NetScaler VPX

Configure HA-INC nodes by using the Citrix high availability template for internet-facing applications

You can quickly and efficiently deploy a pair of VPX instances in HA-INC mode by using the standard template for internet-facing applications. The Azure load balancer (ALB) uses a public IP address for the front end. The template creates two nodes, with three subnets and six NICs. The subnets are for management, client, and server-side traffic. Each subnet has two NICs for both the VPX instances.

You can get the Citrix ADC HA pair template for internet-facing applications at the Azure Marketplace.

Complete the following steps to launch the template and deploy a high availability VPX pair by using Azure availability sets or availability zone.

  1. From the Azure Marketplace, search Citrix ADC.
  2. Click GET IT NOW.

    Azure Marketplace

  3. Select the required HA deployment along with license, and click Continue.

    Azure HA with license

  4. The Basics page appears. Create a Resource Group. Under the Parameters tab, enter details for the Region, Admin user name, Admin Password, license type (VM SKU), and other fields.

    Basics page for ALB

  5. Click Next : VM Configurations >.

    VM Configurations for ALB

  6. On the VM Configurations page, perform the following:
    • Configure public IP domain name suffix
    • Enable or disable Azure Monitoring Metrics
    • Enable or disable Backend Autoscale
  7. Click Next: Network and Additional settings >

    Network and Additional settings

  8. On Network and Additional Settings page, create Boot diagnostics account and configure the network settings.

    Boot Diagnostics

  9. Click Next: Review + create >.

  10. Review the basic settings, VM configuration, network and additional settings, and click Create.

    It might take a moment for the Azure Resource Group to be created with the required configurations. After completion, select the Resource Group in the Azure portal to see the configuration details, such as LB rules, back-end pools, and health probes. The high availability pair appears as citrix-adc-vpx-0 and citrix-adc-vpx-1.

    If further modifications are required for your HA setup, such as creating more security rules and ports, you can do that from the Azure portal.

    Once the required configuration is complete, the following resources are created.

    HA internet application resource group

  11. You must log on to citrix-adc-vpx-0 and citrix-adc-vpx-1 nodes to validate the following configuration:

    • NSIP addresses for both nodes must be in the management subnet.
    • On the primary (citrix-adc-vpx-0) and secondary (citrix-adc-vpx-1) nodes, you must see two SNIP addresses. One SNIP (client subnet) is used for responding to the ALB probes and the other SNIP (server subnet) is used for back-end server communication.

    Note:

    In the HA-INC mode, the SNIP addresses of the citrix-adc-vpx-0 and citrix-adc-vpx-1 VMs are different, unlike with the classic on-premises ADC high availability deployment where both are the same.

    On the primary node (citrix-adc-vpx-0)

    Show IP CLI on the primary node of ALB

    Show ha node CLI on the primary node of ALB

    On the secondary node (citrix-adc-vpx-1)

    Show IP CLI on the secondary node of ALB

    Show ha node CLI on the secondary node of ALB

  12. After the primary and secondary nodes are UP and the Synchronization status is SUCCESS, you must configure the load balancing virtual server or the gateway virtual server on the primary node (citrix-adc-vpx-0) with the public IP address of the ALB virtual server. For more information, see the Sample configuration section.

  13. To find the public IP address of ALB virtual server, navigate to Azure portal > Azure Load Balancer > Frontend IP configuration.

    ALB front end IP configuration

  14. Add the inbound security rule for virtual server port 443 on the network security group of both the client interfaces.

    Inbound security rule1

    Inbound security rule2

  15. Configure the ALB port that you want to access, and create inbound security rule for the specified port. The Backend port is your load balancing virtual server port or the VPN virtual server port.

    LB rule back-end port

  16. Now, you can access the load balancing virtual server or the VPN virtual server using the fully qualified domain name (FQDN) associated with the ALB public IP address.

    FQDN public IP address

Sample configuration

To configure a gateway VPN virtual server and load balancing virtual server, run the following commands on the primary node (ADC-VPX-0). The configuration auto synchronizes to the secondary node (ADC-VPX-1).

Gateway sample configuration

enable feature aaa LB SSL SSLVPN
add ip 52.172.55.197 255.255.255.0 -type VIP
add vpn vserver vpn_ssl SSL 52.172.55.197 443
add ssl certKey ckp -cert cgwsanity.cer -key cgwsanity.key
bind ssl vserver vpn_ssl -certkeyName ckp
<!--NeedCopy-->

Load balancing sample configuration

enable feature LB SSL
enable ns mode MBF
add lb vserver lb_vs1 SSL 52.172.55.197 443
bind ssl vserver lb_vs1 -certkeyName ckp
<!--NeedCopy-->

You can now access the load balancing or VPN virtual server using the FQDN associated with the public IP address of ALB.

See the Resources section for more information about how to configure the load balancing virtual server.

Resources:

The following links provide additional information related to HA deployment and virtual server configuration:

Configure HA-INC nodes by using the Citrix high availability template for internet-facing applications