How to achieve SSL offloading with Citrix NetScaler load balancers

John Joyner shows how the Citrix NetScaler load-monitoring service works and explains the benefits that it offers.

The importance of software and hardware solutions that perform network load balancing (NLB) continues to grow. A reason is that cloud-ready, resilient applications, which tolerate individual node failure, often depend on NLB to achieve high availability. Two or more nodes (servers) are grouped into a farm, and when physically or logically located behind a load balancer, achieve fault tolerance and scalability. An NLB service will monitor the status of farm members, and stop sending traffic to a node in the farm when that node is determined to be non-responsive.

For a long time, Windows has included an NLB feature that runs as a software service on a normal Windows computer. However, there are some limitations to the native Windows NLB service, and of course, not every server to be load-balanced is running Windows. There is a robust market for hardware and software NLB solutions to meet the need for stand-alone load balancing capability. Citrix has a novel NLB solution, the NetScaler family, that includes both hardware and software versions with identical usability. Figure A shows the software version of Citrix NetScaler running as a virtual machine (VM) inside a Microsoft private cloud.

Figure A - Software-only Citrix NetScaler load balancer appliance running as a Hyper-V guest VM

Configure a service to be load balanced

In the private cloud, load balancing is in demand for applications like Exchange, Lync, and SharePoint, as well as many enterprise "line of business" applications. To configure a load balanced service using Citrix NetScaler, follow these steps:

  1. Use your web browser to log into the NetScaler over the network.
  2. At the Configuration tab, navigate to the Load Balancing -> Servers node, right-click and select Add.
  3. For each server in the web farm, at Create Server, enter a server name and IP address.
  4. Navigate to the Load Balancing -> Services node, right-click and select Add.
  5. For each service (protocol) in the web farm, at Create Service, enter a service name, select the protocol type such as HTTPS, select a monitor appropriate for the protocol, and in the Server drop-down list, select the server created in step 3.
  6. At the Configuration tab, navigate to the Load Balancing -> Virtual Servers node, right-click and select Add.
  7. At Create Virtual Server (Load Balancing), enter a virtual server name, select a protocol, and select in the Services tab those services created in step 5.

Figure B shows the web-based administration interface of a NetScaler physical appliance, listing the load-balanced virtual servers such as a SharePoint Pool, Lync Front Ends, and Exchange Outlook Web Access.

Figure B - Each Virtual Server listed represents a load-balanced farm of two or more servers.

Import a certificate and enable SSL offload

A common practice to increase the scalability of SSL (Secure Sockets Layer) publishing solutions is to use SSL offloading, which relieves a web server of the processing burden of encrypting and decrypting traffic. Microsoft's Threat Management Gateway (TMG) and Unified Access Gateway (UAG) products achieve this using a "web listener" concept. Using familiar Windows certificate management tools, it's not too difficult to import a certificate into the TMG or UAG computer's certificate store, and select the certificate to map to the web listener. Obviously with Citrix NetScaler, there is quite a different method of importing an SSL certificate.

Perform the following steps to import an SSL certificate from a Windows environment to a Citrix NetScaler, and associate that certificate with a virtual server:

  1. Using the Certificates snap-in on your Windows computer, export the SSL certificate with private key to a .PFX file. Select ONLY the 'Include all certificates in the certification path if possible' option.
  2. Use your web browser to log into the NetScaler over the network.
  3. At the Configuration tab, navigate to the SSL node, and click the Import link in the Tools section. Figure C shows the .PFX file being imported and converted to a .PEM-format file on the NetScaler appliance.
  4. Click the Manage Certificates / Keys / CSRs link in the Tools section.
  5. Access the NetScaler with an SSH (telnet) utility and follow steps 3 to 9 from the "Convert the PKCS#12 certificate and install it on the NetScaler" section of this document.
  6. Test access to the load balanced SSL application.

Figure C - Importing an SSL certificate file with private key from Windows to the NetScaler.

TIP: To configure NetScaler to email an alert when certificates are nearing their expiration dates, follow the "Setting the Expiry Criteria for SSL Certificates" and "Configuring Event and Alarm Triggers" links at this Citrix support document.
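The conversion behind steps 3 to 5 above is a PKCS#12 to PEM conversion, and two things go wrong with it in practice: the .PFX was exported without the issuing chain (so clients get an incomplete chain from the appliance), or the key and certificate in the output do not belong together. The following shell script is an added example, not code from the article or from Citrix; it performs the same conversion with the openssl CLI and runs those checks, plus the expiry check that the TIP's alert automates, before the key pair is bound to an SSL virtual server. It assumes only that openssl is installed; the NetScaler CLI lines it writes follow Citrix's documented `add ssl certKey` / `bind ssl vserver` syntax, and the /nsconfig/ssl path, the object names and the test certificate are assumptions and constructed values, not taken from the article.

```shell
#!/bin/sh
# Added example (not NetScaler code, not from the article): openssl helpers for
# the .PFX -> PEM step and the checks worth running before binding the result
# to an SSL virtual server. Assumes only that the openssl CLI is installed.

# Dump a Windows-exported .PFX (PKCS#12) to one unencrypted PEM file holding the
# private key, the server certificate and any chain certificates included in
# the export. This is the conversion the appliance's Import tool performs.
#   $1 = .pfx path, $2 = .pfx password, $3 = output .pem
pfx_to_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -out "$3" 2>/dev/null
}

# Extract only the private key (unencrypted), only the server certificate, or
# only the chain certificates; separate files are what the certificate/key
# object on the appliance expects. Same arguments as pfx_to_pem.
pfx_key()         { openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" 2>/dev/null; }
pfx_leaf_cert()   { openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3" 2>/dev/null; }
pfx_chain_certs() { openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$3" 2>/dev/null; }

# Count the certificate blocks in a PEM file: more than one means the
# "Include all certificates in the certification path" option really did
# carry the chain, so the appliance can send intermediates to clients.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Return 0 when the public half of the private key equals the public key in
# the certificate, i.e. the export really contained the matching private key.
#   $1 = key .pem, $2 = certificate .pem
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 when the certificate is still valid $2 days from now, the same
# lead time an expiry alert is meant to give you.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Write the NetScaler CLI commands that install the key pair and bind it to an
# SSL virtual server. Syntax follows Citrix's documented CLI; the /nsconfig/ssl
# path and the object names are assumptions, not values from the article.
#   $1 = certkey object name, $2 = SSL vserver name, $3 = output batch file
write_ns_batch() {
    printf 'add ssl certKey %s -cert /nsconfig/ssl/%s.crt -key /nsconfig/ssl/%s.key\n' "$1" "$1" "$1" > "$3"
    printf 'bind ssl vserver %s -certkeyName %s\n' "$2" "$1" >> "$3"
}

# Constructed test fixture: a throw-away private CA, a 30-day leaf certificate
# for lb.example.test signed by it, and a .PFX exported the way step 1 above
# describes (private key plus the issuing chain).  $1 = work dir, $2 = password
make_test_pfx() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=lb.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" \
        -certfile "$d/ca.pem" -passout "pass:$2" -out "$d/site.pfx"
}

# Stand-alone use:  sh pfxcheck.sh site.pfx 'pfx-password' /path/to/outdir
if [ $# -eq 3 ]; then
    pfx_key "$1" "$2" "$3/site.key"
    pfx_leaf_cert "$1" "$2" "$3/site.crt"
    pfx_chain_certs "$1" "$2" "$3/site-chain.crt"
    key_matches_cert "$3/site.key" "$3/site.crt" && echo "key matches certificate"
    [ "$(cert_count "$3/site-chain.crt")" -gt 0 ] || echo "WARNING: no chain certificates in the .PFX"
    cert_valid_for_days "$3/site.crt" 30 || echo "WARNING: certificate expires within 30 days"
    write_ns_batch site vs_web_ssl "$3/install.ns"
fi
```

Run the key-match and chain-count checks on the PEM output before uploading it; a mismatched key only shows up later as a TLS handshake failure on the virtual server, and a missing intermediate only shows up in clients that do not already cache it.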

By John Joyner

John Joyner, MCSE, CMSP, MVP Cloud and Datacenter Management, is senior architect at ClearPointe, a cloud provider of systems management services. He is co-author of the "System Center Operations Manager: Unleashed" book series from Sams Publishing, ...