Load Balancing Access manager using Citrix Netscaler

Similar Messages

• Load Balancing Exchange 2010 with Citrix Netscaler

  Hi All,
  I have two exchange multirole server(cas/ht/mb) EXCH1 and EXCH2 both are configured in DAG (dag1.example.com) and also both are configured with CAS array (casarray.example.com)
  We have Cirtix Netscaller hardware load balancer. I have to configure Load balancing for CAS array, ActiveSync, OWA, Outlook Anywhere.
  Please guide me through the configuration for citrix netscaler as i am new with Citrix Netscaler.
  Regards,
  Pravin

  Hi,
  In order to resolve this issue more efficiently, I recommend you contact support from Citrix, you might get a better answer there. Thanks for your understanding.
  https://www.citrix.com/community.html
  Best regards,
  Belinda
  Belinda Ma
  TechNet Community Support

• Network Load Balancing - "access denied" when loading configuration information from host2

  We have 2 Windows 2012 R2 servers, both are running on workgroup.
  We set up NLB cluster.  When we open NLB Manager on the server2, then message shows "loading configuration information. Access denied. Error connecting to server1". 
  There is no issue doing this on server1, NLB Manager is able to connect to both servers. We login using default administrator account, both account name and password are the same for 2 servers.
  When we check security event log on server1, there is this strange Audit Failure log using account "test_nlb" from server2 which related to "Access denied" error. Please let us know how to resolve this. Thanks in advance.
        Event ID: 4776
        The computer attempted to validate the credentials for an account.
        Authentication Package:   
  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Logon Account:   
  test_nlb
        Source Workstation:   
  WPAAP2
        Error Code:   
  0xc0000064           
        An account failed to log on.
  Event ID: 4625
  Subject:
      Security ID:       
  S-1-0-0
      Account Name:       
      Account Domain:       
      Logon ID:       
  0x0
  Logon Type:           
  3
  Account For Which Logon Failed:
      Security ID:       
  S-1-0-0
      Account Name:       
  test_nlb
     Account Domain:       
  WPAAP2
  Failure Information:
      Failure Reason:       
  Unknown user name or bad password.
      Status:           
  0xc000006d
      Sub Status:       
  0xc0000064
  Process Information:
      Caller Process ID:   
  0x0
      Caller Process Name:   
  Network Information:
      Workstation Name:   
  WPAAP2
      Source Network Address:   
  192.168.70.45
      Source Port:       
  55136
  Detailed Authentication Information:
      Logon Process:       
  NtLmSsp
      Authentication Package:   
  NTLM
      Transited Services:   
      Package Name (NTLM only):   
      Key Length:       
  0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

  Hi Zhong Gang,
  When you are using Network Load Balancing (NLB) Manager, you must be a member of the Administrators group on the host that you are configuring, or you must have been delegated
  the appropriate authority. If you are configuring a cluster or host by running NLB Manager from a computer that is not part of the cluster, you do not have to be a member of the Administrators group on that computer. Please disable your nodes firewall and
  try again.
  The related KB:
  Add a Host to the Network Load Balancing Cluster
  http://technet.microsoft.com/en-us/library/cc753744.aspx
  I’m glad to be of help to you!
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Load balancing RDS Licensing for Citrix

  Hi all,
  Currently we are in the middle of upgrading our Citrix farm from 4.5/2003 to 6.5/2008 R2.  In relation to TS Licensing, we are using per device CALs.  The CALs are split between 2 2003 domain controllers that are published to the forest. 
  Licenses are checked out from both.
  In our test environment for 6.5, I set up the same layout.  I have 2 2008 R2 servers with just the RD Licensing role installed and I installed 500 per device licenses on each to start with.  The servers are not published but I have specified in
  group policy for the 6.5 test environment for the terminal servers to point to the 2 servers.  The plan is shortly before we do go live, add all new licenses, publish them to the forest (because there are other apps that need the licenses beyond Citrix),
  and retire the old license servers.
  Now in the test environment, all licenses are being checked out from the server listed first in the group policy and none from the second server.  I was thinking that they would split between the 2 on their own but I must be mistaken.
  So here are my questions...
  Is there a way to force balancing now while they are only referenced in the GPO for the test farm?
  Once they are published to the forest, does that set it to load balance?
  If no load balancing occurs in either situation, does that mean that licenses will not be checked out on the second server until all licenses have been checked out on the first server?
  Is there a better implementation route I should have followed for 2008 R2?
  Thanks!

