Creating a Load Balanced Multi-Node Citrix StoreFront 2.0 Server Group with NetScaler Gateway 10.1!
Over a year ago I wrote a blog post covering the recently released Citrix Receiver StoreFront 1.0 at the time, which can be found here. Much has changed in the world of Citrix technologies in a year and a half, and I felt it was time to provide an update for the new Citrix StoreFront 2.0 which among other major enhancements has removed the Microsoft SQL database requirement!! Horray! Here’s the updated architectural overview that I will be covering in this blog post:
Additionally, you’ll notice updated vernacular relating to the Access Gateway component as CAG VPX (v5.0.x) can be safely disregarded. If you or a customer you know are still running the 5.0.x code (CAG 2010 for example), here’s your wake up call that it’s time to migrate off that legacy platform (sorry to burst your bubble!). Furthermore, I won’t be covering that platform in any future blog posts, including this one. This article will be highlighting the new NetScaler 10.1 codebase including the rebranded “NetScaler Gateway” which is essentially Access Gateway Enterprise Edition (v10.1) without the advanced Load Balancing functionality. Keep in mind NetScaler Gateway can be purchased as a virtual appliance (VPX) for the low, low price of $995 list price. At $2,000 for an HA pair, you have no more excuses to stay on the CAG platform, so now’s the time to start migrating!
Let’s get started with the basic installation. StoreFront 2.0 can be found on the XenDesktop 7.0 installation media, or can be downloaded as a separate installer from MyCitrix.com Downloads. You can find it under “StoreFront/Web Interface” –> “StoreFront”. Simply click the StoreFront 2.0 link found here:
Review the eDocs if you need to and click Download to get started. Store this download in a safe place, we’ll be using it throughout this article:
As with all components in XenDesktop 7.0, Windows Server 2012 is fully supported, so I will be using that platform as my preferred choice for this article. Double click the installer or Run as Administrator if UAC is enabled:
Accept the lice nse agreement and click Next:
Click Next:
Click Install:
When completed, click Finish:
If you’re a little more inclined to use command line switches to perform installations, you can optionally use the –silent switch from an elevated command prompt, however this option will not provide any progress indicators:
Repeat the above process on all servers in the server group and we will proceed below. Before we get started, we should create the DNS record (friendly name for the VIP) and the load balancer virtual servers. For my internal friendly name, I’ll use storefront.ws12.com:
For the external friendly name, I recommend a different name than internal as I have seen issues in StoreFront 1.x when the same name was used for internal access to StoreFront and external access to Access Gateway. For my external friendly name, I’ll use go.ws12.com:
Next, I’ll go ahead and create the Load Balancing virtual server (VIP) using simple HTTP monitors for the time being. It’s important when creating these LB services that we use the Client IP Headers. When creating the LB Service, this can be found on the Advanced tab. Check the box under Settings to Override Global, check the box to enable Client IP and in the Header text box enter “X-Forwarded-for”:
For the Persistence method we want to use COOKIEINSERT (Optionally you can increase the time-out from the default 2 minutes) with a backup persistence method of SOURCEIP:
Review to ensure that all services have been added appropriately. After we’ve configured the StoreFront sites, I’ll come back and update the monitors to use the built-in StoreFront monitors for NetScaler 10.1:
Let’s start in the console by launching Citrix StoreFront from the start menu of the first server. Click Create a new deployment:
If you have an SSL certificate, you can either offload at the load balancer or pass the SSL traffic directly through to the StoreFront servers. I’ve tested with both options, both are supported. For this demo, I’ll be using HTTP load balancing without SSL certificate to keep the configuration simple. Use the friendly name of the load balanced VIP (http://storefront.ws12.com):
I recommend keeping the first Store named “Store” as a starting point. This will come in hand down the road when you do things like e-mail/DNS based discovery:
Add your delivery controllers and multiple XenApp/XenDesktop sites as appropriate (XenDesktop 7 in my case). If you have a NetScaler load balancer available, I recommend load balancing the XML services to provide more advanced monitoring than built-in StoreFront capabilities:
Review the Sites/Farms and click Next:
For a NetScaler Gateway based deployment, I typically recommend No VPN Tunnel unless you plan on using the Access Gateway plug-ins for SSL VPN. Click Add to configure the NetScaler Gateway (this can always be configured at a later time):
Enter the appropriate information, most importantly the URLs and Subnet IP. If you’re unsure of the Subnet IP, this can be found under the Network –> IPs section within the NetScaler GUI. Ensure that all of these URLs are resolvable to the Access Gateway Virtual IP (VIP), otherwise your deployment may fail. Click Next:
Add the applicable Secure Ticket Authorities using the Fully Qualified Domain Names. Click Create once all have been added:
Review the Remote Access configuration and click Create:
When completed, click Finish:
Before we go any further, now is an opportune time to configure the server group. Expand the tree and select Server Group. Click Add Server on the right action pane:
Copy the Authorization code to your clipboard, we’ll need to enter this on the second server in the group:
On the second server, launch the StoreFront console and select Join existing server group:
Enter the DNS name of the authorizing server (first server) and paste the Authorization code. Click Join:
Unlike previous versions of StoreFront, the user interface in v2.0 is very intuitive, showing detailed progress along the way:
Provided successful, at the end a status message will indicate that the server was joined successfully. From this point forward, I would recommend changes ONLY be made from the first server, then propagated out to the additional servers. If desired, you could even disable logons for the second and subsequent servers.
