I don’t work with NetScalers on a regular basis. I am familiar with the product and its capabilities, but prefer to leave that to NetScaler and networking engineers. As I explained to a friend of mine once, I understand the core product, but it’s the overall networking and security landscape that I don’t have enough experience in. It’s like someone saying that because they know Windows they should be able to design a full virtualization environment… you need to know the full topology to be effective.
That being said, sometimes I still get my hands dirty in the NetScaler world, either because no one else is available or I am a glutton for punishment. It seems like every time I do, I have to relearn points I had forgotten. Some of the points raised in this post will be common sense or common knowledge, but I want to list them for my own future reference. Who knows, they may help you too!
First, be sure to plan for enough IP addresses for your NetScaler deployment. I generally request a block of 10 IP addresses, just to be safe. The actual number will vary. Here is what you NEED:
- 1 NetScaler IP (NSIP) per Appliance – this is the management IP address
- 1 Subnet IP (SNIP) per subnet, including the primary network – this is used for HA and can be used for additional network interfaces
- 1 IP per Virtual Server/Virtual Interface (VIP) – Load Balanced addresses, gateways, etc.
When planning a new deployment, you need to decide between 1-Arm and 2-Arm mode. 1-Arm means only a single interface is active; this is the simplest and most common deployment. 2-Arm mode means two (or more) interfaces are active, typically an internal link and a DMZ link. If you are using 2-Arm mode, I recommend setting the default gateway to the outbound router in the DMZ; this will make your life MUCH easier. Also, if you are using 2-Arm mode, be sure to add route statements so you can manage and direct your internal traffic.
When I am using a NetScaler Gateway for StoreFront, I set up the following virtual interfaces (VIPs):
- Gateway VIP – Public Access
- StoreFront Load Balanced VIP – Routing for Gateway
- StoreFront Load Balanced VIP with SSL Offload – Used for Internal Secure Access
- Authentication Load Balanced VIP – used for balancing LDAP requests
- Desktop Director Load Balanced VIP – if using Desktop Director
- Load Balanced XML Broker VIP – optional
- Gateway Call Back VIP for StoreFront – optional, may be necessary in 2-Arm Mode
If you are using Gateway features for public access, don’t forget:
- Request and Install a Public Certificate
- Be sure to Chain the Intermediate Certificate as well
Also, if you are using multiple domains, for ease of use, I recommend:
- Separate Authentication VIPs, 1/domain
- Separate Gateway VIPs/URL, 1/domain
This greatly eases the authentication rules and workflow. There are some ways around it with a 2-phased approach or multiple NetScalers, but I like to keep it simple.
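To make the IP count above concrete, here is a small planner I have added (example code, not from the original post or from Citrix) that applies the rules in this post: one NSIP per appliance, one SNIP per subnet, one IP per VIP, separate Gateway and Authentication VIPs per domain, and the callback VIP assumed necessary in 2-Arm mode. The `Deployment` fields, the role names and the default block size of 10 are my own assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Deployment:
    """Hypothetical description of a NetScaler Gateway/StoreFront deployment."""
    appliances: int = 2               # HA pair: one NSIP each
    subnets: int = 1                  # 1-Arm: one subnet; 2-Arm: internal + DMZ
    domains: int = 1                  # separate Gateway and Auth VIPs per domain
    two_arm: bool = False
    director: bool = False            # optional Desktop Director VIP
    xml_broker: bool = False          # optional XML Broker VIP
    callback: Optional[bool] = None   # None = derive from the 2-Arm rule


def plan_ips(d: Deployment) -> Dict[str, int]:
    """Return the IP addresses needed, keyed by role, following the post's rules."""
    if d.two_arm and d.subnets < 2:
        raise ValueError("2-Arm mode needs at least an internal and a DMZ subnet")
    plan = {
        "NSIP (management, 1 per appliance)": d.appliances,
        "SNIP (1 per subnet)": d.subnets,
        "Gateway VIP (public, 1 per domain)": d.domains,
        "StoreFront LB VIP (routing for Gateway)": 1,
        "StoreFront LB VIP with SSL offload (internal)": 1,
        "Authentication LB VIP (LDAP, 1 per domain)": d.domains,
    }
    if d.director:
        plan["Desktop Director LB VIP"] = 1
    if d.xml_broker:
        plan["XML Broker LB VIP"] = 1
    # Callback VIP is optional, but the post notes it may be necessary in 2-Arm mode.
    need_callback = d.callback if d.callback is not None else d.two_arm
    if need_callback:
        plan["Gateway Callback VIP"] = 1
    return plan


def check_block(d: Deployment, block_size: int = 10) -> Tuple[int, bool]:
    """Total IPs required and whether they fit the requested address block."""
    total = sum(plan_ips(d).values())
    return total, total <= block_size


if __name__ == "__main__":
    # Constructed sample: HA pair, 2-Arm, two domains, Director in use.
    sample = Deployment(subnets=2, domains=2, two_arm=True, director=True)
    for role, count in plan_ips(sample).items():
        print(f"{count:2d}  {role}")
    total, fits = check_block(sample)
    print(f"total {total}, fits in a block of 10: {fits}")
```

The sample deployment needs 12 addresses, which is why a block of 10 is a starting point rather than a guarantee.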
For more information, please see: