Netscaler 12 – Load balancer – Reverse Proxy – SSL Proxy Configuration Steps
This post covers load balancing in Netscaler with a reverse proxy, SSL proxy, or SSL offload. There is a lot of confusion about how to set up a reverse proxy, SSL proxy, or SSL offload; in Netscaler terms it is simple: select SSL as the virtual server type and bind a valid certificate to it, and the configuration is done. We will take one scenario and walk through it in this post.
Contents of the Post
My infrastructure details
We have two web/app servers on the internal network that need to be load balanced. Our servers listen on TCP port 80 (HTTP); however, we want users to connect on HTTPS (TCP 443), the servers to be load balanced, and Netscaler to act as a reverse proxy and do the SSL offload.
Our web servers :
Server 1: 192.168.1.150
Server 2: 192.168.1.151
Internal Server Port:
HTTP (TCP_80)
External Server Port:
HTTPS (TCP_443)
Certificate :
Already installed in Netscaler together with its key file.
Follow the link to generate a CSR and install a certificate in Netscaler.
Netscaler Virtual IP: 192.168.1.162
DNS record for URL: apps.sslab.com ( point to VIP 192.168.1.162)
Netscaler Load Balancer Design and Traffic flow
As we have seen above, our servers listen on port 80; Netscaler will load balance them and act as a reverse proxy on port 443 (HTTPS). You might have more than two servers, and I have seen cases with only one server. Your backend port may not be 80; it might be 8443, 443, or something else. This post applies to all of those scenarios: only the protocol and port you enter for the service group change.
Step 1: Create the servers.
Step 2: Create the service group.
Step 3: Create the load balancing virtual server.
Create Servers
Go to Traffic Management – Load Balancing – Servers – Add.
Add both web servers, providing a Name and IP, and click Create.
Both servers are shown below and their state should be Enabled. Note that Enabled (green) only means the server object is enabled on the Netscaler side; whether the server is actually listening on the port and working is only known once the service group and its monitor are created.
Create Service Group for servers
Select Service Groups under Load Balancing – Add.
Provide a Name and Protocol HTTP – OK.
Note: if your backend server speaks SSL, select SSL here. Netscaler then terminates TLS from the client and opens a new TLS session to the backend, instead of sending plain HTTP to it.
Click Add Members to add the servers created above.
Select Server Based.
Select both servers and click Select.
Enter port 80 and click Create; this binds the servers to the service group.
If your server listens on 443 or some other port, enter that port here instead.
Click OK.
Add monitors as shown below: click the Monitors item on the right-hand side and select it.
Click Select Monitor, choose TCP, and click Bind.
Click Done.
The service group is now created and UP, meaning the monitor succeeded against every backend. Note that the built-in tcp monitor only verifies that the port accepts a connection; to confirm that the application actually answers, bind the http monitor (or a custom monitor with a URL and expected response code) instead.
Create Load Balancer Virtual server for Reverse proxy or SSL proxy
This is the important part. Click Virtual Servers under Load Balancing and click Add.
Provide Name: vSRV-Apps
Protocol: SSL
IP Type: IP Address
IP Address: the VIP that users will connect to, 192.168.1.162
Port: 443 (the port users will use to connect; this can be changed if needed)
Select Service Group Binding.
Select the group created earlier and click Select.
Bind.
Click Continue for the further steps.
Select Server Certificate to bind the certificate.
Select the certificate and click Select.
Review and bind the certificate.
Continue.
If you want to disable SSLv3 or other weak protocols, it can be done as shown below. SSLv3 and TLS 1.0 should be disabled unless a client you must support still requires them; ignore this if not required and click Done.
Unselect whatever is not required.
Review the whole configuration and click Done.
Review and Save configuration
The final thing to do is to check that the virtual server is UP and click Save.
Click Yes to save.
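The same three steps as Netscaler CLI commands, as an added example that is not part of the original post. The script below generates the command batch for the scenario above; the object names (web1, web2, SVG-Apps, vSRV-Apps) and the certkey name apps-cert are assumptions for illustration, while the IPs, ports and VIP are the ones from the post. It also covers the custom backend port case from the comments: the service group's port is the only thing that changes.

```shell
#!/bin/sh
# Added example (not from the post): the Netscaler CLI equivalent of the three GUI steps.
# Assumed names: web<N> for the servers, SVG-Apps for the service group, vSRV-Apps for the
# LB vserver and apps-cert for the already-installed certkey. IPs and ports are the post's.
#
# Usage: ns_lb_config VIP VPORT CERTKEY BACKEND_PROTO BACKEND_PORT SERVER_IP [SERVER_IP...]
#   BACKEND_PROTO is HTTP for plain-http backends (SSL offload) or SSL when the
#   backend itself speaks TLS (Netscaler re-encrypts towards it).
ns_lb_config() {
  ns_vip=$1; ns_vport=$2; ns_certkey=$3; ns_bproto=$4; ns_bport=$5
  shift 5

  # Step 1: one server object per backend IP
  ns_i=1
  for ns_ip in "$@"; do
    printf 'add server web%s %s\n' "$ns_i" "$ns_ip"
    ns_i=$((ns_i + 1))
  done

  # Step 2: service group, members bound on the backend port
  printf 'add serviceGroup SVG-Apps %s\n' "$ns_bproto"
  ns_i=1
  for ns_ip in "$@"; do
    printf 'bind serviceGroup SVG-Apps web%s %s\n' "$ns_i" "$ns_bport"
    ns_i=$((ns_i + 1))
  done
  # The post binds the built-in tcp monitor; the built-in http monitor additionally
  # requires a 200 to "HEAD /", so an UP state then means the application answers.
  printf 'bind serviceGroup SVG-Apps -monitorName http\n'

  # Step 3: SSL vserver on the VIP. Clients connect to VIP:VPORT, Netscaler terminates
  # TLS and forwards to the members on BACKEND_PORT; nothing else is needed for the
  # port translation asked about in the comments.
  printf 'add lb vserver vSRV-Apps SSL %s %s\n' "$ns_vip" "$ns_vport"
  printf 'bind lb vserver vSRV-Apps SVG-Apps\n'
  printf 'bind ssl vserver vSRV-Apps -certkeyName %s\n' "$ns_certkey"
  # The "disable SSLv3" step: turn off SSLv3 and TLS 1.0/1.1, keep TLS 1.2
  printf 'set ssl vserver vSRV-Apps -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED\n'

  printf 'save ns config\n'
}

# The post's scenario: two HTTP backends on port 80, VIP 192.168.1.162 on port 443
ns_lb_config 192.168.1.162 443 apps-cert HTTP 80 192.168.1.150 192.168.1.151
```

Redirect the output to a file and feed it to the appliance over SSH (`ssh nsroot@<NSIP> < lb.conf`), or copy it to /nsconfig and run it with the `batch` command. For the custom port case, pass 9644 (or 8084) as BACKEND_PORT and keep 443 as VPORT. After applying, `curl -v https://apps.sslab.com/` should show the bound certificate and the backend's page, and `openssl s_client -connect 192.168.1.162:443 -ssl3` should fail to negotiate once SSLv3 is disabled.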
Testing
Now comes the testing. As seen below, my server is listening and working on HTTP.
Our URL is apps.sslab.com and the certificate is issued for that same name, so there are no SSL errors. As shown below, our reverse proxy / SSL proxy / SSL offload is working: the same HTTP URL now works over HTTPS.
Hope this post is useful, leave your comments and suggestions.
Dear Sir, can you please tell me how I can create the virtual server? How can I declare the IP address for the virtual server, and where can I add it in DNS?
Dear
The virtual server IP is the IP users will connect to. It can be created under Configuration – Traffic Management – Load Balancing – Virtual Servers.
Create the DNS record on your DNS server for your URL, pointing to the virtual IP in Netscaler.
Feel free to refer to my Netscaler basics blog, which covers some theory about the IPs.
thanks,
siva sankar
Does this work for OWA setup too?
Yes dear
For Exchange, for just a reverse proxy, set source IP based persistence to 20 minutes or more.
Thanks
Siva
Hi, will this work for a different internal port? For example, we have an application running on port 9644 internally, but externally I need to access it using HTTPS. Is it possible?
Yes, it's possible. You can have any port internally and translate it to another port externally. No restrictions.
HI Siva,
If possible, can you share the steps for configuring customised ports internally to 443 externally?
Dear
Configure the LB vserver on 443; while attaching the services or service group, use backend port 80 or 8080 or any other port. Netscaler will translate the traffic.
Hi Siva,
Can I get the steps for configuring an internal customized port (e.g. 8084) while externally it needs to work with 443?
Dear
Configure the LB vserver on 443; while attaching the services or service group, use backend port 80 or 8080 or any other port. Netscaler will translate the traffic.
Hi, I have a question
My server does not support TLS 1.2 and it can't be upgraded.
My server wants to connect to the target site, but the site only supports TLS 1.2.
If the source is not 1.2 then the target site will reject the connection.
My RD said that if the server can go through Netscaler as a reverse proxy to the target site,
with both of them on TLS 1.2, then they can complete the connection.
Is that working?
thx!
Dear
Regarding TLS: end user browser – Netscaler – backend servers should all support the TLS version you are looking for to make it work.
thanks
Dear Siva,
I have a customer where we have deployed Microsoft Teams Rooms on the internal network. The Join Meeting button fails after a meeting is added, then deleted, and a new meeting is added. Disconnecting the network cable temporarily fixes the problem. They have Netscaler internally and 3 Skype for Business front end servers. The issue goes away if we have all the devices pointed to 8.8.8.8 as the DNS entry.
Do you have any recommendations?
Thank you
Adrian
Dear
It seems that in this case the internal DNS server is having some issues, or some name resolutions are not happening.
thanks
siva
Dear Siva,
Please clarify.
You created an HTTP group, which you did not associate with the LB. The LB you created is SSL and is linked to an unknown SVG-APPS group.
Questions:
what is SVG-APPS?
how does the transfer from ssl to http service work?