GSLB Planning
Citrix has a good DNS and GSLB Primer.
When configuring GSLB, don’t forget to ask “where is the data?”. For XenApp/XenDesktop, DFS multi-master replication of user profiles is not supported so configure “home” sites for users. More information at Citrix Blog Post XenDesktop, GSLB & DR – Everything you think you know is probably wrong!
GSLB can be enabled both externally and internally. For external GSLB, configure it on the DMZ NetScaler appliances and expose it to the Internet. For internal GSLB, configure it on internal NetScaler appliances. Note: each NetScaler appliance has only one DNS table, so if you try to use one NetScaler for both public and internal GSLB, external users can query the internal GSLB-enabled DNS names and learn your internal addresses. Keep the two on separate appliances.
Some IP Addresses are needed on each NetScaler pair:
A SNIP that will listen for ADNS queries. For external, create a public IP for the SNIP and open UDP 53 so Internet-based DNS servers can reach it. The ADNS service type answers UDP only; if you also need TCP 53 (for example for large responses), add a second service of type ADNS_TCP on the same SNIP and open TCP 53 as well.
A SNIP that will be used for NetScaler-to-NetScaler communication. This is called MEP or Metric Exchange Protocol. The SNIP for ADNS can also be used for MEP.
For external GSLB, create public IPs that are NAT’d to the MEP SNIPs. The same public IP used for ADNS can also be used for MEP. MEP should be routed across the Internet so NetScaler can determine if the remote datacenter has Internet connectivity or not.
Open TCP 3009 and TCP 22 between the two appliances' MEP public IPs. Restrict these rules so that only the remote NetScaler can reach them; no other device on the Internet should be able to connect to these ports. TCP 3009 carries MEP once the RPC node is set to Secure (encrypted), and TCP 22 is SSH, used by GSLB Configuration Sync. Until the RPC node is switched to Secure, MEP tries to use unencrypted TCP 3011, which these rules deliberately do not open.
To use GSLB Configuration Sync, open ports TCP 22, TCP 3008, and TCP 3010 from the NSIP (management IP) to the remote public IP that is NAT’d to the MEP SNIP.
The purpose of GSLB is to resolve a DNS name to one of several potential IP addresses. These IP addresses are usually public IPs that are NAT’d to existing Load Balancing, SSL Offload, Content Switching, or NetScaler Gateway VIPs in each datacenter.
In summary, for external GSLB, you will need a minimum of two public IPs in each datacenter:
One public IP that is NAT’d to the SNIP that is used for ADNS and MEP. You only need one ADNS/MEP IP no matter how many GSLB names are configured.
One public IP that is NAT’d to a Load Balancing, SSL Offload, Content Switching, or NetScaler Gateway VIP.
If you GSLB-enable multiple DNS names, each DNS name usually resolves to different IPs. This usually means that you will need additional public IPs NAT’d to additional VIPs.
ADNS
Identify a SNIP that you will use for MEP and ADNS.
Configure a public IP for the SNIP and configure firewall rules.
If you wish to use GSLB configuration sync then management access (SSH) must be enabled on this SNIP.
On the left, expand Load Balancing and click Services.
On the right, click Add.
Name the service ADNS or similar.
In the IP Address field, enter an appliance SNIP.
In the Protocol field, select ADNS. Then click OK.
Scroll down and click Done.
On the left of the console, expand System, expand Network and then click IPs.
On the right, you’ll see the SNIP as now being marked as the ADNS svc IP. If you don’t see this yet, click the Refresh icon.
Repeat on the other appliance in the other datacenter.
Metric Exchange Protocol
Open the firewall rules for Metric Exchange Protocol. You can use the same SNIP and same public IP used for ADNS.
On the left, expand Traffic Management, right-click GSLB and enable the feature.
Expand GSLB and click Sites.
On the right, click Add.
Add the local site first. Enter a descriptive name and in the Site Type select LOCAL.
In the Site IP Address field, enter an appliance SNIP. This SNIP must be in the default Traffic Domain.
For external GSLB, in the Public IP Address field, enter the public IP that is NAT’d to the SNIP. For internal GSLB, there’s no need to enter anything in the Public IP field. Click Create.
Go back to System > Network > IPs and verify that the DMZ SNIP is now marked as a GSLB site IP. If you don’t see it yet, click the Refresh button.
Go to the other appliance and also create the local site using its SNIP and its public IP that is NAT’d to the SNIP.
Its SNIP should now be marked as GSLB site IP.
Now on each appliance add the Remote site. Add another GSLB Site.
Enter a descriptive name and select REMOTE as the Site Type.
Enter the other appliance’s actual SNIP as configured on the appliance. This IP does not need to be reachable.
In the Public IP field, enter the public IP that is NAT’d to the MEP SNIP on the other appliance. TCP 3009 and TCP 22 must be open to this IP (TCP 3011 only if you intend to leave MEP unencrypted, which is not recommended). Click Create.
Repeat on the other appliance.
MEP will not function yet because the RPC node that was automatically created for the remote site defaults to unencrypted communication on TCP 3011, which the firewall does not allow. To fix that, on the left, expand System, expand Network and click RPC.
On the right, edit the new RPC address (the other site’s GSLB Site IP) and click Open.
On the bottom, check the box next to Secure and click OK. MEP now runs encrypted on TCP 3009. While you are in this dialog, also replace the default RPC node password with a strong one; it must be identical on both appliances.
Do the same thing on the other appliance.
If you go back to GSLB > Sites, the remote site should now show a status of ACTIVE.
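The CLI equivalent of the ADNS and GSLB Site steps above, run on both appliances, as an added example that is not part of the original post. The site names DC1 and DC2, the SNIPs 10.1.1.10 and 10.2.2.10, the public IPs 203.0.113.10 and 198.51.100.10, and the RPC password placeholder are all assumed; substitute your own.

```text
# ===== On the DC1 appliance (SNIP 10.1.1.10, NAT'd to 203.0.113.10) =====
# ADNS listener on the SNIP (UDP 53). Add a second service of type ADNS_TCP
# on the same SNIP if TCP 53 is also required.
add service svc_ADNS 10.1.1.10 ADNS 53
enable ns feature GSLB

# Local site first, then the remote site. The remote site IP is DC2's real
# SNIP (need not be reachable); its Public IP is what MEP actually connects to.
add gslb site DC1 LOCAL  10.1.1.10 -publicIP 203.0.113.10
add gslb site DC2 REMOTE 10.2.2.10 -publicIP 198.51.100.10

# Adding the REMOTE site auto-creates an RPC node for 10.2.2.10 with Secure
# off, i.e. cleartext MEP on TCP 3011. Switch it to encrypted MEP on TCP 3009
# and replace the default RPC password (assumed placeholder; use the same
# value on both appliances).
set ns rpcNode 10.2.2.10 -secure YES -password <strong-shared-secret>

# Verify: the SNIP should be flagged as ADNS service IP and GSLB site IP,
# and the remote site should report ACTIVE once DC2 is configured too.
show ns ip 10.1.1.10
show gslb site DC2
save ns config

# ===== On the DC2 appliance (SNIP 10.2.2.10, NAT'd to 198.51.100.10) =====
add service svc_ADNS 10.2.2.10 ADNS 53
enable ns feature GSLB
add gslb site DC2 LOCAL  10.2.2.10 -publicIP 198.51.100.10
add gslb site DC1 REMOTE 10.1.1.10 -publicIP 203.0.113.10
set ns rpcNode 10.1.1.10 -secure YES -password <strong-shared-secret>
show gslb site DC1
save ns config
```

Note that the firewall in front of each public IP should permit TCP 3009 and TCP 22 only from the other site's MEP public IP; if `show gslb site` stays at a non-ACTIVE state after both appliances are done, the usual causes are that 3009 is blocked or that the RPC node on one side is still non-secure.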
GSLB Services
Start on the appliance in the primary data center. This appliance should already have a Virtual Server for the web service or NetScaler Gateway service that you are trying to GSLB enable.
On the left, expand Traffic Management > GSLB and click Services.
On the right, click Add.
The service name should be similar to the DNS name that you are trying to GSLB. Include the site name in the service name.
Select the LOCAL Site.
On the bottom part, select Virtual Servers and then select a Virtual Server that is already defined on this appliance. It should automatically fill in the other fields. If you see a message asking if you wish to create a service object, click Yes.
Make sure the Service Type matches the Virtual Server you selected (SSL for an SSL or NetScaler Gateway Virtual Server).
The Public IP field contains the IP address that the GSLB ADNS service will hand out to clients, so it must be reachable by users. It does not need to be an IP owned by a NetScaler.
Scroll down and click OK.
Attach a monitor under the following conditions:
If the GSLB Service IP is in a non-default Traffic Domain then you will need to attach a monitor. GSLB cannot determine the state of Virtual Servers in non-default Traffic Domains.
If the GSLB Service IP is not hosted on a NetScaler. Only monitors can determine if it is up or not.
Otherwise, there’s no need to bind a monitor.
Click Done.
On the DR datacenter NetScaler, create a GSLB Service.
Select the REMOTE site that is hosting the service.
Since the service is on a different appliance and not this one, you won’t be able to select it using the Virtual Servers option. Instead, click New Server.
For the Server IP, enter the actual VIP configured on the other appliance. The DR NetScaler will use MEP to communicate with the primary NetScaler to find a Virtual Server with this VIP. The primary NetScaler will use MEP to tell the DR NetScaler if this Virtual Server is up or not. The Server IP configured here does not need to be reachable by this appliance.
In the Public IP field, enter the IP address that will be handed out to clients. This is the IP address that users will use to connect to the service.
Change the Service Type to match the Virtual Server defined on the other appliance.
Click OK and then click Done.
If active/active, add a GSLB service for the VIPs in each datacenter. If the service is active in two datacenters you will create two GSLB services on each appliance. Each GSLB service resolves to a different VIP.
If you configured a GSLB service for a VIP that is on a remote appliance then the GSLB Service will show as Up if MEP was successful at finding the Virtual Server VIP on the other appliance.
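The same GSLB Services defined from the CLI on both appliances, as an added example that is not part of the original post. It continues the assumed DC1/DC2 sites and public IPs from above; the Gateway VIPs 10.1.1.20 and 10.2.2.20, their public IPs 203.0.113.20 and 198.51.100.20, and the third-party host 192.0.2.20 are assumed placeholders.

```text
# ===== On the DC1 appliance =====
# Local service: 10.1.1.20 is an existing Gateway VIP on this appliance, so
# state comes from the local Virtual Server. Giving the IP directly creates
# the server object implicitly (the GUI's "New Server" step).
add gslb service gsvc_gateway_DC1 10.1.1.20 SSL 443 -siteName DC1 -publicIP 203.0.113.20 -publicPort 443
# Remote service: the VIP lives on DC2; DC2 reports its state over MEP, so
# 10.2.2.20 does not need to be reachable from here.
add gslb service gsvc_gateway_DC2 10.2.2.20 SSL 443 -siteName DC2 -publicIP 198.51.100.20 -publicPort 443

# ===== On the DC2 appliance (same services, local/remote roles swapped) =====
add gslb service gsvc_gateway_DC2 10.2.2.20 SSL 443 -siteName DC2 -publicIP 198.51.100.20 -publicPort 443
add gslb service gsvc_gateway_DC1 10.1.1.20 SSL 443 -siteName DC1 -publicIP 203.0.113.20 -publicPort 443

# Only when MEP cannot judge the state (VIP in a non-default Traffic Domain,
# or the IP is not a NetScaler VIP at all) bind a monitor so the service is
# probed directly. Example: a service whose IP is not hosted on any NetScaler,
# probed with the built-in https monitor.
add gslb service gsvc_gateway_3rdparty 192.0.2.20 SSL 443 -siteName DC2 -publicIP 192.0.2.20 -publicPort 443
bind gslb service gsvc_gateway_3rdparty -monitorName https

# Verify: the remote service shows UP once MEP has found the matching VIP
# on the other appliance.
show gslb service gsvc_gateway_DC1
show gslb service gsvc_gateway_DC2
```

For active/active the same two services are what gets bound to one GSLB Virtual Server; for active/passive they are split across an active and a passive one, which the next section covers.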
GSLB Virtual Server
The GSLB Virtual Server is the entity that the DNS name is bound to.
On the left, expand Traffic Management > GSLB and click Virtual Servers.
On the right, click Add.
Give it a descriptive name. For active/active, you can name it the same as your DNS name. For active/passive, you will create two GSLB Virtual Servers, one for each datacenter, so include Active or Passive in the Virtual Server name.
Click OK.
On the right, in the Advanced Settings column, click Service.
On the left, click where it says No GSLB Virtual Server to GSLBService Binding.
Click the arrow next to Click to select.
Check the box next to an existing GSLB Service and click Select. If your GSLB is active/passive then only bind one service.
If your GSLB is active/active then bind multiple GSLB Services. You will also usually need GSLB persistence so a client stays at one site (source IP persistence on the GSLB Virtual Server, or cookie-based site persistence on the GSLB Services).
Click Bind.
On the right, in the Advanced Settings column, click Domains.
On the left, click where it says No GSLB Virtual Server Domain Binding.
Enter the FQDN that GSLB will resolve.
If this GSLB is active/passive, there are two options:
Use the Backup IP field to specify the IP address that will be handed out if the primary NetScaler is inaccessible or if the VIP on the primary appliance is marked down for any reason.
Or, leave Backup IP empty and instead use a second, passive GSLB Virtual Server as the Backup Virtual Server. That second Virtual Server is created after this one, as described below.
Click Bind.
Click Done.
If you are configuring active/passive using the backup GSLB Virtual Server method, create a second GSLB Virtual Server that has the passive GSLB service bound to it. Don’t bind a Domain to the second GSLB Virtual Server. Then edit the Active GSLB Virtual Server and use the Backup Virtual Server section to select the second GSLB Virtual Server.
On the left, if you expand DNS, expand Records and click Address Records, you’ll see a new DNS record for the GSLB domain you just configured. Notice it is marked as GSLB DOMAIN.
Create an identical GSLB Virtual Server on the other NetScaler appliance. The other NetScaler needs to resolve the DNS name in an identical fashion.
You can also synchronize the GSLB configuration with the remote appliance by going to Traffic Management > GSLB.
On the right, click Synchronize configuration on remote sites.
Use the check boxes on the top, if desired. It’s usually a good idea to Preview the changes before applying them. Then click OK to begin synchronization.
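The GSLB Virtual Server, domain binding, active/passive options and sync from the CLI, as an added example that is not part of the original post. It continues the assumed gsvc_gateway_DC1 and gsvc_gateway_DC2 services and the DR public IP 198.51.100.20 from the previous examples; the Virtual Server names and the 30-minute persistence timeout are assumed.

```text
# Active/passive using a backup GSLB vserver. Only the active vserver gets
# the domain; the passive one just holds the DR service.
add gslb vserver gslb_gateway_active SSL
add gslb vserver gslb_gateway_passive SSL
bind gslb vserver gslb_gateway_active  -serviceName gsvc_gateway_DC1
bind gslb vserver gslb_gateway_passive -serviceName gsvc_gateway_DC2
bind gslb vserver gslb_gateway_active -domainName gateway.corp.com -TTL 5
set gslb vserver gslb_gateway_active -backupVServer gslb_gateway_passive

# Simpler alternative (Backup IP method): skip the passive vserver and put
# the DR public IP on the domain binding instead of the bind line above:
#   bind gslb vserver gslb_gateway_active -domainName gateway.corp.com -TTL 5 -backupIP 198.51.100.20

# Active/active instead: both services on one vserver, with source IP
# persistence so a client keeps resolving to the site it first landed on
# (assumed 30-minute timeout). Use this in place of the active/passive block.
#   add gslb vserver gslb_gateway SSL -persistenceType SOURCEIP -persistMask 255.255.255.255 -timeout 30
#   bind gslb vserver gslb_gateway -serviceName gsvc_gateway_DC1
#   bind gslb vserver gslb_gateway -serviceName gsvc_gateway_DC2
#   bind gslb vserver gslb_gateway -domainName gateway.corp.com -TTL 5

# The domain now exists as a GSLB-owned address record.
show dns addRec gateway.corp.com

# Bring the other site in line. Preview first: the output lists exactly what
# would be added or changed on the remote appliance before anything is pushed.
sync gslb config -preview
sync gslb config
save ns config
```

The preview step matters because sync overwrites the remote site's GSLB objects with this appliance's view; run it from the appliance whose configuration you consider authoritative.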
DNS Delegation
DNS Delegation instructions will vary depending on what product is being used to host the public DNS zone. This section details Microsoft DNS but it should be similar in BIND or web-based DNS products.
If you are enabling GSLB for the domain gateway.corp.com, you’ll need to create a delegation at the server that is hosting the corp.com DNS zone. For public GSLB, you need to edit the public DNS zone for corp.com.
There are two ways to delegate GSLB-enabled DNS names to NetScaler ADNS:
Delegate the individual record. For example, delegate gateway.corp.com to the two NetScaler ADNS services (gslb1.corp.com and gslb2.corp.com).
Delegate an entire subzone. For example, delegate the subzone gslb.corp.com to the two NetScaler ADNS services. Then create a CNAME record in the parent DNS zone for gateway.corp.com that is aliased to gateway.gslb.corp.com. When DNS queries make it to NetScaler, they will be for gateway.gslb.corp.com and thus gateway.gslb.corp.com needs to be bound to the GSLB Virtual Server instead of gateway.corp.com. For additional delegations, simply create more CNAME records.
This section covers the first method – delegating an individual DNS record:
Run DNS Manager.
First, create Host Records pointing to the ADNS services running on the NetScalers in each data center. These host records for ADNS are used for all GSLB delegations no matter how many GSLB delegations you need to create.
The first Host record is gslb1 (or similar) and should point to the DMZ SNIP (public IP) on one of the NetScaler appliances that is enabled for ADNS.
The second Host record is gslb2 and should point to the DMZ SNIP (public IP) on the other NetScaler appliance that is enabled for ADNS.
If you currently have a host record for the service that you are delegating to GSLB (gateway.corp.com), delete it.
Right-click the parent DNS zone and click New Delegation.
In the Welcome to the New Delegation Wizard page, click Next.
In the Delegated Domain Name page, enter the left part of the DNS record that you are delegating (e.g. gateway). Click Next.
In the Name Servers page, click Add.
This is where you specify gslb1.corp.com and gslb2.corp.com. Enter gslb1.corp.com and click Resolve. Then click OK. If you see a message about the server not being authoritative for the zone, ignore the message.
Then click Add to add the other GSLB ADNS server.
Once both ADNS servers are added to the list, click Next.
In the Completing the New Delegation Wizard page, click Finish.
If you run nslookup against your Microsoft DNS server, it responds with Non-authoritative answer. That is because the Microsoft server is no longer authoritative for the delegated name; it followed the delegation and got the answer from the NetScaler ADNS.
You can also point nslookup to your NetScaler ADNS services and submit DNS queries.
That’s all there is to it. Your NetScalers are now DNS servers for the delegated names. For active/passive, the NetScalers hand out the public IP address of the primary data center. When the primary data center is not accessible, or its VIP is down, GSLB hands out the Backup IP (or the service IP of the backup GSLB Virtual Server), which is the DR data center.
Geo Location Database
If you want to use DNS Policies or Static Proximity GSLB Load Balancing or Responders based on user’s location, import a geo location database. Common free databases are:
GeoLite Legacy – http://dev.maxmind.com/geoip/legacy/geolite/
IP2Location Lite – http://lite.ip2location.com/
For IP2Location, see the blog post Add IP2Location Database as NetScaler’s Location File for instructions on how to import.
For GeoLite Legacy:
Download the GeoLite Country database CSV from http://dev.maxmind.com/geoip/legacy/geolite/.
On the NetScaler appliance, create the directory /var/geoip.
Copy the location database to the appliance.
In the NetScaler GUI, on the left, expand AppExpert, expand Location and click Static Database (IPv4).
On the right, click Add.
Browse to the location database file.
In the Location Format field, select geoip-country and click Create.
When you open a GSLB Service, the public IP will be translated to a location.
You can use the Geo locations in a DNS Policy, static proximity GSLB Load Balancing, or Responders:
Citrix Knowledgebase article CTX130701 – How to Block Access to a Website Using a Location Database Based on User’s Country
Neil Spellings blog post – Using Netscaler HTTP callouts for real-time GeoIP and anonymous proxy detection
Citrix eDocs – Overriding Static Proximity Behavior by Configuring Preferred Locations
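The CLI version of the location import above, followed by the three ways the page lists for using the locations, as an added example that is not part of the original post. The CSV filename GeoIPCountryWhois.csv, the GSLB Virtual Server gslb_gateway, the load balancing Virtual Server lb_gateway, and the DE/US country choices are assumed.

```text
# Import the GeoLite Legacy country CSV that was copied to /var/geoip
# (filename assumed). geoip-country tells NetScaler how to parse the columns.
add locationFile /var/geoip/GeoIPCountryWhois.csv -format geoip-country
# Confirms the database loaded and how many ranges it contains.
show locationParameter

# 1. Static proximity GSLB: answer with the service whose public IP is
#    geographically closest to the querying resolver. Note that the location
#    seen is the resolver's, not the end user's, unless EDNS client subnet
#    is passed through.
set gslb vserver gslb_gateway -lbMethod STATICPROXIMITY

# 2. DNS policy with a preferred location: resolvers in Germany (assumed)
#    are steered to services located in *.DE.*.*.*.* when such exist.
add dns policy pol_prefer_de "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.DE.*.*.*.*\")" -preferredLocation "*.DE.*.*.*.*"
bind dns global pol_prefer_de 100

# 3. Responder: silently drop requests to the Gateway LB vserver from any
#    client not located in the US (assumed policy; built-in DROP action).
add responder policy rsp_drop_non_us "!CLIENT.IP.SRC.MATCHES_LOCATION(\"*.US.*.*.*.*\")" DROP
bind lb vserver lb_gateway -policyName rsp_drop_non_us -priority 100 -gotoPriorityExpression END -type REQUEST
save ns config
```

Treat a country-level block as a nuisance filter rather than an access control: the database is a best-effort mapping, and anyone with a VPN or proxy in the allowed country passes it.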