Configuring Citrix NetScaler to Load Balance ADFS v3.0
The link below is broken, I also do not have a copy of the full document I created in July 2015. Do not e-mail me directly asking for a copy.
To ensure ADFS and the WAP servers are highly available a hardware load balance is recommended. In this example I have outlined how to configure Citrix NetScalers to do this. If you are deploying ADFS for Office 365, it is important that the service is highly available otherwise users will not be able to authenticate to ADFS.
Microsoft supports NetScaler as a hardware load balance but there is lack of documentation around how to deploy the two solutions together.
Some of the configuration settings such as MAC based forwarding, SSL bridging, session persistence and Client IP header are some of the settings that are not obviously required.
Although the full guide I created no longer exists, I have summarised how to configure the NetScaler to load balance ADFS 3.0 below. This is not a full and conclusive guide. I won't be re-doing the guide until I am asked to do it for a customer.
Although this diagram is for MS Lync, it's similar for ADFS. Imagine you have 2 x WAP in the DMZ and 2 x ADFS in your LAN.
Most places won't have two separate physical NetScaler pairs. The above topology can be achieved using a single pair of Netscalers, with network interfaces on each of the DMZ/LAN networks. Netscaler vServers can then be used to load balance each component. If your security requirements state you must have a physical break then it's different.
- Base configure the Netscalers (NSIP, SIP, routes, default gateways etc)
- at this point it's important to have an interface on each network. If you are deploying the ADFS WAP servers, these should be in your DMZ. Therefore an interface from the NS is required on each of the separate Layer 2 networks.
- if you have problems research "Mac based forwarding"
- Configure high availability of the Netscalers
- Easy to do, Google it. I normally set my HA configuration to Active/Passive.
- Define the server's both ADFS and WAP
- Traffic Management/Load Balancing/Server
- Create a new server object for each of the ADFS/WAP's. Set the protocol to SSL Bridge
- Create a new service one for the WAP's and one for the ADFS's. Traffic Management/Load Balancing/Services
- service 1 = "adfs_https" protocol SSL Bridge
- service 2 = "wap_https" protocol SSL Bridge
- It's important the protocol type matches on the servers/services.
At this point, if you servers are listening on TCP 443 (https) and you have configured the networking correctly the server/services will show as "up" and the light will be green. If not there is some kind of networking problem (remember your WAP servers don't listen on 443 until you have them successfully paired with the ADFS servers)
- You should configure SSL session persistence (I cant remember the exactly menu, you either do this in the service configuration or on the vServer, check eDocs)
- Now create a new vServer for each the WAP's and the ADFS's
- vserver1 = "adfs" give the vserver an IP on the network the backend servers sit on
- vserver2 = "wap" same as above
- When you create the vserver, bind them to the corresponding service (adfs - adfs etc), and set the load balancing method to round robin.
Now you have the NS configured, on the WAP servers create a hosts file entry to point your ADFS service name i.e sso.domain.com to the NS vServer for the ADFS servers. Try to run the WAP-ADFS pairing. If you get an error check out the bindings.