  Hi,
  How are things going? I just want to check the status of the issue. If you have any update or concern, please feel free to let us know.
  Best Regards,
  Aiden
  If you have any feedback on our support, please click
  here
  Aiden Cao
  TechNet Community Support

• Load Balancing Portal that uses JPDK portlets

  We are having the following Portal architecture :
  -Browser
  -Firewall
  -Load Balancers
  -Multiple 9iAS middle-tiers (2)
  -DB Server
  We are using Web Providers registered with Portal which calls JPDK portlets.
  We have registered the Web Provider url's, but of course had to
  enter a URL to point to the location of the provider.xml. If we enter the URL specifying a particular 9iAS middle-tier hostname, all requests for the provider from any of the middle-tiers are routed through the one 9iAS server, which places a heavy load on this server.
  Requirement : We want to specify the location of the provider.xml as local to the particular 9iAS server and so call the portlet from the same server, which will spread the load.
  What would be the best way to achieve this ?

  Hi,
  You can very well provide the URL of 'Load balancer' while registering the WebProvider, provided it meets the following condition :
  Condition : For example, your middle-tiers are named 'machineA' & 'machineB'. Your loadbalancer's name being 'loadbalancer'. Say, a user wants to access a file by name 'test.html' which exists in both machineA & machineB and is identical. Let http://machineA/test.html & http://machineB/test.html be the URLS for accessing it.
  The user should get the output after specifying the loadbalancer's name in the place of the 'serverA' or serverB.
  Something like, http://loadbalancer/test.html
  If the condition is satisified, you can register the webprovider with Loadbalancer's URL.
  --Sriram                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       

• ACE load balancing and testing using soapUI

  Hey, I am trying to crowd source a solution for this problem.
  A client is testing using soapUI to an application that is being load balanced via ACE. There are two webservers behind the VIP servicing the client request. When client tests, requests are timing out per the soapUI log. A packet capture was taken and it clearly shows that ACE is not forwarding the HTTP data back to the client. When client tests by bypassing the ACE load balancer, it works fine. But, there are other clients from other applications that are making successful connection to the load balanced application via the VIP.
  Question, is there any thing unique with making HTTP/XML based requests using soapUI? LB configuration is shown below:
  class-map match-all EAI_PWS_9083
    2 match virtual-address 10.5.68.29 tcp eq 9083
  serverfarm host EAI_PWS_9083
    description WebSphere Porduction
    failaction purge
    probe tcp9083
    rserver ESSWSPAPP01 9083
      inservice
    rserver ESSWSPAPP02 9083
      inservice
  policy-map type loadbalance first-match L7_POLICY_EAI_PWS_9083
    class class-default
      serverfarm EAI_PWS_9083
  policy-map multi-match L4SLBPOLICY
  class EAI_PWS_9083
      loadbalance vip inservice
      loadbalance policy L7_POLICY_EAI_PWS_9083
      loadbalance vip icmp-reply active
      appl-parameter http advanced-options CASE_PARAM
  parameter-map type http CASE_PARAM
    case-insensitive

  Hi,
  Your configuration looks fine. I am not familiar with soapUI but if it is like a normal TCP connection followed by HTTP requests, i don't see why this shouldn't work.
  Do you know if there is a difference while using soapUI and normal request using browser?
  Regards,
  Kanwal

• Question about Load Balancing Wireless connections using WLC- F5- ISE

  Hi all,
  Can anyone give me some orientation how the radius auth process/handshake between the WLC and ISE changes once the F5 is installed in the middle in order to perform load balancing?
  We can do some kind of load balancing by configuring different radius servers on each WLC for which, I must configure the same shared secret in the WLC and ISE so the radius request/accept could be processed.
  Now that we have the F5 in the middle, do I need to create/configure the same shared secret in the F5 so radius transactions can be processed by this device?. Based on the following link, I must configure the F5 in the ISE like another NAD device (similar to the WLC) but I do not know if this additional configuration in the ISE includes the Auth parameter to be added in the ISE NAD (F5) configuration.
  How to properly use a load balancer in Cisco's Identity Services Engine
  http://www.networkworld.com/community/blog/load-balancing-cisco-identity-services-engine
  Our sheme is shown next,

  When you covert the pair into SSO, all the APs will go to the ACTIVE unit.  No unit will "live" in the standby unit because this unit will "share" the AP-support license between the two.
  This is the first step you need to get sorted.  Send an email to [email protected] and give them the exact details of what you want to do (i. e.  AP SSO) and then provide the serial number of your nominated active WLC and the serial number of your nominated standby WLC.

