NetScaler Source IP – AGEE or Load Balancing Access Gateways

Most of us don’t think about the source IP when we put up any load balancer.  So let’s understand the basics.  This is a good concept that was written by KJ (Ken) Salchow from F5 Networks.

What does this mean for us Citrix fellas when management asks us to provide reports?  Well, we just don’t know where the hell the traffic is coming from.  What?!? The source IP is always the SNIP of the NetScaler?  I had to go to war with some Exchange guy over this (understandably).

I have done it all with this… If you read up on USIP mode on the NetScaler, it will throw you in circles.  And when the nCore version of the NetScaler was announced to be the only version supported after 9.3, I was happy to know AppFlow was going to save the day.  Well, not so much (for now).

Some basics now:

As depicted, the load balancer will typically sit in-line between the client and the hosts that provide the services the client wants to use; like most things in load balancing, this is not a rule, but more of a best practice of the typical deployment. We will also assume that the load balancer is already configured with a virtual server that points to a cluster consisting of two service points. In this deployment scenario, it is also common for the hosts to have a return route that points back to the load balancer so that return traffic will be processed through it on its way back to the client.

The basic load balancing transaction is as follows:

  • The client attempts to connect with the service on the load balancer.
  • The load balancer accepts the connection, and after deciding which host should receive the connection, changes the destination IP (and possibly port) to match the service of the selected host (note that the source IP of the client is not touched).
  • The host accepts the connection and responds back to the original source, the client, via its default route, the load balancer.
  • The load balancer intercepts the return packet from the host and now changes the source IP (and possibly port) to match the virtual server IP and port, and forwards the packet back to the client.
  • The client receives the return packet, believing that it came from the virtual server, and continues the process.
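
The transaction above, and the SNIP case that breaks source-IP reporting, as a small simulation. This is an added example, not code from the original post or from Citrix or F5; all addresses and the names `LoadBalancer`, `Packet` and `host_access_log` are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import cycle

# Constructed sample addresses (documentation/private ranges), not from the post.
VIP = ("192.0.2.80", 443)
HOSTS = [("10.0.0.11", 443), ("10.0.0.12", 443)]
CLIENTS = [("198.51.100.10", 51000), ("203.0.113.25", 51001), ("198.51.100.77", 51002)]
SNIP = "10.0.0.5"

@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)

class LoadBalancer:
    def __init__(self, vip, hosts, snip=None):
        self.vip = vip
        self.hosts = cycle(hosts)   # simple round-robin host selection
        self.snip = snip            # None: client source IP is left untouched
        self.conns = {}             # (host-side source, host) -> original client
        self.next_port = 40000

    def to_host(self, pkt):
        """Bullets 1-2: accept on the VIP, rewrite the destination to a host."""
        if pkt.dst != self.vip:
            raise ValueError("packet is not addressed to the virtual server")
        host, src = next(self.hosts), pkt.src
        if self.snip:               # source NAT: the host now only sees the SNIP
            src = (self.snip, self.next_port)
            self.next_port += 1
        self.conns[(src, host)] = pkt.src
        return Packet(src=src, dst=host)

    def to_client(self, pkt):
        """Bullets 3-5: rewrite the host's reply so it appears to come from the VIP."""
        client = self.conns[(pkt.dst, pkt.src)]
        return Packet(src=self.vip, dst=client)

def host_access_log(snip=None):
    """Return the source IPs the back-end hosts would record for each client."""
    lb, seen = LoadBalancer(VIP, HOSTS, snip), []
    for client in CLIENTS:
        fwd = lb.to_host(Packet(src=client, dst=VIP))
        seen.append(fwd.src[0])
        reply = lb.to_client(Packet(src=fwd.dst, dst=fwd.src))
        assert reply == Packet(src=VIP, dst=client)  # client always sees the VIP
    return seen

if __name__ == "__main__":
    print("transparent:", host_access_log())
    print("via SNIP:   ", host_access_log(SNIP))
```

In both modes the client only ever sees the virtual server, so the difference shows up solely in the back-end logs, which is why it tends to surface first in reporting.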

Well, now that we know this… read this KB article from Citrix that will help you sort things out.  For the company I was working for at the time, this saved us, as we had a critical reporting process in place and the source IP of the client was crucial.  For those of you who are running other WI versions such as 5.x or the new 5.4, reply to the post and I will point you in the right direction.


About CyberRuiz
Highly motivated with over 12 years’ experience on Citrix/VMware/Microsoft technologies. Exceptional communication skills and team player. CCIA – Citrix Certified Integration Architect. CCEA – Citrix Certified Enterprise Administrator. VCP – VMware Certified Professional in ESX 2.x, VI3, VI4. MCSE – Microsoft Certified Systems Engineer.

One Response to NetScaler Source IP – AGEE or Load Balancing Access Gateways

  1. Citrix Admin says:

    Thanks for providing this information! It’ll really come in handy!!!
