Citrix VPN with Cisco ACE

wasiimcisco · ‎06-09-2010

Hi,

I have ACE 4710 in routed mode. I am in process of deploying Citrix VPN soultion (3 boxes). Client will access the Citrix VPN url through the HTTPS.

I want to use the ACE for redundency not load balancing. All the traffic always goes to Server 1 and in case of failure it should go the next not like round roubin fashion.

I will also have a certificate server seperatly for Citrix VPN.

How I will configure the stickyness for HTTPS. Internet client will access the Citrix VPN through HTTPS on the Public IP address.

I have server load balancing only on HTTP in the current setup this if first time I am going with HTTPS, with certificate server.

Plese let know me how to achieve this any exmaple or past deployment any hint.

Please help me out.

UHansen1976 · ‎06-10-2010

One option would be:

1) configure your VPN-boxes as individual rservers.

rserver host RSRV_CITRIX_VPN1

ip addr x.x.x.x

inservice

rserver host RSRV_CITRIX_VPN2

ip addr x.x.x.x

inservice

rserver host RSRV_CITRIX_VPN3

ip addr x.x.x.x

inservice

2) configure a serverfarm, which could look something like this:

serverfarm host SFARM_CITRIX_VPN

probe probename

rserver RSRV_CITRIX_VPN1

inservice

backup-rserver RSRV_CITRIX_VPN2

However, I'm not sure you can have multible backupservers, which would leave VPN3 unnecessary.

Is there any particular reson why you don't want to loadbalance your https-traffic? I understand, that you're already doing http-loadbalance. Indeed, if you do decide to loadbalance your https, you need to configure stickyness. And even with loadbalancing enabled, there are several ways to manipulate with the rserver-selection. Weight and the built-in predictor mechanisms. In my opinion the benefits of doing loadbalancing far outweighs the drawbacks, unless it's some kind of license issue with your VPN-boxes, where only one is licensed to be active at any given time.

wasiimcisco · ‎06-10-2010

Thanks for the reply,

I will check with the Citrix team for teh license limitation.

But I want to know how I will do the HTTPS stickness Because I didnt find any option of HTTPS in stick session.

Also in my deployment there is no SSL offload, I need the HTTPS session directly on the VIP. Will there be some special configuration require and how I will get the certificate from the certificate server.

Please let me know how to achieve it.

UHansen1976 · ‎06-11-2010

There are multible ways to configure stickyness (sticky-ip, cookie-insertion, http-content based). It depends on your requirements. One way to configure stickyness would be ip-based stickyness:

sticky ip-netmask 255.255.255.255 address (source|destination|both) group-name

replicate sticky

timeout xxx

serverfarm serverfarm-name

Cisco makes a recommendation when configuring the netmask, see below:

Note If you configure a network mask other than 255.255.255.255 (/32), the ACE may populate the sticky entries only on one of its two network processors which may reduce the number of available sticky entries by 50 percent. This reduction in resources can cause problems when heavy sticky use occurs on the ACE.

Optionally, you can configure a backup serverfarm and make that sticky as well. Simply add the following to the 'serverfarm' in your sticky-config:

backup serverfarm-name sticky.

As far as SSL goes, you could configure end-to-end ssl on the ACE. Or I suppose you could do simple L4-based loadbalancing and not interfere with the ssl it all. End-to-end ssl is described here http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/endtoend.html

hth

/Ulrich