Sample LDAP and LDAPS load balancing configuration

The Citrix Adaptive Authentication instance provides LDAP/LDAPS support using a load balancing virtual server.

Note:

  • If you are not using load balancing for LDAP/LDAPS, avoid creating a service or a server for an LDAP server as this might break the Adaptive Authentication tunnel.
  • If you are using load balancing for LDAP, create a service group and bind it to the load balancing service and not to a standalone service.
  • When using load balancing virtual server for authentication, ensure that you add the load balancing virtual server IP address instead of the actual LDAP server IP address in the LDAP action.
  • By default, a TCP monitor is bound to the service that you create. On the Adaptive Authentication NetScaler instances, the service is marked as UP by default if a TCP monitor is used.
  • For monitoring, it is recommended that you use custom monitors.

Prerequisites

Private IP address (RFC1918 address) of the load balancing virtual server. It can be a dummy IP address as this address is used for internal configuration.

Load balancing LDAP servers

For load balancing LDAP servers, create a service group and bind it to the load balancing virtual server. Do not create a service for load balancing LDAP servers.

Configure LDAP by using the NetScaler CLI:

You can use the following CLI commands as a reference to configure LDAP.

  1. add serviceGroup <serviceGroupName> <serviceType>
  2. bind servicegroup <serviceGroupName> (<IP> | <serverName>) <port>
  3. add lb vserver <name> <serviceType> <ip> <port> (the port must be 389; it is used only for internal communication, and whether the connection to the on-premises server is over SSL depends on the port configured for the service group)
  4. bind lb vserver <name> <serviceGroupName>
  5. add authentication ldapAction <name> (-serverIP <lb vserver ip> | -serverName <string>) (the server IP address must be the load balancing virtual server IP address, not the actual LDAP server IP address)
  6. add authentication policy <ldap_policy_name> -rule <expression> -action <string>
  7. bind authentication vserver auth_vs -policy <ldap_policy_name> -priority <ldap_policy_priority> -gotoPriorityExpression NEXT

Configure LDAP by using the NetScaler GUI:

  1. Navigate to Traffic Management > Load Balancing and then click Virtual Servers.
  2. Create a virtual server of type TCP and port 389.

    Do not create a load balancing virtual server of type SSL/SSL_TCP.

  3. Navigate to Traffic Management > Load Balancing and then click Service Groups.
  4. Create a service group of type TCP and port 389.
  5. Bind the service group to the virtual server that you have created in step 1.

For details on the procedures, see Setup basic load balancing.

Load balancing LDAPS servers

For load balancing LDAPS servers, you must create a load balancing virtual server of type TCP so that no SSL encryption or decryption takes place inside the Adaptive Authentication instance; the load balancing virtual server handles the TLS encryption and decryption in this case. Do not create a load balancing virtual server of type SSL.

Configure LDAPS by using the NetScaler CLI:

You can use the following CLI commands as a reference to configure LDAPS.

  1. add lb vserver <name> <serviceType> <ip> <port> (the port must be 636)
  2. bind lb vserver <name> <serviceGroupName>
  3. add authentication ldapAction <name> (-serverIP <lb vserver ip> | -serverName <string>) (the server IP address must be the load balancing virtual server IP address, not the actual LDAPS server IP address)
  4. add authentication policy <ldap_policy_name> -rule <expression> -action <string>
  5. bind authentication vserver auth_vs -policy <ldap_policy_name> -priority <ldap_policy_priority> -gotoPriorityExpression NEXT

Configure LDAPS by using the NetScaler GUI:

  1. Navigate to Traffic Management > Load Balancing and then click Virtual Servers.
  2. Create a virtual server of type TCP and port 636.

    Do not create a load balancing virtual server of type SSL/SSL_TCP.

  3. Navigate to Traffic Management > Load Balancing and then click Service.
  4. Create a service of type SSL_TCP and port 636.
  5. Bind the service to the virtual server that you have created in step 1.

For details on the procedures, see Setup basic load balancing.

Create custom monitors

Create custom monitors by using the NetScaler GUI:

  1. Navigate to Traffic Management > Load Balancing > Monitors.
  2. Create a monitor of type LDAP. Ensure that you set the monitor probe interval to 15 seconds and the response timeout to 10 seconds.
  3. Bind this monitor to your service.

For more details, see Custom monitors.
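The following script is an added example, not Citrix code: it reads a constructed ns.conf excerpt and flags settings that violate the rules on this page (TCP-only virtual server on port 389 or 636, ldapAction pointing at the load balancing virtual server IP, LDAP monitor with a 15-second interval and 10-second response timeout). The object names and IP addresses in the sample are assumptions, and the option parser assumes every CLI option takes exactly one value.

```python
import shlex

# Constructed ns.conf excerpt with one deliberate mistake: the ldapAction points
# at the real LDAPS server (10.0.0.21) instead of the load balancing vserver IP.
SAMPLE_CONFIG = """
add serviceGroup sg_ldaps SSL_TCP
bind serviceGroup sg_ldaps 10.0.0.21 636
add lb monitor mon_ldap LDAP -interval 15 -resptimeout 10
bind serviceGroup sg_ldaps -monitorName mon_ldap
add lb vserver lb_ldaps TCP 192.168.200.10 636
bind lb vserver lb_ldaps sg_ldaps
add authentication ldapAction ldap_act -serverIP 10.0.0.21 -serverPort 636
"""

def options(tokens):
    """Pair '-flag value' tokens into a dict (assumes every option takes one value)."""
    return dict(zip(tokens[0::2], tokens[1::2]))

def audit(config):
    """Return a list of findings for settings that violate the rules on this page."""
    lines = [shlex.split(l) for l in config.strip().splitlines() if l.strip()]
    findings, lb_ips = [], set()
    for t in lines:
        if t[:3] == ["add", "lb", "vserver"] and len(t) >= 7:
            name, stype, ip, port = t[3:7]
            lb_ips.add(ip)
            if stype.upper() != "TCP":       # SSL/SSL_TCP vserver types are not allowed
                findings.append(f"{name}: vserver type must be TCP, not {stype}")
            if port not in ("389", "636"):   # 389 for LDAP, 636 for LDAPS
                findings.append(f"{name}: vserver port must be 389 or 636, not {port}")
        elif t[:3] == ["add", "lb", "monitor"] and len(t) > 4 and t[4].upper() == "LDAP":
            o = options(t[5:])
            if (o.get("-interval"), o.get("-resptimeout")) != ("15", "10"):
                findings.append(f"{t[3]}: LDAP monitor needs -interval 15 -resptimeout 10")
    for t in lines:                          # second pass, once all LB vserver IPs are known
        if t[:3] == ["add", "authentication", "ldapAction"]:
            ip = options(t[4:]).get("-serverIP")
            if ip and ip not in lb_ips:      # must be the LB vserver IP, not the LDAP server
                findings.append(f"{t[3]}: -serverIP {ip} is not a load balancing vserver IP")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```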