WAN Link Load Balancing Deployment Guide: A Step-by-Step Technical Guide

Page 1: Deployment Guide - Citrix.comcdn.ws.citrix.com/wp-content/uploads/2008/09/Citrix_ElfiqWLLB_Dep... · RNAT Configuration ... deployment guide walks through the step-by-step configuration


Notice:

The information in this publication is subject to change without notice.

THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. CITRIX SYSTEMS, INC. (“CITRIX”), SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT, INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.

This publication contains information protected by copyright. Except for internal distribution, no part of this publication may be photocopied or reproduced in any form without prior written consent from Citrix.

The exclusive warranty for Citrix products, if any, is stated in the product documentation accompanying such products. Citrix does not warrant products other than its own.

Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies.

Copyright © 2008 Citrix Systems, Inc., 851 West Cypress Creek Road, Ft. Lauderdale, Florida 33309-2009 U.S.A. All rights reserved.


Table of Contents

Introduction
Solution Requirements
Prerequisites
Network Diagram
First time connectivity
    Serial Connection
    Ethernet Connection
NetScaler Configuration
    Deployment Model: NetScaler Two-Arm Mode, Server Load Balancing, RNAT
    Licensing
    Basic Features
    IP Addresses, Interfaces and VLANs
RNAT Configuration
    About RNAT
Load Balancing Configuration
    About Server Load Balancing
    Create Server Objects
    Create Service Groups
    Create LB Virtual Server Objects (VIPs)
    Load Balancing Methods & Persistence
WanScaler
    WAN Optimization
    WanScaler Headquarters Configuration
    WanScaler Remote Configuration
Elfiq - WAN Link Load Balancing
    Configuration and Management
Appendix A - NetScaler Configuration
Appendix B - WanScaler Configuration
Appendix C - Elfiq Configuration


Introduction

Citrix® NetScaler® optimizes the delivery of web applications — increasing security and improving performance and Web server capacity. This approach ensures the best total cost of ownership (TCO), security, availability, and performance for Web applications. The Citrix NetScaler solution is a comprehensive network system that combines high-speed load balancing and content switching with state-of-the-art application acceleration, layer 4-7 traffic management, data compression, dynamic content caching, SSL acceleration, network optimization, and robust application security into a single, tightly integrated solution. Deployed in front of application servers, the system significantly reduces processing overhead on application and database servers, reducing hardware and bandwidth costs.

Elfiq Networks is a technology innovator in the field of link balancing for multi-homed networks, bringing a unique and integrated approach to advanced link management features. Link Load Balancing involves managing the inbound and outbound traffic from an enterprise firewall to the ISP. Server Load Balancing involves managing the traffic to the backend application servers, which NetScaler is popularly known for. Elfiq LLB units operate at Layer 2 transparently and are compatible with any firewall/VPN connection. Elfiq units use multiple advanced algorithms to efficiently manage bandwidth for performance, availability and failover in case of link failure. Elfiq load balancers also come with advanced features such as traffic segmentation, network segmentation, geographic load balancing, HA pairing, and the mixing of private and public ISP networks.

The real value of Elfiq is that it provides redundant connectivity by balancing multiple Internet and private links from various providers at different link speeds. This technology is also known as a WAN load balancer. The Elfiq Link LB differentiates itself by operating at the data link network layer (layer 2) to manage synchronous or asynchronous telecommunication links. This prevents it from having to get involved in using complex protocols such as BGP (Border Gateway Protocol) to support multiple links. It usually resides between the external routers and the firewall, or any other public or private link, and its installation is completely transparent to the rest of the network.

When integrated with Citrix NetScaler and/or WanScaler, Elfiq can be added in front (on the internet side) so that it load balances and optimizes which network link should be used when a user connects into the data center. The Elfiq LLB operates on inbound as well as outbound traffic.

When connectivity is being deployed to multiple sites with multiple links, Elfiq SitePathMTPX ensures that links carrying corporate services are resilient. IPSec VPN tunnels and VoIP implementations alongside enterprise applications are common examples where SitePathMTPX resilience enables greater performance. With SitePathMTPX, should a link failure occur, traffic will keep flowing on the remaining links without interruption and without intervention from the administration team.

This deployment guide was created as the result of validation testing with the Citrix NetScaler, Citrix WanScaler, and Elfiq Link Load Balancers (WAN Load Balancer). The ISP cloud was built with Vyatta Open Source routers running BGPv4 on XenServer v4.1 inside a Dell 2950 Server. This deployment guide walks through the step-by-step configuration of the Citrix NetScaler application switch, the Citrix WanScaler, and the Elfiq Link Load Balancer.


Solution Requirements

Application Front-End Server Load Balancing - NetScaler

WAN Optimization - WanScaler

WAN Load Balancing (Link Load Balancing) - ElfIQ Networks

Prerequisites

Citrix NetScaler L4/7 Application Switch, running version 8.0+ (Quantity x 2 for Headquarters & Remote sites).

Citrix WanScalers running version 4.2.21 (Quantity x 2 for Headquarters & Remote site)

Elfiq Networks Link Load Balancers (Quantity x 2, Headquarters & Remote site)

Client laptop/workstation running Internet Explorer 6.0+, Ethernet port

9-pin serial cable -or- USB-to-serial cable


Network Diagram

The following is the network that was used to develop this deployment guide, and is representative of a solution implemented at a customer site.

[Network diagram: Remote Office (169.145.91.0/24)]

Diagram labels: Clients; Application Server 169.145.91.152; Citrix NetScaler® (169.145.91.71, int 1/2 and int 1/8); LB VIP 76.220.202.152; NAT 76.220.202.2; DFG 76.220.202.1; WANScaler® 76.220.202.81; ElfIQ Link Load Balancer (VFI, gateway mac1, gateway mac2); ISP A; ISP B.

VLAN Legend

NetScaler:
VLAN 1: (Mgmt) Interface 1/2, Untagged. NSIP: 169.145.91.71 / 24, SNIP: 169.145.91.1 / 24
VLAN 76: Interface 1/8, Untagged. SNIP: 76.220.202.1 / 24, VIP: 76.220.202.152 / 24

WanScaler:
Controller IP: 76.220.202.81 / 24, Gateway: 76.220.202.1

Elfiq:
Mgmt IP: 76.220.202.91 / 24


[Network diagram: Datacenter (172.16.104.0/24)]

Diagram labels: Clients; DNS 172.16.104.10; Application Server 172.16.104.151; Citrix NetScaler® (Mgmt int 1/2 10.217.104.71, int 1/7, int 1/8); LB VIP 65.89.216.151; NAT 65.89.216.2; DFG 65.89.216.1; WANScaler® 65.89.216.81; ElfIQ Link Load Balancer (VFI, gateway mac1, gateway mac2); ISP C; ISP D.

VLAN Legend

NetScaler:
VLAN 1: (Mgmt) Interface 1/2, Untagged. NSIP: 10.217.104.71 / 24, SNIP: 10.217.104.73 / 24
VLAN 65: Interface 1/8, Untagged. SNIP: 65.89.216.1 / 24, VIP: 65.89.216.151 / 24
VLAN 172: Interface 1/7, Untagged. SNIP: 172.15.104.1 / 24

WanScaler:
Controller IP: 65.89.216.81 / 24, Gateway: 65.89.216.1

Elfiq:
Mgmt IP: 65.89.216.91 / 24
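The datacenter legend above lists every address in the build, so the plan can be checked mechanically before it is typed into the appliances. The following Python check is an added example, not part of the original guide: it verifies that each address from the diagram is on-link with a NetScaler SNIP, that internal segments use RFC 1918 space, and that no address is used twice. The internal/external flag per VLAN and the function names are assumptions of this example.

```python
"""Consistency check for the datacenter (HQ) addressing plan printed in this guide."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# NetScaler SNIPs from the VLAN legend: name -> (address/prefix, internal segment?)
# The internal/external flag is an assumption made for this example.
SNIPS = {
    "VLAN 1 SNIP": ("10.217.104.73/24", True),
    "VLAN 65 SNIP": ("65.89.216.1/24", False),
    "VLAN 172 SNIP": ("172.15.104.1/24", True),
}

# Other addresses from the diagram: name -> (address, configured gateway or None)
HOSTS = {
    "NSIP": ("10.217.104.71", None),
    "LB VIP": ("65.89.216.151", None),
    "RNAT NAT IP": ("65.89.216.2", None),
    "WanScaler controller": ("65.89.216.81", "65.89.216.1"),
    "Elfiq mgmt": ("65.89.216.91", None),
    "DNS": ("172.16.104.10", None),
    "Application Server": ("172.16.104.151", None),
}


def segment_of(addr, snips=SNIPS):
    """Return the name of the SNIP whose subnet contains addr, else None."""
    ip = ipaddress.ip_address(addr)
    for name, (cidr, _internal) in snips.items():
        if ip in ipaddress.ip_interface(cidr).network:
            return name
    return None


def check_plan(snips=SNIPS, hosts=HOSTS):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    owners = {}  # address -> names using it, to catch duplicates

    for name, (cidr, internal) in snips.items():
        iface = ipaddress.ip_interface(cidr)
        owners.setdefault(str(iface.ip), []).append(name)
        # An internal segment numbered from public space can collide with
        # real Internet destinations and leak routes.
        if internal and not any(iface.ip in net for net in RFC1918):
            findings.append(f"{name} {iface.ip} is on an internal segment "
                            "but outside RFC 1918 space")

    for name, (addr, gateway) in hosts.items():
        owners.setdefault(addr, []).append(name)
        seg = segment_of(addr, snips)
        if seg is None:
            # No SNIP shares a subnet with this host, so the appliance
            # cannot reach it directly (and cannot be its gateway).
            findings.append(f"{name} {addr} is not on-link with any SNIP")
        elif gateway is not None and segment_of(gateway, snips) != seg:
            findings.append(f"{name} gateway {gateway} is not on segment {seg}")

    for addr, names in owners.items():
        if len(names) > 1:
            findings.append(f"{addr} is assigned to more than one object: "
                            + ", ".join(names))
    return findings


if __name__ == "__main__":
    for line in check_plan() or ["plan is consistent"]:
        print(line)
```

Run against the values as printed, it reports three findings, all tracing to the VLAN 172 SNIP 172.15.104.1 / 24 not sharing a subnet with the 172.16.104.0/24 servers.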


First time connectivity

Serial: 9600, n, 8, 1
Default IP Address: 192.168.100.1

Serial Connection

The NetScaler can be accessed by the serial port through any terminal emulation program. Windows Hyperterm is commonly used on a laptop or workstation. Connect a 9-pin Null Modem cable (or USB-to-9-pin cable) from the computer to the NetScaler’s console port. In the terminal emulation program configure the settings for 9600 baud, no parity, 8 data bits, and 1 stop bit. The login prompt should appear. The default login is nsroot, nsroot. It is advisable to change the nsroot password once connected.

Once connected type in the CLI command ‘configns’ (‘nsconfig’ if at the shell prompt). Select option 1 to change the NetScaler IP Address and Network Mask. Exit, save and reboot.

Ethernet Connection

The NetScaler can also be accessed by the default IP Address of 192.168.100.1, either through an http, https, telnet or ssh connection. Once connected, the login prompt should appear. The default login is nsroot, nsroot. It is advisable to change the nsroot password once connected.

Type in the CLI command ‘configns’ (‘nsconfig’ if at the shell prompt). Select option 1 to change the NetScaler IP Address and Network Mask. Exit, save and reboot.

Note: Changing the NetScaler IP Address always requires a reboot.


NetScaler Configuration

Deployment Model: NetScaler Two-Arm Mode, Server Load Balancing, RNAT

The NetScaler in this example will be used in two-arm mode. The NetScaler in Two-Arm mode uses different interfaces for the segmentation of VLAN traffic, providing an additional physical layer of separation. This deployment could easily have been implemented using a Trunk port on the NetScaler and a Layer 2 switch. For incoming connections to the Application server, we will configure a Load Balancing VIP on the Internet-facing subnet. For outgoing connections from the internal subnet, we will configure NAT (RNAT - Reverse NAT) to translate internal addresses to public addresses. The WanScaler and Elfiq appliances will sit transparently inline to traffic.

Connect to the NetScaler via the NSIP using a web browser. In this example: NS1: http://10.217.104.71

Note: Java will be installed.

Default login is: nsroot, nsroot.


Licensing

The availability of a feature is controlled by a license key. When using the system for the first time, you need to load the license key and then enable the feature.

To add new licenses:

From the GUI, navigate to NetScaler > System > Licenses > Manage Licenses.

Note: Licenses are tied to the hostname of the switch and must match. The hostname can be found under NetScaler > System. Make sure the license file is in the correct location. With release 8.0 all license files must be in the /nsconfig/license directory in order to be recognized.

Also, check the “hosts” files in /nsconfig and in /etc, and make sure both include lines for localhost and for the NetScaler hostname as defined in the configuration and /nsconfig/rc.conf.

A properly configured hosts file should look similar to the following (using nshost as the example hostname defined for this NetScaler).

127.0.0.1 localhost
127.0.0.1 nshost


Basic Features

Load Balancing is enabled in Basic Features.

From the GUI, navigate to NetScaler > System > Settings > Basic Features.

Select Load Balancing and click OK.


Important NetScaler IP Addresses

Acronym | Description | Usage
NSIP | NetScaler IP Address | The NetScaler IP (NSIP) is the management IP address for the appliance, and is used for all management related access to the appliance. There can only be one NSIP.
SNIP | Subnet IP Address | The Subnet IP address (SNIP) allows the user to access an Application Switch from an external host that is residing on another subnet. When a subnet IP address is added, a corresponding route entry is made in the route table. The Application Switch uses the SNIP as the source IP Address for outgoing packets, when the “USNIP” mode is enabled. USNIP is enabled by default. (With USNIP enabled, configuration of MIP is unnecessary). The SNIP can also be used as the Tagged VLAN IP, and for RNAT.
MIP | Mapped IP Address | The mapped IP address (MIP) is becoming outdated. It has traditionally been used by the Application Switch to represent the client when communicating with the backend managed server. Mapped IP addresses (MIP) were used for server-side connections and can be used for Reverse NAT. Think of this as the client’s source address on the server-side of the Application Switch, assuming a two-arm proxy deployment. When using the USNIP mode above, MIPs are unnecessary.
VIP | Virtual IP Address | The Virtual Server IP address (VIP) is used by the Application Switch to represent the public facing IP address of the managed services. ARP and ICMP attributes on this IP address allow users to host the same vserver on multiple Application Switches residing on the same broadcast domain.
DFG | Default Gateway | IP Address of the router that forwards traffic outside of the subnet where the appliance is installed.

Note: NSIP is Mandatory and requires a reboot.

IP Addresses, Interfaces and VLANs

Assigning IP Addresses to Interfaces is done ‘virtually’ through the use of port based VLANs.

By default, all the interfaces on the system are in a single port-based VLAN as untagged interfaces. This VLAN is the default VLAN with a VID equal to 1.

When an interface is added to a new VLAN as an untagged member, the interface is automatically removed from the default VLAN and placed in the new VLAN. This becomes a convenient feature, such that when we plug the Netscaler into a Switch that is using VLANs with tagging, we only need to check the box, to turn on tagging. VLANs are typically used to separate subnet traffic.

If Trunking is turned On, you will see an interface as a member of more than one VLAN.

Note: USNIP mode is enabled by default. If both USIP mode and USNIP mode are enabled, USIP mode takes precedence over USNIP mode.


Add the remaining IP Addresses

IP Addresses (SNIPs) that are used for routing between VLANs, RNAT and BGP are added separately according to the table in the network diagram. Note that VIP addresses are created later during Load Balancing configuration, not at this time. The following screen shots are for the HQ NetScaler.

Add the remaining IP Addresses: NetScaler > Network > IPs > Add.

Note: Dynamic Routing must be enabled on the Subnet IP (SNIP) for these routes to be propagated in routing protocols.

Make sure you take this opportunity to “Save” the configuration on both the Primary and Secondary NetScalers.


Create VLANs and Assign Subnet IP Addresses to them.

NetScaler > Network > VLANs > Add.

For this example: We create VLANs 65 & 172. We assign VLAN 65 to Interface 1/8 and VLAN 172 to interface 1/7.

(We did not use VLAN Trunking in this deployment, but easily could have by turning on trunking on one of the NetScaler interfaces, and assigning VLANs 65 & 172 to it).

Interface 1/2 is our management interface, in VLAN 1.

Use NetScaler > Network > VLANs to add VLAN and interface assignments on the Application Switch. Be sure to bind the IP address to each VLAN, and enable dynamic routing.

Note: Dynamic Routing must be enabled on the VLAN for these routes to be propagated to routing protocols.


RNAT Configuration

About RNAT

The NetScaler system supports Reverse Network Address Translation (RNAT) or NAT for outbound connections. When the system performs RNAT, it replaces the source IP addresses of packets generated by the back-end servers with a NAT IP address. The NAT IP address is a public IP address. By default, the NAT IP address is a MIP. However, you can configure the system to use a Subnet IP address as the NAT IP address, which we do in this deployment guide.

From the GUI, navigate to NetScaler > Network > Routing > Configure RNAT > Create.

With this configuration all internal private ip addresses that originate in the 10.217.104.0 network will be translated (NAT’d) to 65.89.216.2 as they reach the public internet.

We added a separate SNIP 65.89.216.2 to be used for the public NAT address, but could have also used the 65.89.216.1 SNIP to save ip addresses.


Load Balancing Configuration

About Server Load Balancing

Server Load Balancing is used for incoming connections to Application servers. Load balancing allows you to distribute requests sent to a particular virtual server (vserver or VIP) evenly across several physical servers. A client sends a request to the virtual server, which selects a physical server in the server farm and directs the request to the selected physical server. Load balancing allows the Application Switch to choose the physical server with the lowest load and greatest available resources.

1-2-3: Configuring Load Balancing is a simple 1-2-3 process performed by creating objects within the Citrix Application Switch. We create the objects in logical formation from the backend servers to the forward facing internet IP Address:
1) Create Servers
2) Create Services
3) Create Load Balancing VIPs w/Persistence

Create Server Objects

Create server objects that point to the backend Application and Database servers. We can refer to these servers by name as opposed to IP Address, and can then assign availability monitors to them.

Create server objects for the Application and Database servers on the backend.

From the GUI, navigate to NetScaler > Load Balancing > Servers > Add.


Create Service Groups

Service Groups are containers for managing load balancing and SSL services to several instances of the same service (port number) on the same or different servers (ip address).

Add the Service Group for the HQ Application Server.

From the GUI, navigate to NetScaler > Load Balancing > Service Groups > Add.

Select an availability monitor to keep in contact with the server/service. If the service goes down, load balancing will mark it down and send traffic to the other available servers/services.

Select the ‘Monitors’ tab. Select http-ecv. http-ecv uses a ‘GET’ request.

Monitors can be added or modified.


Create LB Virtual Server Objects (VIPs)

The Virtual Server or Virtual IP Address is the logical entity on the system that accepts client connections from the Internet and distributes them to the service groups/objects. The Vserver or VIP is the public facing internet connection.

Add the Server Load Balancing Virtual Server.

NetScaler > Load Balancing > Virtual Servers > Add.

In this example: Our public facing IP Address for the Application server is 65.89.216.151 on port 80.

To get the most performance, select the Advanced tab and turn on Compression and TCP Buffering. The compression computation is an off-loaded task for both http and https from the Application servers.

Select the Advanced tab, check TCP Buffering and Compression.

Select OK.


Load Balancing Methods & Persistence

The Citrix Application Switch is capable of several Load Balancing Methods. In order to direct traffic correctly to the Application servers, the Citrix Application Switch can also be configured to persist traffic.

By default the Citrix Application Switch uses the ‘Least Connections’ load balancing algorithm, but can be changed to Round Robin. Several persistence methods are available.

Select the ‘Methods and Persistence’ tab. Select the LB Method Round Robin.

Make sure you take this opportunity to “Save” the configuration on both the Primary and Secondary switches.


WanScaler

WAN Optimization

For WAN Acceleration to occur, all packets in the TCP connection must pass through two WANScaler appliances or the WANScaler client and the remote WANScaler appliance. The WANScaler appliance uses an accelerated bridge (two Ethernet ports) for inline mode; packets enter one Ethernet port and exit through the other. As far as the rest of the network is concerned, it is as though the WANScaler weren’t there at all; its operation is completely transparent.

In Inline mode, data flows in one accelerated Ethernet port and out the other. This requires no router configuration or changes to the firewall or NetScaler. Inline mode offers the highest performance and operates transparently to the traffic.

For configuration, the WanScaler can be accessed by the serial port through any terminal emulation program, similarly to the NetScaler. Windows Hyperterm is commonly used on a laptop or workstation. Connect a 9-pin Null Modem cable (or USB-to-9-pin cable) from the computer to the WanScaler’s console port. In the terminal emulation program configure the settings for 9600 baud, no parity, 8 data bits, and 1 stop bit. The default login is admin, wanscaler. It is advisable to change the admin password once connected.


WanScaler Headquarters Configuration

Connect to the WanScaler with a console cable. The default username and password is admin, wanscaler.

Configure the IP Address, Netmask, and Gateway. Restart the WanScaler.

To configure the management IP Address, you need 4 commands: address, netmask, gateway and restart.

The following is the configuration of the management IP address for the HQ WanScaler:

    > address 65.89.216.81
    Address set to: 65.89.216.81
    > netmask 255.255.255.0
    NetMask set to: 255.255.255.0
    > gateway 65.89.216.1
    Gateway set to: 65.89.216.1
    > restart

Connect to the WanScaler with a web browser and log in. The default username and password is admin, wanscaler.

Configure the Bandwidth Settings by selecting Bandwidth Management.

In this example: We are using Hardboost, with a send and receive rate of 1.5 Mbps (1500 Kbps) equivalent to a T1.

Note: These settings need to match the other side at the remote or client.


WanScaler Remote Configuration

    > address 76.220.202.81
    Address set to: 76.220.202.81
    Restart is required before change becomes effective.
    > netmask 255.255.255.0
    NetMask set to: 255.255.255.0
    > gateway 76.220.202.1
    Gateway set to: 76.220.202.1
    > restart


In order for traffic to be accelerated, the WANScaler needs to recognize it as an ‘Active Connection’.

From the GUI, navigate to Monitoring > Active Connection.

To verify traffic is being accelerated through the WANScaler, view the Usage graph.

From the GUI, navigate to Monitoring > Usage Graph.


Elfiq - WAN Link Load Balancing

Configuration and Management

Elfiq’s Link Load Balancer product line is a natural complement to technologies such as the Citrix WANScaler.

Different link types and speeds can be aggregated together to provide cost-effective, scalable and manageable large virtual links while also providing network resilience. This means that you are not dependent on a single ISP and/or technology. Specific traffic can be sent down (or up) specific links and be instantly redirected during a failure.

Elfiq is placed outside of the Firewall, WanScaler and NetScaler, so no reconfiguration of these elements is necessary. Elfiq operates at Layer 2, which enables it to be installed transparently without modifying an existing network. Because operations are handled at the 2nd layer of the OSI model (Data Link Layer), no network port used by Elfiq for a WAN/ISP connection has an IP address, so these ports cannot be addressed directly by Internet-based attacks. In a Layer-2 concept, organizations use the existing link connected to the firewall as the main link for configurations. Should network alterations be required, the link can be reconnected directly to the firewall without any configuration requirement. With the primary link, a single set of security policies is required on the firewall for easy management.

Elfiq’s units are inline (or transparent) units which can integrate into any network and, because of the layer-2 implementation, are compatible with any firewall/VPN. All Elfiq units use multiple advanced algorithms to efficiently manage bandwidth for performance, availability and failover in case of link failure. Algorithms can be selected for each link, service port or IP address.

In this guide we configured the Elfiq to demonstrate its load balancing and failover capabilities and its transparent operation at Layer 2.


The Elfiq can initially be configured through the console cable.

Once the Elfiq is configured with an IP address, the Elfiq Explorer provides a GUI into the appliance.

Changes to the System configuration can be made in the System CLI interface.

Changes to the Load Balancing configuration can be made in the VFI0 CLI interface.


Appendix A - NetScaler Configuration

Headquarters NetScaler

nshq1> #NS9.0 Build 47.008

# Last modified by `save config`, Mon Aug 11 18:07:27 2008

set ns config -IPAddress 10.217.104.71 -netmask 255.255.255.0

enable ns feature WL SP LB

enable ns mode FR L3 Edge USNIP PMTUD

set interface 1/1 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor ON -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/2 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/3 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/4 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/5 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/6 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/7 -speed AUTO -duplex AUTO -flowControl RXTX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/8 -speed AUTO -duplex AUTO -flowControl RXTX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

add ns ip 10.217.104.73 255.255.255.0 -vServer DISABLED

add ns ip 65.89.216.1 255.255.255.0 -vServer DISABLED -dynamicRouting ENABLED

add ns ip 172.16.104.1 255.255.255.0 -vServer DISABLED -dynamicRouting ENABLED

add ns ip 10.217.104.72 255.255.255.0 -type MIP -vServer DISABLED

add ns ip 66.91.171.1 255.255.255.0 -vServer DISABLED -dynamicRouting ENABLED

add ns ip 65.89.216.2 255.255.255.0 -vServer DISABLED

add vlan 65 -ipv6DynamicRouting ENABLED

add vlan 66 -ipv6DynamicRouting ENABLED

add vlan 172 -ipv6DynamicRouting ENABLED

bind vlan 65 -ifnum 1/8

bind vlan 65 -IPAddress 65.89.216.1 255.255.255.0

bind vlan 66 -ifnum 1/6

bind vlan 66 -IPAddress 66.91.171.1 255.255.255.0

bind vlan 172 -ifnum 1/7


bind vlan 172 -IPAddress 172.16.104.1 255.255.255.0

add server Server151 172.16.104.151

add serviceGroup ServerGroup151 HTTP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB YES -CMP YES

add lb vserver VIP151 HTTP 65.89.216.151 80 -persistenceType NONE -lbMethod ROUNDROBIN -cltTimeout 180

bind serviceGroup ServerGroup151 Server151 80 -serverID 151

bind lb vserver VIP151 ServerGroup151

bind lb monitor "http-ecv" ServerGroup151

add route 0.0.0.0 0.0.0.0 65.89.216.250 -distance 205 -cost 1

set rnat 172.16.104.0 255.255.255.0 -natIP 65.89.216.2

set ns hostName nshq1

nshq1>

Remote NetScaler

nsremote> #NS9.0 Build 47.008

# Last modified by `save config`, Mon Aug 11 18:16:04 2008

set ns config -IPAddress 169.145.91.71 -netmask 255.255.255.0

enable ns feature WL SP LB

enable ns mode FR L3 Edge USNIP PMTUD

set interface 1/1 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor ON -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/2 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/3 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/4 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/5 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/6 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/7 -speed AUTO -duplex AUTO -flowControl RXTX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/8 -speed AUTO -duplex AUTO -flowControl RXTX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

add ns ip 76.220.202.1 255.255.255.0 -vServer DISABLED -dynamicRouting ENABLED

add ns ip 75.97.59.1 255.255.255.0 -vServer DISABLED -dynamicRouting ENABLED

add ns ip 169.145.91.1 255.255.255.0 -vServer DISABLED

add ns ip 76.220.202.2 255.255.255.0 -vServer DISABLED


add vlan 75 -ipv6DynamicRouting ENABLED

add vlan 76 -ipv6DynamicRouting ENABLED

bind vlan 75 -ifnum 1/7

bind vlan 75 -IPAddress 75.97.59.1 255.255.255.0

bind vlan 76 -ifnum 1/8

bind vlan 76 -IPAddress 76.220.202.1 255.255.255.0

add server Server152 169.145.91.152

add serviceGroup Service152 HTTP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

add lb vserver VIP152 HTTP 76.220.202.152 80 -persistenceType NONE -lbMethod ROUNDROBIN -cltTimeout 180

bind serviceGroup Service152 Server152 80 -serverID 152

bind lb vserver VIP152 Service152

bind lb monitor "http-ecv" Service152

add route 0.0.0.0 0.0.0.0 76.220.202.250 -distance 205 -cost 1

set rnat 169.145.91.0 255.255.255.0 -natIP 76.220.202.2

set ns hostName nsremote

nsremote>
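An added example, not part of the Citrix guide: a small Python lint for the addressing in a NetScaler configuration like the two listed above, run here on an excerpt of the Headquarters listing. The rules it applies (VLAN-bound and RNAT addresses must be declared with `add ns ip`; route gateways and VIPs must fall inside a declared subnet) are assumptions drawn from how these two configurations are laid out, and `audit` is a hypothetical helper name.

```python
import ipaddress
import shlex

# Excerpt of the Headquarters NetScaler configuration listed in Appendix A.
HQ_CONFIG = """\
add ns ip 65.89.216.1 255.255.255.0 -vServer DISABLED -dynamicRouting ENABLED
add ns ip 172.16.104.1 255.255.255.0 -vServer DISABLED -dynamicRouting ENABLED
add ns ip 65.89.216.2 255.255.255.0 -vServer DISABLED
bind vlan 65 -IPAddress 65.89.216.1 255.255.255.0
bind vlan 172 -IPAddress 172.16.104.1 255.255.255.0
add lb vserver VIP151 HTTP 65.89.216.151 80 -persistenceType NONE -lbMethod ROUNDROBIN -cltTimeout 180
add route 0.0.0.0 0.0.0.0 65.89.216.250 -distance 205 -cost 1
set rnat 172.16.104.0 255.255.255.0 -natIP 65.89.216.2
"""


def audit(config_text):
    """Return addressing findings; an empty list means the plan is consistent.

    The rules are assumptions taken from this guide's layout, not a
    validation performed by NetScaler itself.
    """
    owned, subnets, checks, findings = set(), [], [], []
    for line in config_text.splitlines():
        t = shlex.split(line)
        if t[:3] == ["add", "ns", "ip"]:
            # Appliance-owned address and the subnet it sits in.
            owned.add(ipaddress.ip_address(t[3]))
            subnets.append(ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False))
        elif t[:2] == ["bind", "vlan"] and "-IPAddress" in t:
            checks.append(("owned", f"vlan {t[2]} address", t[t.index("-IPAddress") + 1]))
        elif t[:2] == ["set", "rnat"] and "-natIP" in t:
            checks.append(("owned", "rnat natIP", t[t.index("-natIP") + 1]))
        elif t[:2] == ["add", "route"]:
            checks.append(("on_link", f"route {t[2]}/{t[3]} gateway", t[4]))
        elif t[:3] == ["add", "lb", "vserver"]:
            checks.append(("on_link", f"vserver {t[3]} VIP", t[5]))
    for kind, what, addr in checks:
        ip = ipaddress.ip_address(addr)
        if kind == "owned" and ip not in owned:
            findings.append(f"{what} {ip} is not defined by 'add ns ip'")
        elif kind == "on_link" and not any(ip in net for net in subnets):
            findings.append(f"{what} {ip} is outside every 'add ns ip' subnet")
    return findings


if __name__ == "__main__":
    for finding in audit(HQ_CONFIG) or ["no addressing inconsistencies found"]:
        print(finding)
```

A mistyped `-natIP` or default gateway is the kind of error this catches before the configuration is saved; on the excerpt above it reports nothing.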

Appendix B - WanScaler Configuration

Headquarters WanScaler

To configure the management IP address, you need 4 commands: address, netmask, gateway and restart.

The following is the configuration of the management IP address for the HQ WanScaler:

> address 65.89.216.81

Address set to: 65.89.216.81

> netmask 255.255.255.0

NetMask set to: 255.255.255.0

> gateway 65.89.216.1

Gateway set to: 65.89.216.1

> restart

Remote WanScaler

> address 76.220.202.81

Address set to: 76.220.202.81


Restart is required before change becomes effective.

> netmask 255.255.255.0

NetMask set to: 255.255.255.0

> gateway 76.220.202.1

Gateway set to: 76.220.202.1

> restart

Appendix C - Elfiq Configuration

ElfIQ Headquarters Configuration

## EOS Version [3.2.1]

## ( vfi0 )

clr all

## Description

description Not defined

## Inside interface

attach in eth3

## Outside interface(s)

attach out eth1,eth2

## Features

feature default_balancing_group enable

## Arp entries (static)

arp 65.89.216.1 auto inside 30

## Acl arp (static)

acl arp +ip 1 +65.89.216.0/24 +reply fw:65.89.216.1 inside

acl arp +ip 2 +66.91.171.0/24 +reply fw:65.89.216.1 inside

## Protofix rules

protofix ftp 21

## Gmac entries

gmac 1 auto SimulatedDC1 65.89.216.250/24 1 64 64 0 217.63.65.1:22,0.0.0.0:1 50/50

gmac dev 1 eth2

gmac qos 1 tc_htb 64/64,64/64

gmac probe 1 1 2

gmac tcpprobe 1 65.89.216.1

gmac 2 auto SimulatedDC2 66.91.171.250/24 2 64 64 0 217.63.65.2:22,217.63.66.2:1 50/50


gmac dev 2 eth1

gmac qos 2 tc_htb 64/64,64/64

gmac probe 2 1 2

gmac tcpprobe 2 66.91.171.1

## Acl nat outside

acl nat out +ip 1 +any +65.89.216.0/24 +nat ndnet:65.89.216.0/24

acl nat out +ip 2 +any +66.91.171.0/24 +nat ndnet:65.89.216.0/24

## Acl nat inside

acl nat in +tcp 1 +65.89.216.0/24:0-0 +any:143-143 +nat poolip:1,20 etfa

acl nat in +tcp 2 +65.89.216.0/24:0-0 +any:110-110 +nat poolip:1,20 etfa

acl nat in +tcp 3 +65.89.216.0/24:0-0 +any:25-25 +nat poolip:1,20 opfa

acl nat in +tcp 4 +65.89.216.0/24:0-0 +any:443-443 +nat poolip:1,20 etfa

acl nat in +tcp 5 +65.89.216.0/24:0-0 +any:80-80 +nat poolip:1,20 etfa

acl nat in +tcp 6 +65.89.216.0/24:0-0 +any:21-21 +nat poolip:1,20 etfa

acl nat in +udp 1 +65.89.216.0/24:0-0 +any:53-53 +nat poolip:1,20 opfa

acl nat in +udp 2 +65.89.216.0/24:500-500 +any:500-500 +nat poolip:1,20 opfa

acl nat in +ipsec-esp 1 +65.89.216.0/24:0-0 +any +nat poolip:1,20 opfa

acl nat in +ip 1 +65.89.216.0/24:0-0 +any +nat poolip:1,20 opfa

## IP pools

poolip 20 66.91.171.0/24

## Generated: Aug 11 09:28:39

ElfIQ Remote Configuration

## EOS Version [3.2.1]

## ( vfi0 )

clr all

## Description

description Not defined

## Inside interface

attach in eth3

## Outside interface(s)

attach out eth1,eth2

## Features

feature default_balancing_group enable

## Arp entries (static)

arp 76.220.202.1 auto inside 30


## Acl arp (static)

acl arp +ip 1 +76.220.202.0/24 +reply fw:76.220.202.1 inside

acl arp +ip 2 +75.97.59.0/24 +reply fw:76.220.202.1 inside

## Protofix rules

protofix ftp 21

## Gmac entries

gmac 1 auto SimulatedDC1 76.220.202.250/24 1 20000 20000 0 217.63.65.2:1148,217.63.66.1:22 100/100

gmac dev 1 eth2

gmac tcpprobe 1 76.220.202.1

gmac 2 auto SimulatedDC2 75.97.59.250/24 2 20000 20000 0 217.63.65.2:22,217.63.66.2:1148 100/100

gmac dev 2 eth1

gmac tcpprobe 2 75.97.59.1

## Acl persistence inside

acl per in +tcp 1 +any +any:443-443 +persist 600

acl per in +tcp 2 +any +any:80-80 +persist 600

## Acl nat outside

acl nat out +ip 1 +any +76.220.202.0/24 +nat ndnet:76.220.202.0/24

acl nat out +ip 2 +any +75.97.59.0/24 +nat ndnet:76.220.202.0/24

## Acl nat inside

acl nat in +tcp 1 +76.220.202.0/24:0-0 +any:143-143 +nat poolip:1,20 etfa

acl nat in +tcp 2 +76.220.202.0/24:0-0 +any:110-110 +nat poolip:1,20 etfa

acl nat in +tcp 3 +76.220.202.0/24:0-0 +any:25-25 +nat poolip:1,20 opfa

acl nat in +tcp 4 +76.220.202.0/24:0-0 +any:443-443 +nat poolip:1,20 etfa

acl nat in +tcp 5 +76.220.202.0/24:0-0 +any:80-80 +nat poolip:1,20 etfa

acl nat in +tcp 6 +76.220.202.0/24:0-0 +any:21-21 +nat poolip:1,20 etfa

acl nat in +udp 1 +76.220.202.0/24:0-0 +any:53-53 +nat poolip:1,20 opfa

acl nat in +udp 2 +76.220.202.0/24:500-500 +any:500-500 +nat poolip:1,20 opfa

acl nat in +ipsec-esp 1 +76.220.202.0/24:0-0 +any +nat poolip:1,20 opfa

acl nat in +ip 1 +76.220.202.0/24:0-0 +any +nat poolip:1,20 opfa

## IP pools

poolip 20 75.97.59.0/24

## Generated: Aug 11 08:21:20
