NetScaler Load Balance multiple ports on same vServer

Have you ever created different Load Balancing Virtual Servers for the same service because multiple ports are required? Fancy sending multiple or ranges of ports through the same vServer instead? This is also possible and easy to implement.

As a result, I’ve produced this quick post just to show how it is possible.

When you are creating a Load Balancing Virtual Server, choose ANY under Protocol, or choose a specific protocol such as TCP or HTTP if, for example, you are working with multiple ports that use the same protocol. Under Port, type *. Continue on with the creation of the LB vServer.

When you have the Load Balancing Virtual Server configured how you like, click on the edit icon next to Basic Settings.

The requirement is to create a listen policy so that the Load Balancing Virtual Server only listens on the ports that you specify. Use an expression such as CLIENT.TCP.DSTPORT.EQ(8080) || CLIENT.TCP.DSTPORT.EQ(80). You can add as many ports as you like. Click Continue.

Now the Virtual Server will only listen and answer on ports 8080 and 80.

If you have a range of ports, you can use an expression such as CLIENT.TCP.DSTPORT.BETWEEN(8080, 8090).
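Because the vServer port is *, the listen policy expression is the only thing that limits which ports it answers on, so it is worth checking an expression against the ports you actually intend to publish. The following is an added example, not part of the original post and not NetScaler code: a small Python helper that expands the expression forms shown above into a port list. The function names are hypothetical, only EQ, BETWEEN and || are handled, and BETWEEN is assumed to include both endpoints.

```python
import re

# Only the two operand forms and the || operator shown in the post are handled;
# this is a hypothetical audit helper, not a NetScaler policy evaluator.
_EQ = re.compile(r"^CLIENT\.TCP\.DSTPORT\.EQ\(\s*(\d+)\s*\)$", re.I)
_BETWEEN = re.compile(
    r"^CLIENT\.TCP\.DSTPORT\.BETWEEN\(\s*(\d+)\s*,\s*(\d+)\s*\)$", re.I)


def _check_port(value):
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def listen_ports(expression):
    """Return the sorted list of destination ports the expression matches."""
    ports = set()
    for term in expression.split("||"):
        term = term.strip()
        if m := _EQ.match(term):
            ports.add(_check_port(m.group(1)))
        elif m := _BETWEEN.match(term):
            low, high = _check_port(m.group(1)), _check_port(m.group(2))
            if low > high:
                raise ValueError(f"empty range in: {term}")
            # Assumption: BETWEEN includes both endpoints.
            ports.update(range(low, high + 1))
        else:
            # Refuse to guess: an unparsed term could widen the exposure.
            raise ValueError(f"unsupported term: {term!r}")
    return sorted(ports)


def unexpected_ports(expression, approved):
    """Ports the vServer would answer on that are not on the approved list."""
    allowed = set(approved)
    return [p for p in listen_ports(expression) if p not in allowed]


if __name__ == "__main__":
    # Constructed inputs: the two expressions from the post.
    print(listen_ports("CLIENT.TCP.DSTPORT.EQ(8080) || CLIENT.TCP.DSTPORT.EQ(80)"))
    print(unexpected_ports("CLIENT.TCP.DSTPORT.BETWEEN(8080, 8090)", [8080, 8443]))
```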


29 Comments

  • J. Hoffmann

    January 13, 2017

    Hi George,

    found a link to your site with Carl’s weekly news. First of all: great work, we all need guys like you and Carl, otherwise we mostly won’t be able to implement all those Citrix products and components! Thumbs up, indeed!

    I’m with NetScaler since 2008 and in the meantime part of the PTEC community, but never knew about that feature described above. It’ll really help me (and so others) in the future.

    Again, I really appreciate your work – many thanks for sharing, btw.

    Regards,
    Jochen (https://www.linkedin.com/in/jochenhoffmann).

  • George Spiers

    January 13, 2017

    Hi Jochen

    Thanks for your comment and glad I can be of help! You are right, community produced information is critical and it’s great that we can all help each other.

    Take care

  • Joe Khalil

    April 5, 2017

    Hi George
    Will this method map the port to the server at the back-end using that port?

    example: I create a LBVS with ANY protocol and * for ports then specify 9834 and 9835 in the policy. I then bind server A which uses service port as 9834 and server B with service that uses port 9835. Will traffic then be directed to specific servers? thanks

  • George Spiers

    April 6, 2017

    Hi Joe, if both servers listen on unique ports i.e. Server A listens on port 9834 but does not listen on port 9835, you’ll need to create two vServers for each port. This method is for servers that use multiple ports together, so the vServer has a port of * and the services also have a port of *.

    • Joe Khalil

      April 6, 2017

      thank you, yes indeed both servers listen on different ports. server A on 9834 only and server B on 9835 only. I tried the ANY protocol on the Load balancer side with * for ports and on the service for server A I put the port as 9834 and the service for server B port 9835 and tested connection and if I came in on 9835 I was still getting directed to Server A. So there is no port mapping using this method. I think my route will be a content switch server. thanks for your help!

  • Alex Chen

    June 6, 2017

    very like!
    Thank you!

  • Keith S

    August 22, 2017

    Is there any way to do this with a Content Switching vserver?

    Also, is there any way to set multiple IP addresses for a vserver? I have a couple services where I use an internal IP AND a public IP for same service. Would there be a way for me to assign 2 IP’s to a single cs vserver without having to duplicate a bunch of configs?

    • Keith

      August 22, 2017

      I’m a tool. I see that it is the same on CS vservers. I just never use the GUI so I didn’t realize at first I needed to expand the more settings option at first. I still am curious about the second part of my question.

      • George Spiers

        August 22, 2017

        You can assign a public IP (Service) to one LB vServer, and an internal IP (Service) to another vServer and bind them to the same CS vServer, then use expressions to direct traffic to either one based on your requirements. You could also assign both internal and external services to the same LB vServer and attach that single LB vServer to the CSW, but keep in mind NetScaler will then Load Balance connections so you have to configure as to how you want Load Balancing to occur. I am going to assume that you have to send certain traffic to public and certain traffic to internal, so you would be best having two LB vServers attached to the CSW.

  • Aditya

    September 29, 2017

    Hi man,
    Thanks for this explanation. I was currently working with similar Infra. This really helps me understand this deployment.

  • Matt G

    November 8, 2017

    Hi George,

    I use the NetScalers for Load Balancing of many different services, but one of the main ones is StoreFront. At present, I use two LB vServers for StoreFront – one on 443 and one on 80. The port 80 vServer has a Responder Policy bound to ensure all HTTP requests get pushed to HTTPS. Have you ever used (or in theory, do you believe it would work) the logic you’ve documented above to:

    1. Create a single StoreFront LB vServer that listens on Port 80 & Port 443.
    2. Create a Responder Policy bound to the LB vServer, but use the same “CLIENT.TCP.DSTPORT.EQ(80)” query as part of the Policy expression to ensure the Responder Policy only works for HTTP request.

    Just curious, as it seems like a cool way to potentially do this.

    Thanks

    Matt

    • George Spiers

      November 9, 2017

      Interesting indeed but I do not think it will work as the LB vServer must have a certificate, and you’ll therefore need to use protocol SSL rather than protocol ANY to achieve Layer 7 Load Balancing.

  • Aaron Rguez

    July 18, 2018

    Hello George,
    I am reading this thread almost one year later and although it is very helpful does not provide me an answer to a problem that I am experiencing. I am hoping you can enlighten me. I load balance two proxy servers via a Vserver (http 80), it is working fine until I get a user request that includes a high port in the fqdn ie. http://www.fqdn.com:xxxx if I bypass the vServer and send the request directly to one of the proxy servers the request is handled correctly. I can only assume I have a configuration issue in the netscaler but I am not really sure what it should be.

    I look forward to your feedback. Thank you, in advance.

    Regards,

    Aaron

    • George Spiers

      July 18, 2018

      Does your Proxy LB vServer listen to the high port a client is trying to connect on? If not set to do so, it won’t handle the request.

  • Aaron Rguez

    July 19, 2018

    Hello George, Proxy VServer listens on port 80 — client browsers send every request to port 80. so far standard behaviour…
    Proxies send the request to fqdn and correct high end port, We see the request go out on our edge firewalls but no success on getting the website to respond – if same url goes to the proxy we get the website to work. It seems like the original client IP is lost (just a wild guess)

  • Aaron Rguez

    July 19, 2018

    I will however try and place the high end port as you suggest

    • Aaron Rguez

      July 19, 2018

      Hello George, changed vserver to listen to TCP on all ports. Websites with high port on the fqdn are now working.
      Thank you very much for your time.

      • George Spiers

        July 20, 2018

        Good stuff.

  • Gregor

    August 2, 2018

    Hi George,

    Thanks for the article. How does persistency work with this configuration? Will the Netscaler ensure all requests from Client A are going to Server1 for port 888 and port 999? Or could port 888 end up going to Server1 and port 999 to Server2?

    • George Spiers

      August 2, 2018

      All traffic should be persisted to a specific backend server. For example, source IP persistency may end up assigned to Server1.

  • Wolfgang Baere

    August 16, 2018

    Hi George,

    Simple question – I am having difficulty finding where to actually create the listen policy in build 12.0 58.15 – I have fished through some of the rewrite, responder, filter, log auditing, etc. but nothing that explicitly lists “Listen Policy Expression”

    • Rob

      September 25, 2018

      You can find “Listen Policy Expression” under the Load Balancing Virtual Server. Click on More to expand more options.

  • Ray

    October 23, 2019

    How do you go about creating the same services on the same ports but have different evc monitoring?
    We have a large web farm that has many sites. I read about priority load balancing but not sure this will work.

    • Keith

      October 24, 2019

      I’m not sure I completely understand what you’re asking. But I use a CS vserver with SNI for SSL. You then create multiple lb vservers that correlate to the different services. a content switch then says if “$x” url then go to this lb vserver etc…

    • George Spiers

      November 10, 2019

      Create different Service Groups with the same Protocol, Members and ports. Each Service Group can have a unique monitor.

  • Anonymous

    October 26, 2019

    We have 2 web servers with multiple sites that use host headers.
    Example:
    Site 1 is on 443 that is a host headers to site1.web.com. site1.web.com resolves to a lb vserver. The service on the NS is 443. Which has a tcp monitor.
    Repeat this 7 times, but site2, site3 so on.
    Each site has its own lb vserver, but all are tied to the same service 443 and same monitor. I’m trying

  • Ray

    October 26, 2019

    I hit submit too fast. Sorry

    So I have 2 web servers with multiple sites that use host headers.
    Example:
    Site 1 is on 443 that is a host header is site1.web.com. site1.web.com resolves to a lb vserver. The service on the NS is 443. Which has a tcp monitor.
    Repeat this 7 times, but site2, site3 so on.
    Each site has its own lb vserver, but all are tied to the same service 443 and same monitor. I’m trying to separate them all out on each service with each monitor. But the service can only be used once due to the IP already in use. I’m not 100% sure how to do this. I thought I could tie all 7 monitors with different health checks to the service but from what I’m reading the weights calculation might not allow this.

  • Gerad Parent

    July 14, 2022

    Hello Folks,
    Hopefully this thread is not dead and I can get a little guidance here. I have created a load balancer using this technique. I also use * for the port on the service side. My expectation is that there would be no port translation going on, i.e. if I browse to https://randomurl.domain.com:8008 I would connect to https://randomurl.domain.com:8008, but it seems to be connecting me to different ports on the backend within my port range. Can somebody clarify how to make sure the back end connection to the server uses the port the client types into their browser.

  • Pat Zen

    November 22, 2023

    Very helpful, thanks.

    One question though. Can UDP and TCP be mixed in one policy?

