Configuring Load Balanced LDAPS Load Balancing Virtual Server on NetScaler version 11

I recently had to configure a load balanced LDAPS Load Balancing Virtual Server on a NetScaler version 11 for a client, and since the procedure is slightly different from earlier versions, I took the time to document the steps and write this post for future reference. The NetScaler used in this example is a VPX 200 running NS11.0 62.10.nc:

Step #1 – Create Server Objects

Begin by logging into the NetScaler appliance, navigating to Traffic Management > Load Balancing > Servers, and creating the server objects that represent the domain controllers to be used in the load balancing virtual server:

For this example, I will be creating 3 server objects for 3 Domain Controllers:

Step #2 – Create LDAPS Monitor

With the server objects created, navigate to Traffic Management > Load Balancing > Monitors to create the monitor object that will connect to each domain controller and execute an LDAPS query to verify the health of the server:

Type in a name to represent this monitor that will query the servers to verify LDAPS is operational, then select LDAP as the Type:

Leave all of the text fields as the default then scroll all the way down to the bottom and select the Secure checkbox:

Note that prior to NetScaler version 11, the regular LDAP monitor script (nsldap.pl) had to be customized to perform LDAPS health verification.

Scroll back up to the top of the page and select the Special Parameters tab:

Proceed to fill in the following fields:

Script Name: nsldap.pl

Dispatcher IP: 127.0.0.1

Dispatcher Port: 3013

Base DN: dc=yourDomain,dc=com

Bind DN: svc_netscaler@yourDomain.com

Filter: cn=builtin

Password: <password for the service account>

Proceed by clicking on the Create button to create the monitor:

Step #3 – Create Service Group

With the server objects representing the domain controllers and a monitor that can verify the health of LDAPS on each of them, continue by creating a service group. A service group represents a set of domain controllers that share a physical site or are otherwise logically separated from the other domain controllers in your environment. For the purpose of this example, I will be creating a group that represents the domain controllers that reside in the same datacenter. Navigate to Traffic Management > Load Balancing > Service Groups and click on the Add button:

Type in a name to represent the Load Balancing Service Group, select SSL_TCP as the Protocol, then click on the OK button to continue:

Proceed by clicking on the No Service Group Member item:

In the Create Service Group Member window, click on the Server Based option:

Then select the server objects that were created earlier to represent the domain controllers:

With the servers selected, put in the value 636 as the Port number then click on the Create button to create the Service Group Member:

Continue by clicking the OK button:

With the Service Group Members assigned, continue by clicking on the Monitors button on the right side of the menu, then click on the No Service Group to Monitor Binding item:

In the Load Balancing Monitor Binding window, click on the Select Monitor option:

Select the LDAPS monitor that was created earlier in Step #2:

Click on the Bind button:

Before navigating out of the Load Balancing Service Group, click on the 3 Service Group Members item:

Select one of the domain controllers and then click on Monitor Details:

Verify that the Last Response status is labeled as Success – Probe succeeded:

Repeat for the other domain controllers, then exit the monitor details and click on Done to complete the creation of the Load Balancing Service Group:

It is important to note that the Effective State may be labeled as DOWN immediately after creation, but after a few refreshes of the console it should be listed as UP:

Step #4 – Create the Load Balancing Virtual Server

With the server objects, the monitor and the service group representing the domain controllers created, proceed by importing the certificate that will secure traffic to the load balancing virtual server's VIP when clients connect to the FQDN that resolves to that IP address:

Then create a new load balancing virtual server:

Enter a name to represent the load balancing virtual server, select SSL_TCP as the Protocol, enter a unique IP address for this virtual server and 636 as the Port, then click on the OK button to apply the configuration:

Continue by clicking on the No Load Balancing Virtual Server ServiceGroup Binding item:

Select the service group that was created earlier:

Click on the Bind button:

Click on the Continue button:

Click on the No Server Certificate item:

Select the certificate used for this load balancing virtual server:

Click on the Bind button to bind the certificate to the load balancing virtual server:

Click on the Continue button:

Then click on the Done button to complete the creation:

The new load balancing virtual server representing the 3 domain controllers for LDAPS is now ready to be used:
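
The CLI equivalent of Steps 1 through 4, as an added example that is not part of the original post: a POSIX shell function that generates the NetScaler commands the GUI steps create, so the same LDAPS configuration can be applied repeatably instead of clicked through. The object names, IP addresses, certkey name and the LDAP_BIND_PASSWORD environment variable are assumptions; the monitor parameters match the Special Parameters listed in Step 2.

```shell
#!/bin/sh
# Added example: generate the NetScaler CLI equivalent of Steps 1-4.
# Usage: LDAP_BIND_PASSWORD='...' ns_ldaps_config <sg-name> <VIP> <certkey> NAME:IP [NAME:IP ...]
# The output is a NetScaler batch file; object names, IPs and the certkey
# name are assumptions, not values from the original post.

ns_ldaps_config() {
    sg="$1"; vip="$2"; certkey="$3"; shift 3
    mon="mon_${sg}"          # LDAPS monitor (Step 2)
    vs="vs_${sg}"            # load balancing virtual server (Step 4)

    # Refuse to emit a monitor with an empty bind password.
    if [ -z "$LDAP_BIND_PASSWORD" ]; then
        echo "LDAP_BIND_PASSWORD is not set" >&2
        return 1
    fi

    # Step 2: LDAP monitor with the Special Parameters from the GUI;
    # "-secure YES" is the Secure checkbox that makes the probe use LDAPS.
    printf 'add lb monitor %s LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013' "$mon"
    printf ' -baseDN "dc=yourDomain,dc=com" -bindDN "svc_netscaler@yourDomain.com" -filter "cn=builtin"'
    printf ' -password "%s" -secure YES\n' "$LDAP_BIND_PASSWORD"

    # Step 3: SSL_TCP service group with one member per domain controller on port 636.
    printf 'add serviceGroup %s SSL_TCP\n' "$sg"
    for dc in "$@"; do
        name="${dc%%:*}"; ip="${dc#*:}"
        printf 'add server %s %s\n' "$name" "$ip"              # Step 1: server object
        printf 'bind serviceGroup %s %s 636\n' "$sg" "$name"
    done
    printf 'bind serviceGroup %s -monitorName %s\n' "$sg" "$mon"

    # Step 4: SSL_TCP virtual server on the VIP, bound to the group and the certificate.
    printf 'add lb vserver %s SSL_TCP %s 636\n' "$vs" "$vip"
    printf 'bind lb vserver %s %s\n' "$vs" "$sg"
    printf 'bind ssl vserver %s -certkeyName %s\n' "$vs" "$certkey"
}
```

Save the output to a file and apply it on the appliance with `batch -fileName <file>`, then check the Monitor Details for each member as in Step 3.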
