Citrix Access Gateway v5.x – High Availability
One often undervalued feature of Access Gateway Standard Edition (5.x) is high availability. Using it helps mitigate unplanned downtime and lets an administrator perform scheduled maintenance with minimal impact. Configuring the feature is quick, and when it is used in conjunction with session reliability the Access Gateway can fail over and connectivity be re-established without the user needing to re-authenticate.
Below is some key high-level information:
- Each AG must be running the same firmware version
- Passwords are not synchronised between appliances
- UDP 694 is used for appliance failover
- TCP 5432 is used for database communications
- A different networking configuration (including static routing) can be specified on each node; all other settings are replicated from the primary to the secondary node
How it works
First, both Access Gateways must be configured with their respective network settings, including nominating a network adapter for appliance failover. The first node can then be configured for HA, after which the second node simply joins and receives its configuration from the primary appliance.
The nodes use a pre-shared key to enable synchronisation; if this key is entered incorrectly on the secondary node during configuration, it will fail to join the primary node in an HA configuration. The pre-shared key can be changed after the initial installation, but doing so requires re-configuring appliance failover.
The HA pair uses virtual IP addresses to simplify the configuration and enable near-instant failover. There is an external virtual IP address and an internal virtual IP address. The external address should be configured as the target address when creating the NAT rule for external access to the Access Gateway; the internal address is used to communicate with backend servers, such as an authentication server or Web Interface server.
As with many HA solutions, the secondary unit sends a heartbeat to the primary appliance every second and expects a normal response. If 10 heartbeats are missed, the secondary appliance takes over the primary role. It then issues a gratuitous ARP (GARP), an unsolicited ARP announcement that tells nearby devices the virtual IP addresses previously owned by the primary now belong to the secondary appliance, so that their ARP caches are updated and connections are routed to the secondary. Because the takeover relies on GARP, each virtual IP can only move between adapters that share the same broadcast domain, so the two appliances' ETH0 interfaces must be on the same segment, and likewise their ETH1 interfaces.
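The failover decision and the GARP step, modelled as an added example (this is an illustration written for this article, not Citrix code, and the on-wire details, MAC addresses and the 192.168.75.10 / 10.121.0.10 virtual IPs are assumed sample values). It runs the one-second heartbeat, the 10-miss threshold and the ARP-cache update on a simulated neighbour, so you can see why a short outage of fewer than 10 seconds does not cause a failover while a longer one moves both VIPs:

```python
"""Simulation of Access Gateway 5.x appliance failover as described above.

Added illustration, not Citrix code.  The secondary sends one heartbeat per
second; after 10 consecutive misses it promotes itself and sends a gratuitous
ARP for every virtual IP.  Addresses and MACs are constructed sample values.
"""
from dataclasses import dataclass, field

HEARTBEAT_INTERVAL_S = 1   # heartbeat every second (from the article)
MISS_THRESHOLD = 10        # promote after 10 missed heartbeats (from the article)

# Constructed sample values matching the article's subnets; not a real deployment.
EXTERNAL_VIP = "192.168.75.10"
INTERNAL_VIP = "10.121.0.10"
PRIMARY_MAC = "00:50:56:00:00:01"
SECONDARY_MAC = "00:50:56:00:00:02"


@dataclass
class Primary:
    alive: bool = True

    def answer_heartbeat(self) -> bool:
        # A healthy primary answers every heartbeat; a dead one answers nothing.
        return self.alive


@dataclass
class Neighbour:
    """A router or switch beside the pair; its ARP cache decides where VIP traffic goes."""
    arp_cache: dict = field(default_factory=dict)

    def on_arp(self, frame: dict) -> None:
        # A gratuitous ARP has sender IP == target IP; neighbours adopt the new sender MAC.
        if frame["sender_ip"] == frame["target_ip"]:
            self.arp_cache[frame["sender_ip"]] = frame["sender_mac"]


@dataclass
class Secondary:
    mac: str
    vips: tuple
    role: str = "secondary"
    missed: int = 0
    sent_garps: list = field(default_factory=list)

    def tick(self, primary: Primary, neighbours: list) -> None:
        """One heartbeat interval: send a heartbeat and act on the (missing) reply."""
        if self.role == "primary":
            return
        if primary.answer_heartbeat():
            self.missed = 0          # any reply resets the counter: brief loss is tolerated
            return
        self.missed += 1
        if self.missed >= MISS_THRESHOLD:
            self._promote(neighbours)

    def _promote(self, neighbours: list) -> None:
        self.role = "primary"
        for vip in self.vips:
            # GARP: "who has VIP? tell VIP" with our MAC as sender, broadcast to the segment.
            frame = {"op": "request", "sender_mac": self.mac, "sender_ip": vip, "target_ip": vip}
            self.sent_garps.append(frame)
            for n in neighbours:
                n.on_arp(frame)


def simulate(primary_up_per_second: list) -> dict:
    """Drive the pair one second at a time.

    primary_up_per_second[i] says whether the primary is alive during second i+1.
    Returns the secondary's final role, the second at which failover happened (or None)
    and the neighbour's resulting ARP cache for both VIPs.
    """
    primary = Primary()
    secondary = Secondary(mac=SECONDARY_MAC, vips=(EXTERNAL_VIP, INTERNAL_VIP))
    lan = Neighbour(arp_cache={EXTERNAL_VIP: PRIMARY_MAC, INTERNAL_VIP: PRIMARY_MAC})
    failover_at = None
    for second, up in enumerate(primary_up_per_second, start=1):
        primary.alive = up
        secondary.tick(primary, [lan])
        if secondary.role == "primary" and failover_at is None:
            failover_at = second * HEARTBEAT_INTERVAL_S
    return {"role": secondary.role, "failover_at_s": failover_at, "arp": dict(lan.arp_cache)}


if __name__ == "__main__":
    print("primary dies at t=5s:", simulate([True] * 5 + [False] * 10))
    print("9-second blip only:   ", simulate([False] * 9 + [True] + [False] * 9))
```

The model stops where the article stops: it does not cover what happens if the original primary comes back after the secondary has promoted itself, so test that case on the real appliances (using the force failover button described later) rather than assuming either behaviour.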
Sample configuration details
The sample configuration used in this article is based on an Access Gateway with ETH0 in a DMZ/perimeter network (192.168.75.0/24) and ETH1 in the LAN (10.121.0.0/24). The default gateway is via ETH0, and static routes can be added for any additional internal networks that need to be reached via ETH1. ETH1 is used for the appliance heartbeats and failover, and has been selected for that purpose within the management interface.
The networking configuration of the first gateway can be seen below:
The networking configuration of the second gateway is below:
Once the networking configuration has been set, HA can be configured and enabled. When both appliances have been configured and joined as a pair, the secondary appliance receives all configuration details from the primary appliance and applies them. This ensures the units are identical, so that in the event of a failover the secondary unit does not need re-configuring. Any further configuration changes are synchronised between the appliances.
The node that will be designated as the primary appliance is used to configure the high availability settings. The “appliance failover” node within the management GUI is used for this; the following settings should be configured:
- Appliance Failover Role – Primary
- Shared Key – Pre-shared password for synchronisation
- Peer IP Address – The IP address of the secondary node
- Internal Virtual IP address – IP address used for communicating with backend servers
- External Virtual IP address – IP address used for external connectivity
The primary appliance configuration will look similar to this:
To configure the secondary appliance the following needs to be configured:
- Appliance Failover Role – Secondary
- Shared Key – Pre-shared password for synchronisation
- Peer IP Address – IP address of primary node
Once the configuration has been completed, select the “Join Primary” button and the unit will participate in high availability.
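Before clicking “Join Primary” it is worth checking the two configurations against each other, because a mismatched firmware version or shared key only shows up as a failed join. The following pre-flight check is an added example written for this article (not Citrix tooling). It encodes the rules the article lists (same firmware, matching shared key, UDP 694 and TCP 5432 between the nodes, a nominated heartbeat adapter, one external and one internal VIP) plus one consequence of the GARP-based takeover: a VIP must lie in the subnet of the adapter that will own it. The `Node` and `HaConfig` classes, the firmware string, the node addresses and the assumption that the failover and database flows run between the heartbeat addresses are all constructed for the illustration:

```python
"""Pre-flight checks for an Access Gateway 5.x appliance-failover pair.

Added example, not Citrix tooling.  Node, HaConfig and all sample values are
constructed; the article's sample subnets (192.168.75.0/24 on ETH0,
10.121.0.0/24 on ETH1) are reused so the check matches the walkthrough.
"""
import ipaddress
from dataclasses import dataclass

FAILOVER_FLOWS = (("udp", 694), ("tcp", 5432))   # appliance failover and database sync (from the article)


@dataclass(frozen=True)
class Node:
    name: str
    firmware: str
    eth0: str            # DMZ address in CIDR form
    eth1: str            # LAN address in CIDR form
    heartbeat_if: str    # adapter nominated for appliance failover ("eth0" or "eth1")

    def iface(self, adapter: str) -> ipaddress.IPv4Interface:
        return ipaddress.ip_interface(getattr(self, adapter))


@dataclass(frozen=True)
class HaConfig:
    primary_key: str          # shared key as typed on the primary
    secondary_key: str        # shared key as typed on the secondary
    peer_ip_on_primary: str   # "Peer IP Address" entered on the primary
    peer_ip_on_secondary: str # "Peer IP Address" entered on the secondary
    external_vip: str         # virtual IP that will live on eth0
    internal_vip: str         # virtual IP that will live on eth1


def preflight(primary: Node, secondary: Node, ha: HaConfig) -> list:
    """Return human-readable findings; an empty list means the pair should join cleanly."""
    findings = []
    if primary.firmware != secondary.firmware:
        findings.append(f"firmware mismatch: {primary.firmware} vs {secondary.firmware}")
    if ha.primary_key != ha.secondary_key:
        findings.append("shared key differs between nodes; the secondary will fail to join")
    if primary.heartbeat_if != secondary.heartbeat_if:
        findings.append("nodes nominate different heartbeat adapters")
    p_hb = primary.iface(primary.heartbeat_if)
    s_hb = secondary.iface(secondary.heartbeat_if)
    if p_hb.network != s_hb.network:
        findings.append(f"heartbeat adapters are on different subnets ({p_hb.network} vs {s_hb.network})")
    # Assumption: the peer IP is the other node's address on the heartbeat adapter.
    if ipaddress.ip_address(ha.peer_ip_on_primary) != s_hb.ip:
        findings.append("peer IP on the primary is not the secondary's heartbeat address")
    if ipaddress.ip_address(ha.peer_ip_on_secondary) != p_hb.ip:
        findings.append("peer IP on the secondary is not the primary's heartbeat address")
    # A VIP moves by gratuitous ARP, so it must sit in the owning adapter's subnet on both nodes
    # and must not collide with either node's own address.
    for label, vip, adapter in (("external", ha.external_vip, "eth0"),
                                ("internal", ha.internal_vip, "eth1")):
        vip_addr = ipaddress.ip_address(vip)
        for node in (primary, secondary):
            ifc = node.iface(adapter)
            if vip_addr not in ifc.network:
                findings.append(f"{label} VIP {vip} is outside {node.name} {adapter} subnet {ifc.network}")
            elif vip_addr == ifc.ip:
                findings.append(f"{label} VIP {vip} collides with {node.name} {adapter} address")
    if ha.external_vip == ha.internal_vip:
        findings.append("external and internal VIPs must differ")
    return findings


def required_firewall_flows(primary: Node, secondary: Node) -> list:
    """(src, dst, proto, port) tuples to permit between the heartbeat addresses, both directions.

    Assumption: failover (UDP 694) and database (TCP 5432) traffic uses the nominated adapter.
    """
    src = str(primary.iface(primary.heartbeat_if).ip)
    dst = str(secondary.iface(secondary.heartbeat_if).ip)
    flows = []
    for proto, port in FAILOVER_FLOWS:
        flows.append((src, dst, proto, port))
        flows.append((dst, src, proto, port))
    return flows


# Constructed sample pair; firmware string and addresses are placeholders.
AG1 = Node("ag1", "5.0.4", "192.168.75.11/24", "10.121.0.11/24", "eth1")
AG2 = Node("ag2", "5.0.4", "192.168.75.12/24", "10.121.0.12/24", "eth1")
HA = HaConfig("s3cret-shared-key", "s3cret-shared-key",
              peer_ip_on_primary="10.121.0.12", peer_ip_on_secondary="10.121.0.11",
              external_vip="192.168.75.10", internal_vip="10.121.0.10")

if __name__ == "__main__":
    print("findings:", preflight(AG1, AG2, HA) or "none")
    print("permit:", required_firewall_flows(AG1, AG2))
```

Run it with the real values from both management GUIs before joining; the firewall-flow output is the rule set to confirm on any filtering device between the ETH1 interfaces, since the ports are listed on the page but the appliances will not tell you which one is blocked.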
There may be occasions when an administrator wishes to force the failover of the primary role to the secondary node, for example before scheduled maintenance or to test the pair before relying on it. This can be done using the “force failover” button within the “appliance failover” section of the primary node’s GUI.
End user experience
Arguably the most important part of all this is what happens to the end user’s session. If session reliability is enabled, the session reconnects to the new gateway automatically; the same is possible for Access Gateway plug-in based connections. This is facilitated by the synchronisation of session data between the appliances.
If session reliability is disabled the user will be required to re-authenticate and re-launch the published application/desktop.
Although the setup is quite easy, I wasn’t really aware of how exactly it worked under the hood. Thanks for a clear explanation!