• Category Archives Load Balancing
  • Load Balancing AD FS 2012 R2 3.0 and Web Application Proxy With Netscaler

    Recently I had to set up load balancing for a Microsoft Active Directory Federation Services (ADFS) 3.0 environment. There is not a whole lot of information out there on load balancing ADFS 3.0; most of the guides and documentation available today are based on ADFS 2.0.

    The diagram below illustrates a typical ADFS deployment scenario utilizing hardware load balancers such as Netscaler or F5 appliances.


    Why you need to do this.
    Server Name Indication (SNI) is a feature of SSL/TLS, and both Web Application Proxy and AD FS 2012 R2 use it to enable simpler deployment and remove networking prerequisites. Some client applications don’t support SNI, but there is an easy way to work around this using a fallback certificate. In this blog we will explain what SNI is, how it works and what to do if you have non-SNI capable clients.

    In this case the client (i.e. the Netscaler) does not support SNI for back end services, hence the requirements below. The proxy servers will only reply if the host header is present and will not respond directly via IP address. One of the main issues with load balancing the latest ADFS is that it doesn’t bind the certificate or service to the IP address.

    ADFS Server & Proxy Server Configuration
    On each of the ADFS servers and Web Application Proxy Servers for the ADFS services you will need to do the following.

      1. Open PowerShell
      2. Run the following command in the PowerShell window:
        1. netsh http show sslcert
      3. Review the output of the command and note the following fields:
        1. Certificate Hash
        2. Application ID – copy it including the brackets
      4. Run the following command in the PowerShell window:
        1. netsh http add sslcert ipport=<IPAddress:port> certhash=<certhash> appid=<appid> certstorename=MY
          1. Fields
            1. IPAddress:port – note that the value used binds to all IP addresses on the server; a specific IP can be used instead
            2. certhash – copied from netsh http show sslcert
            3. appid – copied from netsh http show sslcert
          2. Note: On several of the systems that I ran the PowerShell command on I had to put single quotes around the appid before and after the brackets. Without the bracket the error was "The parameter is incorrect".
            1. An example of this would be:
              1. netsh http add sslcert ipport=<IPAddress:port> certhash=<certhash> appid='<appid>' certstorename=MY
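    The script below is an added example and is not part of the original post; it automates the steps above on an AD FS or Web Application Proxy server. It parses the output of netsh http show sslcert, takes the Certificate Hash and Application ID from the Hostname:port binding that AD FS created, adds the matching IP:port binding (the fallback that clients without SNI, such as the Netscaler, will hit) and then re-reads the bindings to confirm the new one presents the same certificate hash. The assumptions are that AD FS listens on port 443 and that 0.0.0.0:443 (bind on all addresses) is the desired IP:port; pass -IpPort to use a specific address. Without -Apply it only prints the netsh command it would run.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt
# on each AD FS / Web Application Proxy server.
param(
    [string]$IpPort = '0.0.0.0:443',   # assumption: all addresses, port 443; a specific IP:443 also works
    [switch]$Apply                     # without -Apply the script only shows the command
)

# Turn the text output of `netsh http show sslcert` into one object per binding.
function Get-SslCertBinding {
    param([string[]]$Lines = (netsh http show sslcert))
    $bindings = @()
    $current  = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(Hostname:port|IP:port)\s*:\s*(\S+)\s*$') {
            if ($current) { $bindings += [pscustomobject]$current }
            $current = [ordered]@{ Kind = $Matches[1]; Endpoint = $Matches[2]; CertHash = $null; AppId = $null }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.CertHash = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})') {
            $current.AppId = $Matches[1]
        }
    }
    if ($current) { $bindings += [pscustomobject]$current }
    return $bindings
}

$all = Get-SslCertBinding

# The binding AD FS / WAP created is a Hostname:port binding on 443 (SNI based).
$hostBinding = $all | Where-Object { $_.Kind -eq 'Hostname:port' -and $_.Endpoint -like '*:443' } | Select-Object -First 1
if (-not $hostBinding -or -not $hostBinding.CertHash -or -not $hostBinding.AppId) {
    throw 'No Hostname:port binding on 443 found; is the AD FS or Web Application Proxy role installed here?'
}

# Do not add a second binding if one already exists; warn if it serves a different certificate.
$existing = $all | Where-Object { $_.Kind -eq 'IP:port' -and $_.Endpoint -eq $IpPort } | Select-Object -First 1
if ($existing) {
    Write-Host "IP:port binding $IpPort already exists (certificate hash $($existing.CertHash))."
    if ($existing.CertHash -ne $hostBinding.CertHash) {
        Write-Warning 'Its certificate hash differs from the hostname binding; clients without SNI get a different certificate.'
    }
    return
}

# Each key=value pair is passed as one quoted string, which sidesteps the quoting problem
# around the appid brackets that the post describes.
$netshArgs = @("ipport=$IpPort", "certhash=$($hostBinding.CertHash)", "appid=$($hostBinding.AppId)", 'certstorename=MY')
Write-Host "netsh http add sslcert $($netshArgs -join ' ')"

if ($Apply) {
    & netsh http add sslcert @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

    # Verify: the new IP:port binding must present the same certificate as the hostname binding.
    $check = Get-SslCertBinding | Where-Object { $_.Kind -eq 'IP:port' -and $_.Endpoint -eq $IpPort } | Select-Object -First 1
    if ($check -and $check.CertHash -eq $hostBinding.CertHash) {
        Write-Host "Verified: $IpPort now presents certificate $($check.CertHash)."
    } else {
        Write-Warning "Binding $IpPort not found or its certificate hash differs after the add."
    }
}
```

    Run it once without -Apply to review the command, then with -Apply. Repeat on every ADFS server and Web Application Proxy server behind the Netscaler, since the binding is per server.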

    Netscaler Configuration.
    You will need to create the monitor and attach it to either the services or service groups for the ADFS 3.0 servers and proxy servers. In my case all services and service groups were configured for SSL Bridge.

    ADFS Monitor Configuration

    add lb monitor mon-https-ADFS3 HTTP-ECV -send "GET /federationmetadata/2007-06/federationmetadata.xml" -recv "adfs3.website.com/adfs/services/trust" -LRTM ENABLED -secure YES

    ADFS Proxy Monitor Configuration – Note the addition of the custom header. This is required for the proxy server configuration

    add lb monitor mon-https-ADFS3-PROXY HTTP-ECV -customHeaders "host: adfs3.website.com\r\n" -send "GET /federationmetadata/2007-06/federationmetadata.xml" -recv "adfs3.website.com/adfs/services/trust" -LRTM ENABLED -secure YES

    Replace website adfs3.website.com with your particular company website.
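    The script below is an added example, not part of the original post, that reproduces from a PowerShell prompt what the two HTTP-ECV monitors above do, so the -send and -recv strings and the need for the Host header can be checked against each back end server before the monitors are configured on the Netscaler. It connects to the server by IP address (so, like the Netscaler, it sends no SNI), requests the federation metadata once without and once with a Host header, and reports whether the response contains the -recv string (HTTP-ECV is a substring match) together with the thumbprint of the certificate the server presented, which should equal the Certificate Hash shown by netsh http show sslcert. The server address 10.0.0.10 is a constructed placeholder; adfs3.website.com is the federation service name from the post.

```powershell
# Added example (not from the original post). Probes an AD FS or WAP server the way the
# NetScaler HTTP-ECV monitors do.
param(
    [string]$ServerIp   = '10.0.0.10',                                  # constructed placeholder
    [string]$HostHeader = 'adfs3.website.com',                          # your federation service name
    [string]$Path       = '/federationmetadata/2007-06/federationmetadata.xml',
    [string]$Expect     = 'adfs3.website.com/adfs/services/trust'       # the monitor's -recv string
)

# Windows PowerShell 5.1 may not negotiate TLS 1.2 by default; AD FS 2012 R2 supports it.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

function Test-MonitorProbe {
    param([string]$Ip, [string]$HostName, [string]$Path, [string]$Expect, [bool]$SendHostHeader)

    # Connecting to the IP address rather than a name means no SNI is sent, as with the NetScaler.
    $req = [System.Net.HttpWebRequest]::Create("https://$Ip$Path")
    $req.Method  = 'GET'
    $req.Timeout = 5000
    if ($SendHostHeader) { $req.Host = $HostName }   # equivalent of -customHeaders "host: ...\r\n"

    # A certificate issued to the service name cannot match an IP address, so for this
    # diagnostic the certificate is accepted and its thumbprint is reported for comparison.
    $previous = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    try {
        $resp   = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $body   = $reader.ReadToEnd()
        $resp.Close()

        $thumb = 'n/a'
        $cert  = $req.ServicePoint.Certificate
        if ($cert) {
            $thumb = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert).Thumbprint
        }
        $match = $body.Contains($Expect)   # HTTP-ECV looks for the -recv string anywhere in the response
        [pscustomobject]@{
            HostHeaderSent = $SendHostHeader
            Status         = $status
            RecvMatched    = $match
            Thumbprint     = $thumb
            MonitorResult  = if ($match) { 'UP' } else { 'DOWN' }
        }
    }
    catch [System.Net.WebException] {
        # A WAP server answers a request without a Host header with no usable response at all.
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'no response' }
        [pscustomobject]@{
            HostHeaderSent = $SendHostHeader
            Status         = $status
            RecvMatched    = $false
            Thumbprint     = 'n/a'
            MonitorResult  = 'DOWN'
        }
    }
    finally {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previous
    }
}

# Without a Host header: what mon-https-ADFS3 sends. With it: what mon-https-ADFS3-PROXY sends.
Test-MonitorProbe -Ip $ServerIp -HostName $HostHeader -Path $Path -Expect $Expect -SendHostHeader $false
Test-MonitorProbe -Ip $ServerIp -HostName $HostHeader -Path $Path -Expect $Expect -SendHostHeader $true
```

    Against an ADFS server both probes should come back UP once the IP:port binding from the previous section is in place; against a Web Application Proxy server only the probe with the Host header does, which is why the proxy monitor needs the -customHeaders option. A thumbprint that does not match the Certificate Hash from netsh http show sslcert means the non-SNI fallback is serving a different certificate than the hostname binding.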

    You can find more information below at the following links

    ADFS is used in a variety of services and I hope you found this helpful. Now signing off.

  • Citrix Netscaler VPX Express (free but powerful)

    An often overlooked (free) resource for small environments or for deployments with low requirements is the Netscaler VPX Express. This is a very powerful device: the VPX Express gives you the features of a Standard Edition VPX platform, but with a few limitations.

    Use Cases:

    • Load Balancing a small XenDesktop or XenApp Farm
    • Load Balancing Citrix PVS tftp
    • Load Balancing AD requests
    • Load Balancing DNS
    • Load Balancing just about any web site or service…
    • Unlimited ICA Proxy connections to XenDesktop/XenApp (still bound by 5 Mbps throughput)
    • Remote access to Citrix XenDesktop and Citrix XenApp (Access Gateway)
    • Load Balancing a VMware View deployment (more to come on this one…)
    • Full VPN tunnel for up to 5 concurrent users
    • Clientless access to Web Sites or File Shares
    • External access to Exchange or other web sites and file shares.


    • Netscaler Standard Edition Features
      • Load Balancing
      • Access Gateway
      • Content Switching
      • Web Logging
      • Content Filtering
      • URL Rewrite
    • Pay as you grow – VPX has all the same features and is only limited by licensing, can pay for a higher edition to expose new features and increase your total throughput
    • Netscaler includes 5 free Access Gateway Enterprise Edition concurrent licenses (what does that give me…?)
      • Full VPN Tunnel
      • EndPoint Analysis
      • Policy Based SmartAccess
      • Clientless access to Web Sites and File Shares

    I think you get the idea, so what are the major limitations of the Netscaler VPX Express? This sounds too good to be true.

    • The license only lasts one year (bummer), “but wait, there’s more”: it is free and you can just request another license for the next year
    • 5 Mbps throughput (this applies to all traffic and can be upgraded with a simple license purchase)
    • No SSL offload (this is true of any VPX Netscaler). The Netscaler physical appliances offer SSL offload to dedicated hardware for encryption/decryption, which improves the performance of the box because the CPU doesn’t have to handle the SSL encryption/decryption.

    This is only the tip of the iceberg for what the Netscaler can do, and the free one’s main limitation is the bandwidth, which can be upgraded with a license purchase. You can also deploy as many of these appliances as you need to handle the workload; each pair would have the 5 Mbps limitation. It may not sound like much bandwidth, but that figure is per second.

    Test it out: deploy the VPX Express yourself, put your workload through the Netscaler and see what its throughput is. You may be surprised; maybe the VPX Express will be right for you. The Netscaler VPX Express is easy to deploy and can run on VMware vSphere, Hyper-V and XenServer; there are appliances for each of these hypervisors.