On the first server, a similar confirmation is displayed:
Propagation automatically occurs when the additional servers are joined now, but after any changes are made, you can come back to this section and manual initiate a synchronization by clicking Propagate Changes in the actions pane:
Additionally, many of the manual activities in previous builds such as configuring authentication sources, beacons, etc. are handled automatically now when using the welcome wizard. This definitely helps and cuts down on the manual steps to build a StoreFront server group.
Outside of this, the only additional changes that I like to make are to enable HTML5 access. The HTML5 Engine components are now automatically installed with StoreFront 2, but need to be manually enabled. To do this, navigate to the Receiver for Web section and click Deploy Citrix Receiver:
Change the option to Use Receiver for HTML5 if local install fails from the default (Install locally) and click OK.
Once this change is made, you’ll need to manually propagate changes using the procedures mentioned above. Now that we have StoreFront sites created, we can proceed with configuration of the NetScaler monitors for StoreFront. To configure the LB Monitors, expand Virtual Servers and Services, right click on Monitors and click Add:
We’ll need to add a monitor for every server in the server group. You can use either IP addresses or DNS names, depending on NetScaler DNS resolution to internal providers. I personally prefer IP addresses as LB VIPs are typically tied to IP addresses anyway. Create a unique name for each monitor, for example IPAddress_StoreFront and select StoreFront at the end of the Type drop-down:
Click the Special Parameters tab and enter http://IPAddress for the host name. Enter the Store name, typically “Store” and be sure to leave Storefront Account Service unchecked. (Note: I tried checking this and the monitor would consistently show DOWN. I checked documentation and I’m not quite sure what this LB Monitor feature does. Perhaps a deprecated component from StoreFront 1.x? Not sure. Just trust me and leave it unchecked.) Click Create and repeat this process for any additional servers in the server group.
Finally, we need to go back to each of our Virtual Services and change the monitor from TCP or HTTP to the StoreFront monitor. You can optionally leave multiple monitors with weights, but I figure if the StoreFront monitor is responding, it’s good enough by me:
Apply the new monitor, save the config, and make sure all the LB services and VIP are showing operational. To test out the new monitor, I stopped the Citrix* IIS Application Pools. As expected, IIS was still responding on HTTP Port 80, but all Citrix StoreFront services were down. Equally expected, the LB Service displayed down within the UI. Optionally at this point you can apply your IIS HTTP Redirects to take the users to /Citrix/StoreWeb. Compared to my previous article on StoreFront 1.0, hopefully you can appreciate how much simpler the end-to-end setup is with StoreFront 2.0 and NetScaler 10.1!
As always, if you have any questions, comments, or just want to leave feedback, please do so below. Thanks for reading!
–youngtech
At what point to you configure the Access Gateway on your External Netscaler? There is no mention of what you did with the external friendly name and IP 10.0.1..123???
What policies did you use on the External AG? How did you get the traffic to the internal Netscaler VIP that load balances the StoreFront servers on your internal network?