• Load Balancing Option while using SOA Direct

  we are SOA Suite and Oracle Service Bus on separate domains/clusters. We will host the OSB Services on cluster which is load balanced using BIG IP. This primarliy load balances http requests. What are the load balancing options when when we make calls from BPEL to OSB. Using http we are good because of BIG IP. What about when if we use SOA-DIRECT?

  here http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15866/soa.htm t says
  "The SOA-DIRECT transport supports the following features: .... Failover and load balancing (not available for services in the Service Callback role"
  but it refers to OSB -> BPEL calls.... you are interested by BPEL -> OSB.... let me search further...

• Remote Desktop update has caused me to no longer be able to access work using Citrix/CAG.  IT found my access to be intact on their end.  What can I do?

  How can I get access to my work after the Remote Desktop Update 3.8.2 blocked my access through Citrix/CAG?

  Can you start Firefox in [[Safe mode]] ?
  You can also do a clean reinstall and download a fresh Firefox copy from http://www.mozilla.com/firefox/all.html and save the file to the desktop.
  Uninstall your current Firefox version and remove the Firefox program folder before installing that copy of the Firefox installer.
  It is important to delete the Firefox program folder to remove all the files and make sure that there are no problems with files that were leftover after uninstalling.
  You can initially skip the step to create a new profile, that may not necessary for this issue.
  See http://kb.mozillazine.org/Standard_diagnostic_-_Firefox#Clean_reinstall

• Load Balance Reverse Poxy using ACE and HTTP Header Sticky

  Dear all,
  I have a reverse proxy that makes HTTP and HTTPS requests to an ACE.
  For implement persistence I want to configure HTTP HEADER Stickyness using the X-Forwarder-For information but I don't know:
  How to implement it ( I'l apreciate a little example about it).
  Which values I need for OFFSET and LENGHT fields.
  Can you help me please?
  Thanks a lot!!

  Hi Cesar.
  Thanks a lot for your answer but I think you misunderstand the question or I'm not explaninig very well
  I don't need to insert anything.
  The serverfarm X will be accesed by a reverse proxy. This reverse proxy already inserts the X-Forearder-From header, so the request from the reverse proxy comes with this header to the serverfarm X.
  The problem is that now, the serverfarm X sticky the client based on source IP. This is a wrong behavior becasue all the request comes form the same source (Reverse proxy) and all the load forwards to the same real IP address.
  This is because I want to change the sticky from source IP to HTTP header and looks for the X-Forwarder-For filed.
  Hop it will clarify the question!

• Load Balancing with ACE using HTTP Header information

  Hello,
  I am trying to setup a class-map using http loadbalance match-all.
  What I want to do is check for the HTTP Host and if it doesnot match the http referer than go to server farm A. if it does match then go to server farm B.
  My problem is the host can be serveral different values as well as the referer. Can you setup varibales in the ACE so I can store the value from http host and compare it against http referer?
  Thanks
  Mike C.

  It should be like this (If you want to use separate class maps for referrer & Host).
  class-map type http loadbalance match-any site1-HostHDR
  2 match http header Host header-value ".*site1.com"
  class-map type http loadbalance match-any site1-Referer
  2 match http header Referer header-value "http://site1.*"
  class-map type http loadbalance match-any site2-HostHDR
  2 match http header Host header-value ".*site2.com"
  class-map type http loadbalance match-any site2-Referer
  2 match http header Referer header-value "http://site2.*"
  class-map type http loadbalance match-all Site1-policy
  2 match class-map site1-HostHDR
  3 match class-map site1-Referer
  class-map type http loadbalance match-all Site2-policy
  2 match class-map site2-HostHDR
  3 match class-map site2-Referer
  policy-map type loadbalance http first-match Site1
  class Site1-policy
  serverfarm SFarm-A
  class Site2-policy
  serverfarm SFarm-A
  class class-default
  serverfarm SFARm-B
  Syed Iftekhar Ahmed

• Fitting Citrix Netscaler with Ironport

  Hello,
  Currently we have Exchange 2010 environment and mail flow as below;
  1 CAS
  2 MBX
  Internet --> Ironport --> CAS --> MBX
  We are planning for Exchange 2010 to 2013 upgrade and I am preparing a plan for it.
  We already have Internet facing Ironport as mentioned above.
  We also have Citrix Netscaler as internet facing for accessing citrix applications.
  Exchange 2013 plan
  2 CAS
  2 MBX
  I want to load balance CAS servers with Citrix Netscaler. 
  How should I fit in Netscaler in the design.
  Please suggest
  Thanks,
  Mihir

