to overcome this issue?

    Reply
    • George Spiers

      May 16, 2019

      Your Store is pointing at the load balanced address and not individual Delivery Controllers?

      Reply
  • Anonymous

    March 17, 2020

    Hi i’ve follow your steps however when i access the storefront through my Virtual Gateway i don’t see any apps. then i read that you cannot put Load Balance VIP at STA on Virtual Gateway, my question is if you put DDC FQDN how do we know the DDC is load balanced?

    Reply
    • George Spiers

      May 19, 2020

      Can your StoreFront servers access the DDC VIP? For STA, you can point at single FQDNs.

      Reply
  • Syed

    April 21, 2020

    Hi George, great article and thanks for your efforts.

    I have a quick question. Can we setup the DDC LB vServer as SSL vServer and configure the Delivery Controllers/Service Group on Port 80? Does this configuration work?
    I’ve configured my environment this way and am having connectivity issues. (Storefront screen post logon is blank and doesn’t display any icons for published apps or desktops)

    Would appreciate your response.
    Syed

    Reply
    • George Spiers

      September 9, 2020

      Hello
      Yes this is possible and fairly simple to configure. You will have:
      1. SSL vServer for DDC, with backend Service Group on HTTP/80
      2. Certificate bound to SSL vServer matching Controller LB address e.g. ddc.domain.com
      3. StoreFront pointing to LB address e.g. ddc.domain.com over HTTPS/443
      4. DNS configured to resolve LB address e.g. ddc.domain.com to the VIP, and it is resolvable by StoreFront servers

      If still failing, the Citrix Delivery Services event logs should give pointers.

      Reply
  • Anonymous

    July 13, 2022

    I keep getting “no apps or desktops available..” when after login to the storefront page. The service group shows UP state, monitor assigned is Citrix-XD-DDC, when I checked the monitor details, both DDCs are validated by the monitor (green). I Created Load Balancing vServer using SSL, and the certificate was installed, vServer shows UP (green). All are looking good (green). However, as soon as I replaced the individual DDCs with the DDCs LB VIP in the storefront, the enumeration fails with the error message stated above. when listing DDCs individually, using HTTPS, enumeration succesful again.. ,

    Reply
    • Sandy

      May 8, 2023

      I had this issue too. I changed my default cipher to a more narrowed down list of secure ciphers and then it worked.

      Reply
  • Naz

    September 13, 2022

    Hey Goerge,
    Forever grateful for all you do for the community!

    In this XDDC LB article, you setup the vServer using SSL… do you forsee any issues if I use SSLBRIDGE instead?

    Rationale:
    I want to avoid SSL certs where it is not needed.
    I dont mind the DDCs doing the secure encrpyt/decrypt. unless you see a benefit not doing so?
    Another reason, since LB’ing DDC, it appears to have added 3-4 seconds to the initial Storefront enumeration post successful Gateway authentiation.
    WIthout going through an LB, this takes under a second for SF to remunerate.

    Regards,
    N.

    Reply
  • Rick

    September 29, 2022

    If I have two delivery controllers, do they HAVE to be load balanced by netscaler or is the storefront functionality enough?

    Reply
  • Nick

    October 15, 2023

    Doubtful I’ll get a reply this late in the game but if I have two storefront servers that I’m load balancing with the Netscaler and I also have four xenapo servers I want to load balance – will I need to create a new load balance vserver for xenapp? I guess I’m confused to the flow of data. From storefront vserver to xenapp.

    Reply

Leave a Reply to George Spiers Cancel reply