To Load Balance via NetScaler you need a Standard ADC license at minimum. This post will show how to load balance the Delivery Controllers and ensure their services are health monitored by using NetScaler built-in monitoring. The Delivery Controllers will use HTTPS for communication.
If you have not already enabled Load Balancing, right-click Load Balancing within NetScaler and choose Enable.
First create server objects for each of your Delivery Controllers. Navigate to Traffic Management -> Load Balancing -> Servers -> Add.
Enter a name and the IP of your Delivery Controller. Click Create. Do the same for your remaining Delivery Controllers.

Now each server object will go into a Service Group. Navigate to Traffic Management -> Load Balancing -> Service Groups -> Add. Specify a name and choose SSL as the protocol. You can configure HTTP/80, but I prefer to secure the XML broker communication and it is recommended for security: StoreFront passes user credentials and launch details to the XML service, and over HTTP those cross the network in clear text. Click OK. Click on No Service Group Member to bind members to this Service Group. Click Click to select. Select your Delivery Controller server objects and click Select. Now enter 443 as the port. Click Create. Click OK.

Expand Monitors. Click on No Service Group to Monitor Binding, then click the + symbol. Enter a name and under Type choose CITRIX-XD-DDC. Towards the bottom of the Standard Parameters tab, check Secure so that the probe itself is sent over TLS. Click on the Special Parameters tab. Here you can optionally have the monitor validate credentials against your Delivery Controllers. The monitor then goes beyond confirming that the Broker Service answers and checks that the Controller can actually validate a logon, which catches a Controller that is reachable but not fully functional. A standard domain user account with no Citrix administrator rights is enough for this. Click Create. Click Done. The new Service Group shows as UP.

A certificate matching the load-balanced FQDN needs to be installed on your Delivery Controllers, and that certificate must be bound to the Citrix Broker Service so it listens on HTTPS. If the Delivery Controllers run IIS you can use IIS to create the HTTPS binding; however most Delivery Controllers are installed on a dedicated machine that does not run IIS, in which case the certificate is bound to the Broker Service with netsh. See https://jgspiers.com/securing-ddc-xml-broker-communication-over-https/

Now we create the Load Balancing Virtual Server. Navigate to Traffic Management -> Load Balancing -> Virtual Servers -> Add. Specify a name, set the protocol as SSL and enter an IP. Click OK. Click No Load Balancing Virtual Server ServiceGroup Binding to bind the Service Group to this Virtual Server. Click on Click to select. Select the Service Group, click Select, then click Bind. Click Continue. Click No Server Certificate.
Click on Click to select. Select the load-balanced certificate that is also installed on the Delivery Controllers. In my case, it matches the URL of ddclb.jgspiers.com. Click Select. Click Bind. Expand Method. Choose ROUNDROBIN and click OK. No persistence is required, as XML brokering requests are stateless. Click Done. The Virtual Server reports UP and is ready to be used. Within StoreFront make sure you specify the load-balanced FQDN against your stores; the StoreFront servers must also trust the CA that issued the certificate and must resolve that FQDN to the VIP, otherwise enumeration will fail even though everything shows UP on the ADC.
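The whole procedure above expressed as NetScaler CLI, as an added example that is not part of the original post. The object names (DDC01, DDC02, SG_DDC_443, MON_DDC, LB_DDC_443), the 192.168.10.x addresses, the monitor account service_ddc and the password placeholder are assumptions; ddclb.jgspiers.com is the FQDN the post uses, and the certkey of that name is assumed to be already installed on the ADC.

```nscli
# Added example (not from the original post): CLI equivalent of the GUI steps.
# Assumed: DDC01/DDC02 at 192.168.10.11/.12, VIP 192.168.10.25, monitor account
# service_ddc in jgspiers.com, certkey "ddclb.jgspiers.com" already installed.

enable ns feature LB SSL

# One server object per Delivery Controller
add server DDC01 192.168.10.11
add server DDC02 192.168.10.12

# SSL service group: the ADC re-encrypts to the Controllers on 443, so the
# Broker Service on each Controller must already be listening on HTTPS
add serviceGroup SG_DDC_443 SSL
bind serviceGroup SG_DDC_443 DDC01 443
bind serviceGroup SG_DDC_443 DDC02 443

# CITRIX-XD-DDC monitor. -secure sends the probe over TLS (the "Secure" box);
# -validateCred makes the monitor authenticate a test account instead of only
# checking that the Broker Service answers. A plain domain user is sufficient.
add lb monitor MON_DDC CITRIX-XD-DDC -secure YES -validateCred YES -userName service_ddc -password <service_ddc_password> -domain jgspiers.com
bind serviceGroup SG_DDC_443 -monitorName MON_DDC

# SSL virtual server, round robin, no persistence (XML brokering is stateless)
add lb vserver LB_DDC_443 SSL 192.168.10.25 443 -lbMethod ROUNDROBIN -persistenceType NONE
bind lb vserver LB_DDC_443 SG_DDC_443

# Bind the certificate that matches ddclb.jgspiers.com (the same one installed on the DDCs)
bind ssl vserver LB_DDC_443 -certkeyName ddclb.jgspiers.com

# StoreFront is the only client of this vserver, so turn off legacy protocol versions
set ssl vserver LB_DDC_443 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED

# Checks: both members and the vserver should report UP before StoreFront is repointed
show serviceGroup SG_DDC_443
show lb vserver LB_DDC_443

save ns config
```

If a member stays DOWN with -validateCred enabled while the plain probe succeeds, the test account or domain name is the first thing to verify, since the monitor is deliberately failing for a Controller that answers but cannot complete a logon.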
Bilal Aslam
January 19, 2017
To the best of my understanding this statement is not correct. “To Load Balance via NetScaler you need an Enterprise ADC license at minimum”
George Spiers
January 19, 2017
You are right – that is just a mistake on my end. You need Standard or higher.
SaaJ
October 13, 2017
I am guessing we could use a NetScaler VPX Express to achieve this. Any disadvantages in doing this? Would the 5Mbps limit be a blocker?
Thanks.
George Spiers
October 13, 2017
Yes, VPX Express can do that, and 5Mbps will only become a blocker if DDC Load Balancing tries to consume more than that 🙂 I’m not sure how much bandwidth brokering consumes, but would bet it is very minimal.
Dayo
October 1, 2018
I have a 10MB Citrix ADC Platinum. Is this sufficient for servicing 80 users?
George Spiers
October 8, 2018
I would say yes. Typically light connections can consume around 50Kbps. You should deploy a trial, run a small PoC, and deploy NMAS to capture some metrics before purchasing any license.
Joshua Corder
April 9, 2020
George, great articles.
Question
Is it possible to use netscalers without storefront servers?
In other words
Are there features built into NetScalers where the NetScaler presents its own “web URL” that points directly to the Delivery Controllers?
I ask because I want to turn off the storefront HDX optimal routing and have the netscalers handle the proximity redirection.
Using AAA groups
Then I want to have AAA group for one domain that points to one farm
Then another AAA group for another domain that points to its own farm
With GSLB active/active onto using proximity method
Joshua Corder
April 9, 2020
Or
Maybe have a storefront load balancer with all 4 storefronts
2 from one datacenter
And 2 from the other datacenter
And then on the gateway vip have all 4 delivery controllers
And the session policy point to the storefront load balancer vip
George Spiers
July 11, 2020
That is not uncommon, especially when datacentres are close.
George Spiers
July 11, 2020
There used to be Web Interface functionality but nothing new.
Martin Meier
March 14, 2017
Can this LB vServer also be used as STA on NetScaler Gateway and in the StoreFront Remote Access configuration?
George Spiers
March 14, 2017
Nope, you can’t use load balanced names for STA. You’ll have to use the FQDN of one or more DDCs.
Joeke van der Velde
May 15, 2017
Maybe a bit of a newbie question, but I’m wondering:
What are the user rights the “service_ddc” account needs under special parameters?
Are they only Citrix rights within Citrix Studio? Or maybe a few AD rights?
I can’t find it anywhere, so it looks like I’m the only one who doesn’t know.. :-p
George Spiers
May 15, 2017
Hi Joeke
It is just a standard domain user account you need.
Joeke van der Velde
May 15, 2017
Thx George!
berks
October 17, 2017
Hi JG, just want to thank you; your articles are always fantastic and I always appreciate the effort you put in.
George Spiers
October 17, 2017
Thank you Berks! It’s always nice to receive some positive feedback on how I am helping out, and I am glad you are making good use of the content.
Engin
March 15, 2018
Hi,
Wondering what you use for STA address when configuring Storefront when you get a common cert for delivery controller LB VIP address and use it on delivery controllers.
That is, ddclb.domain.com is showing LB VIP IP and it’s used in Storefront delivery controllers page with port 443. But when you add a Netscaler, STA addresses are: https://ddc01.domain.com/scripts/ctxsta.dll, etc..
Thanks,
George Spiers
March 16, 2018
You can use port 80 for STA communication, which is what I do.
Alternatively another server outside of the DDC Load Balancing group can serve as the STA server over port 443, or you could possibly use a SAN certificate on DDCs.
Daniel Alcocer
August 7, 2018
A question: I have my VIP with which I made the LB of the Delivery Controllers. Must this VIP answer by name? That is to say, must I assign an alias to the VIP? For example, my IP is 192.168.10.25 (VIP); this must have a name. Example:
192.168.10.25 = dclb.domain.com
George Spiers
August 8, 2018
Using DNS names is always best practice.
Richard
December 12, 2018
In the past when you load balanced XML, the persistence was NONE for DDC. Is it now Source IP?
George Spiers
December 12, 2018
Actually there is no need for persistence. I must have copied that config from another load balancing article. I’ve removed it!
Anonymous
May 15, 2019
Hi George
I followed your guide but StoreFront keeps generating Event ID 4003 and temporarily removing my servers from the active servers, but they are online and monitoring is green for both DDCs.
None of the Citrix XML Services configured for farm MyFarm are in the list of active services, so none were contacted.
The Citrix XML Service or the Citrix servers may be unavailable or temporarily overloaded: 503 Service Unavailable. This message was reported from the XML Service at address http://ddc2.mydomain.local/scripts/ctxsta.dll [CtxSTAProtocol.TRequestTicket]. The specified Secure Ticket Authority could not be contacted and has been temporarily removed from the list of active services.
Can you advise on how to overcome this issue?
George Spiers
May 16, 2019
Your Store is pointing at the load balanced address and not individual Delivery Controllers?
Anonymous
March 17, 2020
Hi, I’ve followed your steps, however when I access StoreFront through my Virtual Gateway I don’t see any apps. Then I read that you cannot put the Load Balance VIP as STA on the Virtual Gateway. My question is, if you put the DDC FQDN, how do we know the DDC is load balanced?
George Spiers
May 19, 2020
Can your StoreFront servers access the DDC VIP? For STA, you can point at single FQDNs.
Syed
April 21, 2020
Hi George, great article and thanks for your efforts.
I have a quick question. Can we setup the DDC LB vServer as SSL vServer and configure the Delivery Controllers/Service Group on Port 80? Does this configuration work?
I’ve configured my environment this way and am having connectivity issues. (Storefront screen post logon is blank and doesn’t display any icons for published apps or desktops)
Would appreciate your response.
Syed
George Spiers
September 9, 2020
Hello
Yes this is possible and fairly simple to configure. You will have:
1. SSL vServer for DDC, with backend Service Group on HTTP/80
2. Certificate bound to SSL vServer matching Controller LB address e.g. ddc.domain.com
3. StoreFront pointing to LB address e.g. ddc.domain.com over HTTPS/443
4. DNS configured to resolve LB address e.g. ddc.domain.com to the VIP, and it is resolvable by StoreFront servers
If still failing, the Citrix Delivery Services event logs should give pointers.
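The SSL-offload variant described in the reply above as NetScaler CLI, added here as an example and not taken from the original post or reply. Object names (DDC01, DDC02, SG_DDC_80, MON_DDC_80, LB_DDC_443), the 192.168.10.x addresses and the certkey name ddclb.jgspiers.com are assumptions; the certkey is assumed to be installed on the ADC already.

```nscli
# Added example (not from the original post): SSL vserver in front, HTTP/80 to the Controllers.
# Assumed: DDC01/DDC02 at 192.168.10.11/.12, VIP 192.168.10.25, certkey "ddclb.jgspiers.com".

add server DDC01 192.168.10.11
add server DDC02 192.168.10.12

# HTTP service group on 80. The monitor probe is plain HTTP here, so -secure is not set.
add serviceGroup SG_DDC_80 HTTP
bind serviceGroup SG_DDC_80 DDC01 80
bind serviceGroup SG_DDC_80 DDC02 80
add lb monitor MON_DDC_80 CITRIX-XD-DDC
bind serviceGroup SG_DDC_80 -monitorName MON_DDC_80

# The front end stays SSL: StoreFront talks HTTPS to ddclb.jgspiers.com and only the
# vserver certificate has to match that name; the Controllers need no certificate at all.
add lb vserver LB_DDC_443 SSL 192.168.10.25 443 -lbMethod ROUNDROBIN -persistenceType NONE
bind lb vserver LB_DDC_443 SG_DDC_80
bind ssl vserver LB_DDC_443 -certkeyName ddclb.jgspiers.com

show lb vserver LB_DDC_443
save ns config
```

The trade-off is that the ADC-to-Controller hop now carries the XML traffic, including the credentials StoreFront forwards, in clear text, so this layout only makes sense when the ADC SNIP and the Controllers sit on a network segment you trust; otherwise keep the SSL service group from the main post.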
Anonymous
July 13, 2022
I keep getting “no apps or desktops available..” after login to the StoreFront page. The service group shows UP state, the monitor assigned is Citrix-XD-DDC, and when I checked the monitor details, both DDCs are validated by the monitor (green). I created the Load Balancing vServer using SSL, the certificate was installed, and the vServer shows UP (green). All are looking good (green). However, as soon as I replaced the individual DDCs with the DDC LB VIP in StoreFront, the enumeration fails with the error message stated above. When listing DDCs individually, using HTTPS, enumeration is successful again.
Sandy
May 8, 2023
I had this issue too. I changed my default cipher to a more narrowed down list of secure ciphers and then it worked.
Chris
December 3, 2024
Long shot since you posted this over 2 years ago LOL.. BUT did you ever get this figured out.. we are having the exact same problem.
Naz
September 13, 2022
Hey George,
Forever grateful for all you do for the community!
In this XDDC LB article, you set up the vServer using SSL… do you foresee any issues if I use SSLBRIDGE instead?
Rationale:
I want to avoid SSL certs where it is not needed.
I don’t mind the DDCs doing the secure encrypt/decrypt, unless you see a benefit in not doing so?
Another reason: since LB’ing the DDCs, it appears to have added 3-4 seconds to the initial StoreFront enumeration post successful Gateway authentication.
Without going through an LB, this takes under a second for SF to enumerate.
Regards,
N.
Rick
September 29, 2022
If I have two Delivery Controllers, do they HAVE to be load balanced by NetScaler or is the StoreFront functionality enough?
Nick
October 15, 2023
Doubtful I’ll get a reply this late in the game, but if I have two StoreFront servers that I’m load balancing with the NetScaler and I also have four XenApp servers I want to load balance – will I need to create a new load balancing vServer for XenApp? I guess I’m confused about the flow of data, from the StoreFront vServer to XenApp.