  Hi Mihir,
  Unlike previous versions of Exchange, Exchange 2013 no longer requires session affinity at the load balancing layer.
  Generally, there are four scenarios for load balance in Exchange 2013:
  1. Single Namespace / Layer 4 (No Session Affinity)
  2. Single Namespace / Layer 7 (No Session Affinity)
  3. Single Namespace / Session Affinity
  4. Multiple Namespaces / No Session Affinity
  For more information about these, please refer to:
  http://blogs.technet.com/b/exchange/archive/2014/03/05/load-balancing-in-exchange-2013.aspx
  Additionally, there is a reference about Microsoft Exchange 2013
  Citrix NetScaler Deployment Guide:
  http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/microsoft-exchange-2013-citrix-netscaler-deployment-guide.pdf
  Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please
  make sure that you completely understand the risk before retrieving any suggestions from the above link.
  Regards,
  Winnie Liang
  TechNet Community Support

• Load balancing of Access Manager

  Hi,
  I 'm using 2005Q1 Messaging , Access Manager and Delagted Admin. Every thing is working fine. Now I need to add another Access Manager on a separate machine for load balancing. Plz let me know :
  - How can I add new Access Manager which will use same LDAP which first Access Manager using ?
  - Can we use DNS for Load Balancing (Admin guide only described hardware load balancer and resonate)
  Thanks in advance,
  Rehan

  pls try this way, it works fine.
  http://developers.sun.com/prodtech/identserver/reference/techart/load-balancing.html

• Load Balancer for Access Manager

  Which load balancer can we use for Access Manager?
  Please give me some advice. Thank you in advance.

  Jerry,
  the doc url u posted has wrong information. See ticket 64634727.
  The steps listed in this doc donot work.
  I have successfully configured loadbalancing with Sun LB plugin that comes with AppServer.
  Here is what I did....
  LBplugin(on WS6.x)-----> AM1 and AM2.
  LB vip : am-lb.sun.com
  am1 : am1.sun.com
  am2: am2.sun.com
  The steps I followed are :
  1. add the LB vip to orginatination-alias,
  2. donot add the LB vip to platform as stated in the doc. jst add am1 and am2 hosts to platform.
  3. update /etc/opt/SUNWam/config/AMConfig.properties and update only the following attrib. Donot touch any other attrib.
  com.sun.identity.server.fqdnMap[LB-vip]=LB-vip
  for ex:
  com.sun.identity.server.fqdnMap[lb.am.sun.com]=lb.am.sun.com
  The doc u listed is misleading and needs to be taken down.
  See ticket that I mentioned above. I wasted like 4 weeks trying to get this working and in the end it turned out to be a bad documentation.
  V

• How to control a Load Balanced set in IaaS VMs using Text files

  Hi,
  I would like to control the Load Balanced nodes Using a resource to probe like active.txt  in IIS than a Endpoint on the Management Portal.
  The reason i need this is because the engineers in my team will have access to VMs but not to Management servers.
  Any info on it is very helpful.
  Thanks

  Hi,
  You can Control the access to the Load Balanced Set by using Network ACL. A Network Access Control List (ACL) is a security enhancement available for your Azure deployment. An ACL provides the ability to selectively permit or deny traffic for a virtual machine
  endpoint. This packet filtering capability provides an additional layer of security. 
  Using Network ACLs, you can do the following:
  Selectively permit or deny incoming traffic based on remote subnet IPv4 address range to a virtual machine input endpoint. 
  Blacklist IP addresses
  Create multiple rules per virtual machine endpoint
  Specify up to 50 ACL rules per virtual machine endpoint
  Use rule ordering to ensure the correct set of rules are applied on a given virtual machine endpoint (lowest to highest)
  Specify an ACL for a specific remote subnet IPv4 address.
  Network ACLs can be specified on a Load balanced set (LB Set) endpoint. If an ACL is specified for a LB Set, the Network ACL is applied to all Virtual Machines in that LB Set. For example, if a LB Set is created with “Port 80” and the LB Set contains 3 VMs,
  the Network ACL created on endpoint “Port 80” of one VM will automatically apply to the other VMs.
  Hope this helps !
  Regards,
  Sowmya