GSLB services for Citrix NetScaler Gateway – Active/Passive setup

Below is a guide on how to set up GSLB services for the Citrix NetScaler Gateway.

Before we get started, lets understand the flow a bit as well as the NetScaler services you need. I also really suggest you read the GSLB configuration guide by Dave Brett, which walks you trough the process of setting up ADNS, as well as GSLB servers, and finally this training video from John Smith which does an escellent job showing you the GSLB setup.

What is needed on the NetScaler?

ADNS – Authoriative DNS Service – This is required on the NetScaler to return the correct IP Address of the currently active NetScaler Gateway – this needs to be in place for GSLB to work correctly.

GSLB Site – This is basically a virtual data centre in its simplest terms.  For Example – Data Center 1 as a primary site and Date Center 2 as a fail over site.

NetScaler Gateway – Basically a secure application/desktop visualization solution to securely deliver access to data center applications/ desktops (virtual or physical).

NetScaler DNS View – Used to  identify various types of clients and provide an appropriate IP address to a group of clients who query for the same GSLB domain.

DNS views are configured by using DNS policies that select the IP addresses sent back to the client.  In the example below when an internal client queries a GSLB CName, the NetScaler will return with an internal DMZ IP of the Gateway and not the public IP.

What is the external DNS query doing?

  • Request
  • Ask Public DNS Servers for IP (Not found so will be passed to next hop i.e. ISP DNS Servers)
  • Public IP Address(s) for ADNS Service NAT’s to Internal ADNS IP present on NetScaler
  • ISP Servers have record for but control is delegated to Public IP Address(s) of ADNS Service for company
  • Public IP Address(s) for ADNS Service NAT’s to Internal ADNS IP present on NetScaler
  • ADNS Service on NetScaler returns the current live external IP Address for NetScaler Gateway


  • Citrix NetsScaler 10.5 Safe Harbor Build
  • StoreFront 2.6


1. Add Gateway Server records with IPs of your NetScaler Gateways

add server remote_gateway_dc1
add server remote_gateway_dc2

2. Setup your DNS view (Ex. client request comes from subnet 10.10.x.x) will receive an internal IP vs the external public IP.  In the example below I am binding this globally, which means all your GSLB services will have the DNS View enabled, you will just need to enter the internal IP you need to provide to the 10.10.x.x client requests

add dns view internal_dns_view
add dns action internal_dns_action ViewName -viewName internal_dns_view
add dns policy internal_dns_policy “CLIENT.IP.SRC.IN_SUBNET(” internal_dns_action

bind dns global internal_dns_policy 100 -gotoPriorityExpression END -type REQ_DEFAULT

3. Add GSLB services for Data Center 1 and Data Center 2, provide external IPs and bind to the server gateways created earlier.  Please note I disabled AppFlow as there are still some known issues with 10.5 and I rather not take any changes 😛

add gslb service remote_gateway_dc1_gslbsvc remote_gateway_ny SSL 443 -publicIP external_ip_address -publicPort 443 -maxClient 0 -siteName NY -cltTimeout 180 -svrTimeout 360 -downStateFlush DISABLED -appflowLog DISABLED

add gslb service remote_gateway_dc2_gslbsvc remote_gateway_nj SSL 443 -publicIP external_ip_address-publicPort 443 -maxClient 0 -siteName NJ -cltTimeout 180 -svrTimeout 360 -downStateFlush DISABLED -appflowLog DISABLED

add gslb vserver remote_gateway_dc1_gslbvs HTTP -lbMethod RTT -backupLBMethod ROUNDROBIN -tolerance 0 -EDR ENABLED -MIR ENABLED -appflowLog DISABLED

add gslb vserver remote_gateway_dc2_gslbvs HTTP -lbMethod RTT -backupLBMethod ROUNDROBIN -tolerance 0 -EDR ENABLED -MIR ENABLED -appflowLog DISABLED

4. Bind your services to your GSLB vServers

bind gslb vserver remote_gateway_dc1_gslbvs -domainName -TTL 5

bind gslb vserver remote_gateway_dc2_gslbvs -serviceName remote_gateway_dc2_gslbsvc

5. Bind those DNS View settings with the internal DMZ IP address of your Gateways

bind gslb service remote_gateway_dc1_gslbsvc -viewName internal_dns_view

bind gslb service remote_gateway_dc2_gslbsvc -viewName internal_dns_view

6. Set up a failover GSLB vServer, in my case Data Center 1 is active, and Data Center 2 will remain passive.  When you do this, the passive node will use the active GSLB vServer as a proxy, which contains the

set gslb vserver remote_gateway_dc1_gslbvs -backupVServer remote_gateway_dc2_gslbvs -lbMethod RTT -backupLBMethod ROUNDROBIN -tolerance 0 -EDR ENABLED -MIR ENABLED -appflowLog DISABLED

Failover node

Won’t go into details, as the fail over node will need the same configuration, just note that the domain name being added, in our case and the backup vServer when setting up the GSLB vServers should be set exactly the same as the primary site.

set gslb vserver remote_gateway_dc2_gslbvs -backupVServer remote_gateway_dc1_gslbvs -lbMethod RTT -backupLBMethod ROUNDROBIN -tolerance 0 -EDR ENABLED -MIR ENABLED -appflowLog DISABLED

Hope this helps and drop a comment if you need any additional help


I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.

About CyberRuiz
Highly motivated with over 12 years experience on Citrix/VMWare/Microsoft/technologies. Exceptional communication skills and team player. CCIA – Citrix Certified Integration Architect. CCEA – Citrix Certified Enterprise Administrator. VCP – VMWare Certified Professional in ESX 2.x, VI3, VI4 MCSE – Microsoft Certified Systems Engineer

2 Responses to GSLB services for Citrix NetScaler Gateway – Active/Passive setup

  1. Jose Peña says:

    This is really GREAT! any chance you can provide screenshots? Some of us are still in the learning process and it would be easier to follow if GUI screenshots are available.

    Thank you Daniel

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: