Citrix VPN with Cisco ACE

Jun 9th, 2010

I have an ACE 4710 in routed mode. I am in the process of deploying a Citrix VPN solution (3 boxes). Clients will access the Citrix VPN URL through HTTPS.

I want to use the ACE for redundancy, not load balancing. All the traffic should always go to Server 1, and in case of failure it should go to the next one, not in round-robin fashion.

I will also have a certificate server separately for the Citrix VPN.

How will I configure the stickiness for HTTPS? Internet clients will access the Citrix VPN through HTTPS on the public IP address.

I have server load balancing only on HTTP in the current setup; this is the first time I am going with HTTPS, with a certificate server.

Please let me know how to achieve this; any example, past deployment or hint would help.

Please help me out.

UHansen1976 Thu, 06/10/2010 - 04:34

One option would be:

1) configure your VPN-boxes as individual rservers.

rserver host RSRV_CITRIX_VPN1
  ip addr x.x.x.x
rserver host RSRV_CITRIX_VPN2
  ip addr x.x.x.x
rserver host RSRV_CITRIX_VPN3
  ip addr x.x.x.x

2) configure a serverfarm, which could look something like this:

serverfarm host SFARM_CITRIX_VPN
  probe probename
  rserver RSRV_CITRIX_VPN1
    backup-rserver RSRV_CITRIX_VPN2

However, I'm not sure you can have multiple backup servers, which would leave VPN3 unnecessary.

Is there any particular reason why you don't want to load balance your https traffic? I understand that you're already doing http load balancing. Indeed, if you do decide to load balance your https, you need to configure stickiness. And even with load balancing enabled, there are several ways to manipulate the rserver selection: weight and the built-in predictor mechanisms. In my opinion the benefits of doing load balancing far outweigh the drawbacks, unless it's some kind of license issue with your VPN-boxes, where only one is licensed to be active at any given time.

wasiimcisco Thu, 06/10/2010 - 13:27

Thanks for the reply,

I will check with the Citrix team for the license limitation.

But I want to know how I will do the HTTPS stickiness, because I didn't find any option for HTTPS in sticky session.

Also in my deployment there is no SSL offload; I need the HTTPS session directly on the VIP. Will there be some special configuration required, and how will I get the certificate from the certificate server?

Please let me know how to achieve it.

UHansen1976 Fri, 06/11/2010 - 00:21

There are multiple ways to configure stickiness (sticky-ip, cookie-insertion, http-content based). It depends on your requirements. One way to configure stickiness would be ip-based stickiness:

sticky ip-netmask address (source|destination|both) group-name
  replicate sticky
  timeout xxx
  serverfarm serverfarm-name

Cisco makes a recommendation when configuring the netmask, see below:

Note: If you configure a network mask other than (/32), the ACE may populate the sticky entries only on one of its two network processors, which may reduce the number of available sticky entries by 50 percent. This reduction in resources can cause problems when heavy sticky use occurs on the ACE.

Optionally, you can configure a backup serverfarm and make that sticky as well. Simply add the following to the 'serverfarm' in your sticky-config:

backup serverfarm-name sticky.

As far as SSL goes, you could configure end-to-end ssl on the ACE. Or I suppose you could do simple L4-based load balancing and not interfere with the ssl at all. End-to-end ssl is described here