Friday, February 24, 2012

Configuring Microsoft Windows NLB (Network Load Balancing) for Citrix Web Interface 5.4 on Windows Server 2008 R2

I’m aware that Citrix has the public KB:

How to Configure Windows Network Load Balancing and Web Interface
http://support.citrix.com/article/CTX108812

… available but I noticed that the KB references Windows Server 2008 R2.  Since my environment consists of Windows Server 2008 R2, I went ahead and tried to search for a KB that showed how to configure NLB with Windows Server 2008 R2 but wasn’t able to find one.  I’ve done several NLBs in the past so rather than calling Citrix to ask, I just went ahead and configured it.  The following demonstrates what the process looks like.

Start by logging on to both of your Citrix Web Interface servers, open Server Manager, navigate to the Features node and click on Add Features:

Continue and check the Network Load Balancing feature to install NLB:

Once the Network Load Balancing feature is installed, open up the Network Load Balancing Manager from the Administrative Tools folder:

Once you’re in the Network Load Balancing Manager console, click on the Cluster folder and select New:

Continue by adding the IP or name of your first Web Interface server:

Click the Connect button after you’ve entered the IP or name:

You should see the status Connected under the Connection status heading:

Proceed by clicking Next and you'll be asked to assign a priority, which is also the unique host identifier. The dedicated IP address should be entered for you automatically, as your server should be single-homed (1 NIC):

Proceeding to the next screen will bring you to the New Cluster: Cluster IP Addresses window.  Click on the Add button:

In the Add IP Address window, proceed with entering your VIP (Virtual IP Address):

Once you’ve entered the VIP for the NLB cluster, you should see it listed in the New Cluster: Cluster IP Addresses window:

Proceeding to the next screen will allow you to select the cluster’s IP address and enter the Full Internet name which is what you’ve decided to use for your DNS name:

It’s important to note that we’ll be using Multicast mode for the cluster’s operation mode and rather than trying to explain it myself, refer to the following article if you want to know the difference between Unicast and Multicast:

http://technet.microsoft.com/en-us/library/cc782694(v=ws.10).aspx

**Note that because we're using multicast mode for this cluster, you'll need to ask your network engineer to create a static ARP entry on the layer 3 device with the MAC address listed in the Network address field:

Proceeding to the next screen will allow you to edit the port rules. As best practice, you should lock down Web Interface servers by only allowing ports 80 and 443 to limit the attack surface:

I won't go into this, but what you need to do is remove the port rule that covers 0 to 65535 and add 2 separate port rules (one for 80 and one for 443) in the port rules window.

Once you’ve clicked the Finish button, the cluster will be created.  A successful cluster creation in Network Load Balancing Manager will look something like the following:

Now that we have our first Web Interface server added, proceed with adding the second Web Interface server by clicking on Cluster then Add Host:

Proceed with adding the IP or name of the second web interface server as you did with the first one:

Assign a priority and ensure the dedicated IP address is correct:

Configure the appropriate ports:

Complete the configuration and you’ll see the second node being added:

Upon completion of the convergence, you’ll see something similar to the following:

This completes the configuration, but make sure you ask your network engineer to create a static ARP entry on the layer 3 device with the MAC address of the cluster (mapped to the VIP). To retrieve that MAC address, right-click the cluster and click on Cluster Properties:

Within the cluster's properties, click on the Cluster Parameters tab to get the MAC address of the cluster:

Note that your web interface’s NIC’s MAC address does not change:

Also note that NLB only protects you against a server going down; it does not detect failures at the service level.
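
The same build can be scripted with the NetworkLoadBalancingClusters PowerShell module on Windows Server 2008 R2. This is an added example, not part of the original walkthrough: the NIC name, VIP, DNS name and second server name are placeholders, and the Disabled rules for the unused port ranges go beyond the two rules described above.

```powershell
# Added example, not from the original post. Run elevated on the first Web
# Interface server. NIC name, VIP, DNS name and node name are placeholders.
$Nic     = 'Local Area Connection'
$Vip     = '192.0.2.50'
$Mask    = '255.255.255.0'
$DnsName = 'wi.example.com'
$Node2   = 'WI02'

# Install the feature and its tools (repeat this step on the second server).
Import-Module ServerManager
Add-WindowsFeature NLB, RSAT-NLB | Out-Null
Import-Module NetworkLoadBalancingClusters

# Create the cluster on this host in multicast mode.
$cluster = New-NlbCluster -InterfaceName $Nic -ClusterName $DnsName `
    -ClusterPrimaryIP $Vip -SubnetMask $Mask -OperationMode Multicast

# Remove the default 0-65535 rule, then load balance only ports 80 and 443.
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
foreach ($port in 80, 443) {
    $cluster | Add-NlbClusterPortRule -StartPort $port -EndPort $port `
        -Protocol Both | Out-Null
}

# NLB hands cluster-IP traffic that matches no port rule to the default
# (highest-priority) host, so the remaining ranges are blocked explicitly
# with Disabled rules. This step is an addition to the post's two rules.
foreach ($range in (0, 79), (81, 442), (444, 65535)) {
    $cluster | Add-NlbClusterPortRule -StartPort $range[0] -EndPort $range[1] `
        -Protocol Both -Mode Disabled | Out-Null
}

# Join the second server; it picks up the cluster's port rules on joining.
$cluster | Add-NlbClusterNode -NewNodeName $Node2 -NewNodeInterface $Nic | Out-Null

# Review the result before handing the VIP to users.
Get-NlbClusterNode | Format-Table -AutoSize
Get-NlbClusterPortRule | Sort-Object StartPort | Format-Table -AutoSize

# In multicast mode NLB derives the cluster MAC as 03-BF plus the four VIP
# octets in hex. Confirm it against the Cluster Parameters tab before the
# static ARP entry is created on the layer 3 device.
$mac = '03-BF-' + (($Vip.Split('.') | ForEach-Object { '{0:X2}' -f [int]$_ }) -join '-')
"Static ARP entry: $Vip -> $mac"
```

Port rules apply only to traffic addressed to the cluster VIP, so management access to each server's dedicated IP is not affected by the Disabled rules.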
