Netscaler 12 – Load balancer – Reverse Proxy – SSL Proxy Configuration Steps

This post covers load balancing in Netscaler with reverse proxy, SSL proxy or SSL offload. There is a lot of confusion about how to do reverse proxy, SSL proxy or SSL offload. In Netscaler terms it is very simple: select SSL as the virtual server type and bind a valid certificate to it, and the configuration is done. It is as simple as that. We will take a scenario and work through it in this post.

 

My infrastructure details

We have two internal web/app servers that need to be load balanced. Our servers work on port TCP_80 (HTTP); however, we want users to connect on HTTPS TCP_443, the servers to be load balanced, and Netscaler to act as reverse proxy and do SSL offload.

Our web servers :
Server 1: 192.168.1.150
Server 2: 192.168.1.151

Internal Server Port:
Http ( TCP_80)

External Server Port:
Https (TCP_443)

Certificate :
Already installed in Netscaler with key file.

Follow link to Generate CSR and install Certificate in Netscaler

Netscaler Virtual IP: 192.168.1.162

DNS record for URL: apps.sslab.com ( point to VIP 192.168.1.162)

 

Netscaler Load Balancer Design and Traffic flow

 

As seen above, our servers listen on port 80, and Netscaler will load balance and act as reverse proxy on port 443 (HTTPS). You might have more than two servers, and I have seen cases where people have only one server. In some cases the backend port is not 80; it might be 8443, 443 or something else. This post applies to all of these scenarios.

Step 1: Create the servers.

Step 2: Create service group.

Step 3: Create load balancing virtual server.

Create Servers

Go to Traffic Management – Load balancing – servers – ADD

Add both web servers, provide Name and IP and Create.

Both servers are shown below and their state should be Enabled. Please note that a green Enabled state only means the server is enabled from Netscaler's side; whether it is listening on the port and working will only be known after creating the service group.

Create Service Group for servers

Select Service Groups under load balancing – ADD

Provide Name and Protocol as HTTP – OK

Please note: if your backend server is on SSL, select SSL here.

Click on Add Members to add the servers created above.

Select Server Based.

Select both servers and click Select.

Select port 80 and click Create; this will bind the servers to the service group.

If your server is listening on 443 or something else, mention that port here.

Select OK.

Add monitors as shown below: click on the right monitor and select it.

Select it.

Click select monitor and select TCP – bind

Click Done

Now as you can see the service group is created and UP, meaning all the backend servers are reachable and working.

Create Load Balancer Virtual server for Reverse proxy or SSL proxy

This is the important part. Now click on Virtual Servers under Load Balancing and click ADD.

Provide Name : vSRV-Apps

Protocol: SSL

IP Type: IP address

IP Address : the VIP that users will connect 192.168.1.162

Port : 443 ( the port users will use to connect, this can be changed if you need)

Select service group binding.

Select the group created earlier and click Select.

Bind

Click continue for further steps.

Select Server Certificate to bind the certificate.

Select the certificate and click Select.

Review and bind the certificate.

Continue

If you would like to disable SSLv3 or other weak protocols, it can be done as shown below. Ignore this if not required and click Done.

Unselect whatever is not required.

Review the whole config and click Done.

Review and Save configuration

The final thing to do is check that the service is up and click Save.

Click Yes to save.
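An added example, not part of the original post or Citrix code: a small Python check that reads NetScaler CLI-style configuration text and reports, for each SSL load balancing virtual server, a missing certificate binding, weak protocols that are not explicitly disabled, and cleartext HTTP backends. The sample configuration is constructed to mirror the GUI steps above; the server names web1/web2 and the certkey name apps-certkey are assumptions, and SVG-APPS is the service group name a reader quotes in the comments.

```python
import shlex

# Constructed sample: CLI lines equivalent to the GUI steps in this post.
# Server names web1/web2 and the certkey name apps-certkey are hypothetical.
SAMPLE_CONFIG = """\
add server web1 192.168.1.150
add server web2 192.168.1.151
add serviceGroup SVG-APPS HTTP
bind serviceGroup SVG-APPS web1 80
bind serviceGroup SVG-APPS web2 80
bind serviceGroup SVG-APPS -monitorName tcp
add lb vserver vSRV-Apps SSL 192.168.1.162 443
bind lb vserver vSRV-Apps SVG-APPS
bind ssl vserver vSRV-Apps -certkeyName apps-certkey
set ssl vserver vSRV-Apps -ssl3 DISABLED
"""

WEAK = ("-ssl3", "-tls1", "-tls11")  # protocol switches of "set ssl vserver"


def audit(config_text):
    """Return {vserver name: [findings]} for each SSL load balancing vserver."""
    vs, group_type = {}, {}
    for line in config_text.splitlines():
        t = shlex.split(line)
        if t[:2] == ["add", "serviceGroup"] and len(t) > 3:
            group_type[t[2]] = t[3]
        elif t[:3] == ["add", "lb", "vserver"] and len(t) > 4 and t[4] == "SSL":
            vs[t[3]] = {"cert": False, "off": set(), "groups": []}
        elif len(t) < 5 or t[2] != "vserver" or t[3] not in vs:
            continue
        elif t[:2] == ["bind", "lb"] and not t[4].startswith("-"):
            vs[t[3]]["groups"].append(t[4])
        elif t[:2] == ["bind", "ssl"] and "-certkeyName" in t:
            vs[t[3]]["cert"] = True
        elif t[:2] == ["set", "ssl"]:
            opts = dict(zip(t[4::2], t[5::2]))
            vs[t[3]]["off"] |= {p for p in WEAK if opts.get(p) == "DISABLED"}
    report = {}
    for name, v in vs.items():
        found = [] if v["cert"] else ["no server certificate bound"]
        # Conservative: no firmware default is assumed for a missing switch.
        found += [f"{p} not explicitly DISABLED" for p in WEAK if p not in v["off"]]
        # SSL offload: TLS ends at the appliance, so an HTTP group is cleartext.
        found += [f"backend {g} is cleartext HTTP" for g in v["groups"]
                  if group_type.get(g) == "HTTP"]
        report[name] = found
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, findings)
```

On appliances that use SSL profiles, the protocol settings live in the profile rather than in `set ssl vserver`, so this check only covers per-vserver settings.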

 

Testing

Now comes the testing. As shown below, my server is listening and working on HTTP.

Our URL is apps and the certificate is also for apps, so there are no SSL errors. As shown below, our reverse proxy / SSL proxy / SSL offload is working. The same HTTP URL is now working on HTTPS.

Hope this post is useful, leave your comments and suggestions.

Siva Sankar

Siva Sankar works as Solution Architect in Abu Dhabi with primary focus on SDDC, Automation, Network Virtualization, Digital Workspace, VDI, HCI and Virtualization products from VMware, Citrix and Microsoft.

15 thoughts on “Netscaler 12 – Load balancer – Reverse Proxy – SSL Proxy Configuration Steps”

  • August 30, 2018 at 5:36 pm
    Dear Sir, can you please tell me how I can create the virtual server? How can I declare the IP address for the virtual server? Where can I add it in DNS?
    • September 1, 2018 at 4:24 pm
      Dear

      The virtual server IP is the IP users will connect to. It can be created under Configuration – Traffic Management – Load Balancing – Virtual Server.
      Create the DNS record on your DNS record for your URL to the virtual IP in Netscaler.

      Feel free to refer to my Netscaler basics blog, which covers some theory about IPs.

      Thanks,
      Siva Sankar
  • March 16, 2019 at 12:31 am
    Does this work for OWA setup too?
    • March 17, 2019 at 2:52 pm
      Yes dear,
      for Exchange, for just reverse proxy, set source IP based persistence to 20 mins or more.

      Thanks
      Siva
  • November 7, 2019 at 6:50 pm
    Hi, will this work for a different internal port? For example, we have an application running on port 9644 internally. But externally, I need to access it using HTTPS. Is it possible?
    • November 8, 2019 at 11:15 pm
      Yes, it's possible. You can have any port internally and translate it to another port externally. No restrictions.
      • December 9, 2020 at 10:39 pm
        Hi Siva,
        If possible, can you share the steps for configuring customised internal ports to 443 external?
        • December 26, 2020 at 5:56 pm
          Dear
          Configure the LB vserver on 443; while attaching services or a service group, use backend port 80 or 8080 or any other port. Netscaler will translate the traffic.
      • December 10, 2020 at 9:43 pm
        Hi Siva,
        Can I get the steps for configuring an internal customized port, e.g. 8084, where externally it needs to work with 443?
        • December 26, 2020 at 5:58 pm
          Dear
          Configure the LB vserver on 443; while attaching services or a service group, use backend port 80 or 8080 or any other port. Netscaler will translate the traffic.
  • April 7, 2020 at 12:41 pm
    Hi, I have a question.
    My server does not support TLS1.2 and it can’t be upgraded.
    My server wants to connect to the target site, but the site only supports TLS1.2.
    If the source is not 1.2 then the target site will reject the connection.
    My RD said if the server can go through Netscaler to reverse proxy to the target site,
    both of them are TLS1.2, then they can finish the connection.
    Is that working?
    Thx!
    • April 16, 2020 at 11:19 am
      Dear

      Regarding TLS: end user browser – Netscaler – backend servers should all support the TLS version you are looking for to make it work.

      Thanks
  • May 26, 2020 at 2:06 pm
    Dear Siva,

    I have a customer where we have deployed Microsoft Teams Room on the internal network. The Join meeting button fails after a meeting is added, then deleted, and a new meeting added. Disconnecting the network cable temporarily fixes the problem. They have Netscaler internally and 3 Skype for Business front end servers. The issue goes away if we have all the devices pointed to 8.8.8.8 as DNS entry.

    Do you have any recommendations?

    Thank you

    Adrian
    • May 28, 2020 at 12:01 pm
      Dear

      It seems in this case the internal DNS server is having some issues or some name resolutions are not happening.

      Thanks
      Siva
  • March 17, 2021 at 4:26 pm
    Dear Siva,
    Please clarify.
    You created an HTTP group, which you did not associate with the LB. The LB you created SSL and linked it to an unknown SVG-APPS group.
    Questions:
    What is SVG-APPS?
    How does the transfer from SSL to HTTP service work?
