Fun with NetScaler Gateway and StoreFront

I don’t work with NetScalers on a regular basis.  I am familiar with the product and the capabilities, but prefer to leave that to NetScaler and networking engineers.  As I explained to a friend of mine once, I understand the core product, but it’s the overall networking and security landscape that I don’t have enough experience in.  It’s the same as someone saying they know Windows, so they should be able to design a full virtualization environment… you need to know the full topology to be effective.

That being said, sometimes I still get my hands dirty in the NetScaler world, either because no one else is available or I am a glutton for punishment.  It seems like every time I do, I have to relearn points I had forgotten.  Some of the points raised in this post will be common sense or common knowledge, but I want to list them for my own future reference.  Who knows, they may help you too!

First, be sure to plan for enough IP addresses for your NetScaler deployment.  I generally request a block of 10 IP addresses, just to be safe.  The actual number will vary.  Here is what you NEED:

  • 1 NetScaler IP (NSIP) per Appliance – this is the management IP address
  • 1 Subnet IP (SNIP) per subnet, including the primary network – this is used for HA and can be used for additional network interfaces
  • 1 IP per Virtual Server/Virtual Interface (VIP) – Load Balanced addresses, gateways, etc.

When planning a new deployment, you need to identify 1-Arm or 2-Arm mode.  1-Arm means only a single interface is active; this is the simplest and most common deployment.  2-Arm mode means two (or more) interfaces are active, typically an internal link and a DMZ link.  If you are using 2-Arm mode, I recommend setting the default gateway to the outbound Router in the DMZ; this will make your life MUCH easier.  Also, if you are using 2-Arm mode, be sure to set route statements so you can manage/direct your internal traffic.

When I am using a NetScaler Gateway for StoreFront, I set up the following virtual interfaces (VIPs):

  • Gateway VIP – Public Access
  • StoreFront Load Balanced VIP – Routing for Gateway
  • StoreFront Load Balanced VIP with SSL Offload – Used for Internal Secure Access
  • Authentication Load Balanced VIP – used for balancing LDAP requests
  • Desktop Director Load Balanced VIP – if using Desktop Director
  • Load Balanced XML Broker VIP – optional
  • Gateway Call Back VIP for StoreFront – optional, may be necessary in 2-Arm Mode

If you are using Gateway features for public access, don’t forget:

  • Request and Install a Public Certificate
  • Be sure to Chain the Intermediate Certificate as well
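
Here is how the 2-Arm routing advice and the certificate chaining above could look on the NetScaler command line. This is an added example, not configuration from the original post. All addresses, certificate file names and object names (gw-public, gw-intermediate, gw-vip) are constructed placeholders, and the lines starting with # are annotations.

```text
# 2-Arm mode: one SNIP per subnet (constructed addresses)
add ns ip 192.0.2.5 255.255.255.0 -type SNIP
add ns ip 10.10.10.5 255.255.255.0 -type SNIP

# Default gateway points at the outbound router in the DMZ
add route 0.0.0.0 0.0.0.0 192.0.2.1

# Route statement so internal networks go through the internal router
add route 10.0.0.0 255.0.0.0 10.10.10.1

# Public server certificate (with its key) and the CA's intermediate
add ssl certKey gw-public -cert gateway.example.com.cer -key gateway.example.com.key
add ssl certKey gw-intermediate -cert intermediate-ca.cer

# Chain the intermediate to the server certificate so the Gateway
# presents both to clients during the TLS handshake
link ssl certKey gw-public gw-intermediate

# Gateway VIP for public access, bound to the chained certificate
add vpn vserver gw-vip SSL 192.0.2.10 443
bind ssl vserver gw-vip -certkeyName gw-public

# Confirm the certificate link and the routing table, then persist
show ssl certLink
show route
save ns config
```

If the link step is skipped, clients that do not already hold the intermediate cannot build a path to a trusted root and will reject the Gateway certificate.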

Also, if you are using multiple domains, for ease of use, I recommend:

  • Separate Authentication VIPs, 1/domain
  • Separate Gateway VIPs/URL, 1/domain

This greatly eases the authentication rules and workflow.  There are some ways around it with a 2-phased approach or multiple NetScalers, but I like to keep it simple.


For more information, please see:
