This post covers load balancing on NetScaler with reverse proxy, SSL proxy, or SSL offload. There is a lot of confusion about how to set up reverse proxy, SSL proxy, or SSL offload. In NetScaler terms it is very simple: select SSL as the virtual server type and bind a valid certificate to it, and the configuration is done. We will walk through a scenario in this post.
My infrastructure details
We have two web/app servers on the internal network that need to be load balanced. The servers listen on port TCP_80 (HTTP), but we want users to connect over HTTPS on TCP_443, with the servers load balanced and NetScaler acting as reverse proxy and performing SSL offload.
Our web servers:
Server 1: 192.168.1.150
Server 2: 192.168.1.151
Internal Server Port:
HTTP (TCP_80)
External Server Port:
Already installed in NetScaler with key file.
NetScaler Virtual IP: 192.168.1.162
DNS record for URL: apps.sslab.com (points to VIP 192.168.1.162)
NetScaler Load Balancer Design and Traffic Flow
As seen above, our servers listen on port 80, and NetScaler will load balance and reverse proxy on port 443 (HTTPS). You might have more than two servers, and I have seen cases where people have only one server. In some cases the backend port is not 80; it might be 8443, 443, or something else. This post applies to all of these scenarios.
Step 1: Create the servers.
Step 2: Create the service group.
Step 3: Create the load balancing virtual server.
Go to Traffic Management – Load Balancing – Servers – Add
Add both web servers: provide a name and IP for each and click Create.
Both servers are shown below, and their state should be Enabled. Note that enabled (green) only means the server is enabled on the NetScaler; whether it is actually listening on the port and working will only be known after creating the service group.
Create Service Group for servers
Select Service Groups under Load Balancing – Add
Provide a name and select HTTP as the protocol – OK
Please note: if your backend server is on SSL, select SSL here.
Click Add Members to add the servers created above.
Select Server Based.
Select both servers and click Select.
Select port 80 and click Create; this binds the servers to the service group.
If your server is listening on 443 or another port, specify it here.
Add monitors as shown below: click Monitors on the right and select it.
Click Select Monitor, choose TCP, and click Bind.
As you can see, the service group is now created and UP, meaning all the backend servers are reachable and working.
Create Load Balancer Virtual server for Reverse proxy or SSL proxy
This is the important part. Click Virtual Servers under Load Balancing and click Add.
Name: vSRV-Apps
IP Type: IP address
IP Address: the VIP that users will connect to, 192.168.1.162
Port: 443 (the port users will connect to; this can be changed if needed)
Select the service group binding.
Select the group created earlier and click Select.
Click Continue for further steps.
Select Server Certificate to bind the certificate.
Select the certificate and click Select.
Review and bind the certificate.
If you would like to disable SSLv3 or other weak protocols, it can be done as shown below; ignore this if not required and click Done.
Unselect whatever is not required.
Review the whole configuration and click Done.
Review and Save configuration
The final thing to do is check that the service is up and click Save.
Click Yes to save.
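The same configuration typed into the NetScaler CLI, as an added example that is not part of the original post. The names web1, web2 and sg-apps are hypothetical, `<certkey-name>` is a placeholder for the certificate-key pair already installed, and disabling TLS 1.0/1.1 goes beyond the SSLv3 setting the post mentions.

```netscaler
# Added example. Hypothetical names: web1, web2, sg-apps.
# <certkey-name> is a placeholder for the installed certificate-key pair.

# Step 1: create the backend servers
add server web1 192.168.1.150
add server web2 192.168.1.151

# Step 2: create the service group (HTTP to the backends on port 80)
# and bind the built-in TCP monitor
add serviceGroup sg-apps HTTP
bind serviceGroup sg-apps web1 80
bind serviceGroup sg-apps web2 80
bind serviceGroup sg-apps -monitorName tcp

# Step 3: create the virtual server with type SSL on the VIP, port 443,
# then bind the service group and the server certificate
add lb vserver vSRV-Apps SSL 192.168.1.162 443
bind lb vserver vSRV-Apps sg-apps
bind ssl vserver vSRV-Apps -certkeyName <certkey-name>

# Optional hardening: disable SSLv3 on the virtual server
set ssl vserver vSRV-Apps -ssl3 DISABLED
# Assumption beyond the post: TLS 1.0 and 1.1 are deprecated (RFC 8996);
# confirm client compatibility before disabling them
set ssl vserver vSRV-Apps -tls1 DISABLED -tls11 DISABLED

# Confirm the virtual server is UP and review the protocol settings
show lb vserver vSRV-Apps
show ssl vserver vSRV-Apps

# Persist the running configuration
save ns config
```

With an HTTP service group, traffic between the NetScaler and the web servers travels unencrypted on port 80; if that network segment is not trusted, use the SSL service group option noted in the service group step instead.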
Now comes the testing. As shown below, my server is listening and working on HTTP.
Our URL is apps and the certificate is also for apps, so there are no SSL errors. As shown below, our reverse proxy/SSL proxy or SSL offload is working. The same HTTP URL now works over HTTPS.
Hope this post is useful; leave your comments and suggestions.