06-09-2010 01:14 PM
Hi,
I have ACE 4710 in routed mode. I am in the process of deploying a Citrix VPN solution (3 boxes). Clients will access the Citrix VPN URL through HTTPS.
I want to use the ACE for redundancy, not load balancing. All the traffic always goes to Server 1 and in case of failure it should go to the next, not in a round-robin fashion.
I will also have a certificate server separately for the Citrix VPN.
How will I configure the stickiness for HTTPS? Internet clients will access the Citrix VPN through HTTPS on the public IP address.
I have server load balancing only on HTTP in the current setup; this is the first time I am going with HTTPS, with a certificate server.
Please let me know how to achieve this, any example or past deployment, any hint.
Please help me out.
06-10-2010 04:34 AM
One option would be:
1) Configure your VPN boxes as individual rservers.
rserver host RSRV_CITRIX_VPN1
  ip addr x.x.x.x
  inservice
rserver host RSRV_CITRIX_VPN2
  ip addr x.x.x.x
  inservice
rserver host RSRV_CITRIX_VPN3
  ip addr x.x.x.x
  inservice
2) Configure a serverfarm, which could look something like this:
serverfarm host SFARM_CITRIX_VPN
  probe probename
  rserver RSRV_CITRIX_VPN1
    inservice
    backup-rserver RSRV_CITRIX_VPN2
However, I'm not sure you can have multiple backup servers, which would leave VPN3 unnecessary.
Is there any particular reason why you don't want to load-balance your HTTPS traffic? I understand that you're already doing HTTP load balancing. Indeed, if you do decide to load-balance your HTTPS, you need to configure stickiness. And even with load balancing enabled, there are several ways to manipulate the rserver selection: weight and the built-in predictor mechanisms. In my opinion the benefits of doing load balancing far outweigh the drawbacks, unless it's some kind of license issue with your VPN boxes, where only one is licensed to be active at any given time.
06-10-2010 01:27 PM
Thanks for the reply,
I will check with the Citrix team for the license limitation.
But I want to know how I will do the HTTPS stickiness, because I didn't find any option for HTTPS in the sticky session.
Also, in my deployment there is no SSL offload; I need the HTTPS session directly on the VIP. Will there be some special configuration required, and how will I get the certificate from the certificate server?
Please let me know how to achieve it.
06-11-2010 12:21 AM
There are multiple ways to configure stickiness (sticky IP, cookie insertion, HTTP content based). It depends on your requirements. One way to configure stickiness would be IP-based stickiness:
sticky ip-netmask 255.255.255.255 address (source|destination|both) group-name
  replicate sticky
  timeout xxx
  serverfarm serverfarm-name
Cisco makes a recommendation when configuring the netmask, see below:
Note If you configure a network mask other than 255.255.255.255 (/32), the ACE may populate the sticky entries only on one of its two network processors which may reduce the number of available sticky entries by 50 percent. This reduction in resources can cause problems when heavy sticky use occurs on the ACE.
Optionally, you can configure a backup serverfarm and make that sticky as well. Simply add the following to the 'serverfarm' in your sticky-config:
backup serverfarm-name sticky.
As far as SSL goes, you could configure end-to-end SSL on the ACE. Or I suppose you could do simple L4-based load balancing and not interfere with the SSL at all. End-to-end SSL is described here: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/endtoend.html
hth
/Ulrich
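Putting the pieces from the replies above together, here is an added example of an ACE configuration for the poster's case (it is not from the thread or from Cisco's documentation): an L4 HTTPS VIP with no SSL termination on the ACE, source-IP stickiness (the only kind the ACE can use when it cannot see inside the encrypted session), VPN1 alone in the primary farm and VPN2/VPN3 in a sticky backup farm, so the "multiple backup servers" limitation of backup-rserver does not apply. All names, the RFC 5737 addresses, port 443 on the VPN boxes and VLAN 100 are assumptions; the `!` lines are explanatory notes, and `replicate sticky` only has an effect if the ACE is in an FT (redundant) pair.

```text
! TCP probe on 443 so a failed VPN box is removed from rotation
probe tcp PROBE_TCP_443
  port 443
  interval 10
  faildetect 3
! Real servers (placeholder RFC 5737 addresses, not the poster's real ones)
rserver host RSRV_CITRIX_VPN1
  ip address 192.0.2.11
  inservice
rserver host RSRV_CITRIX_VPN2
  ip address 192.0.2.12
  inservice
rserver host RSRV_CITRIX_VPN3
  ip address 192.0.2.13
  inservice

! Primary farm holds only VPN1; traffic moves to the backup farm only when it fails
serverfarm host SFARM_CITRIX_VPN_PRIMARY
  probe PROBE_TCP_443
  rserver RSRV_CITRIX_VPN1 443
    inservice
serverfarm host SFARM_CITRIX_VPN_BACKUP
  probe PROBE_TCP_443
  rserver RSRV_CITRIX_VPN2 443
    inservice
  rserver RSRV_CITRIX_VPN3 443
    inservice

! Source-IP sticky with the /32 mask Cisco recommends; backup farm is sticky too
sticky ip-netmask 255.255.255.255 address source STICKY_CITRIX_VPN
  timeout 30
  replicate sticky
  serverfarm SFARM_CITRIX_VPN_PRIMARY backup SFARM_CITRIX_VPN_BACKUP sticky
! L4 VIP on the public address (placeholder); TLS passes through untouched
class-map match-all VIP_CITRIX_VPN_HTTPS
  2 match virtual-address 203.0.113.10 tcp eq 443

policy-map type loadbalance first-match LB_CITRIX_VPN
  class class-default
    sticky-serverfarm STICKY_CITRIX_VPN

policy-map multi-match POLICY_CLIENT_VLAN
  class VIP_CITRIX_VPN_HTTPS
    loadbalance vip inservice
    loadbalance policy LB_CITRIX_VPN

interface vlan 100
  service-policy input POLICY_CLIENT_VLAN
```

Because the ACE never decrypts here, the VPN boxes keep their own certificates from the certificate server and the ACE needs none; `show sticky database` and `show serverfarm SFARM_CITRIX_VPN_PRIMARY` are the commands to check that clients land on VPN1 and fail over as expected.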