I recently had to configure an LDAPS load balancing virtual server on a NetScaler version 11 for a client, and since the procedure is slightly different from earlier versions, I took the time to document the steps so I can write this post for future reference. The NetScaler used in this example is a VPX 200 running NS11.0 62.10.nc:
Step #1 – Create Server Objects
Begin by logging into the NetScaler appliance and navigating to Traffic Management > Load Balancing > Servers and create the server objects that represent your domain controllers that will be used in the load balancing virtual server:
For this example, I will be creating 3 server objects for 3 Domain Controllers:
Step #2 – Create LDAPS Monitor
With the server objects created, navigate to Traffic Management > Load Balancing > Monitors to create the monitor object that will reach out to the domain controllers and execute an LDAPS query to verify the health of each server:
Type in a name to represent this monitor that will query servers to verify LDAPS is operational, select LDAP as the Type:
Leave all of the text fields as the default then scroll all the way down to the bottom and select the Secure checkbox:
Note that prior to NetScaler version 11, we would have had to customize the regular LDAP monitor script (nsldap.pl) to perform LDAPS health verification.
Scroll back up to the top of the page and select the Special Parameters tab:
Proceed to fill in the following fields:
Script Name: nsldap.pl
Dispatcher IP: 127.0.0.1
Dispatcher Port: 3013
Base DN: dc=yourDomain,dc=com
Bind DN: svc_netscaler@yourDomain.com
Filter: cn=builtin
Password: <password for the service account>
Proceed by clicking on the Create button to create the monitor:
Step #3 – Create Service Group
With the server objects representing the domain controllers and a monitor capable of verifying the health of LDAPS, continue by creating a service group of domain controllers that represents a physical site or a logical separation from the other domain controllers in your environment. For the purpose of this example, I will be creating a group that represents the domain controllers that reside in the same datacenter. Navigate to Traffic Management > Load Balancing > Service Groups and click on the Add button:
Type in a name to represent the Load Balancing Service Group then select SSL_TCP as the Protocol then click on the OK button to continue:
Proceed by clicking on the No Service Group Member item:
In the Create Service Group Member window, click on the Server Based option:
Then select the server objects that were created earlier to represent the domain controllers:
With the servers selected, put in the value 636 as the Port number then click on the Create button to create the Service Group Member:
Continue by clicking the OK button:
With the Service Group Members assigned, continue by clicking on the Monitors button on the right side of the menu then click on the No Service Group to Monitor Binding item:
In the Load Balancing Monitor Binding window, click on the Select Monitor option:
Select the LDAPS monitor that was created earlier in Step #2:
Click on the Bind button:
Before navigating out of the Load Balancing Service Group, click on the 3 Service Group Members item:
Select one of the domain controllers and then click on Monitor Details:
Verify that the Last Response status is labeled as Success – Probe succeeded:
Repeat for the other domain controllers then proceed to exit out of the monitors then click on Done to complete the creation of the Load Balancing Service Group:
It’s important to note that the Effective State may be labeled as DOWN right after the initial creation, but a few refreshes of the console should list it as being UP:
Step #4 – Create the Load Balancing Virtual Server
With the servers, the monitor and the service group representing the domain controllers created, proceed by importing the certificate that will secure traffic to the load balancing virtual server’s VIP when clients connect to the FQDN that resolves to that IP address:
Then create a new load balancing virtual server:
Enter a name to represent the load balancing virtual server, select SSL_TCP as the Protocol, enter a unique IP address for this virtual server and 636 for the Port, then click the OK button to apply the configuration:
Continue by clicking on the No Load Balancing Virtual Server ServiceGroup Binding item:
Select the service group that was created earlier:
Click on the Bind button:
Click on the Continue button:
Click on the No Server Certificate item:
Select the certificate used for this load balancing virtual server:
Click on the Bind button to bind the certificate to the load balancing virtual server:
Click on the Continue button:
Then click the Done button to complete the creation:
The new load balancing virtual server representing the 3 domain controllers for LDAPS is now ready to be used:
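For reference, the same configuration can be entered from the NetScaler CLI instead of the GUI. The following is an added example, not part of the original post: the server names, IP addresses, VIP, object names and certificate key name are placeholders chosen for illustration and must be replaced with your own values, and the lines beginning with # are annotations rather than CLI input.

```nscli
# Step 1: server objects for the three domain controllers (placeholder names/IPs)
add server DC01 10.0.0.11
add server DC02 10.0.0.12
add server DC03 10.0.0.13

# Step 2: LDAP monitor with the Secure flag set, equivalent to the Special Parameters tab above
add lb monitor mon_ldaps LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -baseDN "dc=yourDomain,dc=com" -bindDN "svc_netscaler@yourDomain.com" -filter "cn=builtin" -password "<password for the service account>" -secure YES

# Step 3: SSL_TCP service group, members on port 636, monitor bound to the group
add serviceGroup sg_ldaps_dc SSL_TCP
bind serviceGroup sg_ldaps_dc DC01 636
bind serviceGroup sg_ldaps_dc DC02 636
bind serviceGroup sg_ldaps_dc DC03 636
bind serviceGroup sg_ldaps_dc -monitorName mon_ldaps

# Step 4: SSL_TCP virtual server on the VIP, service group and certificate bound to it
add lb vserver vs_ldaps SSL_TCP 10.0.0.100 636
bind lb vserver vs_ldaps sg_ldaps_dc
bind ssl vserver vs_ldaps -certkeyName ldaps_cert

# Verify member and monitor state (expect each member UP with the probe succeeding), then persist
show serviceGroup sg_ldaps_dc
show lb vserver vs_ldaps
save ns config
```

The `show serviceGroup` output is the CLI counterpart of the Monitor Details check in Step #3: each member should report UP once the monitor's bind and search against the base DN succeed over TLS. The service account named in the bind DN only needs read access to the base DN for the probe, so it can be a dedicated, low-privilege account rather than an administrative one.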