Manage client connections

To facilitate management of client connections, you can enable delayed cleanup of connections to the virtual server. You can then manage local DNS traffic by configuring DNS policies.

Enable delayed cleanup of virtual server connections

The state of a virtual server depends on the states of the services bound to it, and the state of each service depends on the monitors bound to it. If a server is slow or down, the monitoring probes time out and the service that represents the server is marked as DOWN. A virtual server is marked as DOWN only when all services bound to it are marked as DOWN. You can configure services and virtual servers to either terminate all connections when they go down, or allow the connections to go through. The latter setting is for situations in which a service is marked as DOWN because of a slow server.

When you configure the down state flush option, the Citrix ADC appliance performs a delayed cleanup of connections to a GSLB service that is down.

To enable delayed cleanup of virtual server connections by using the command line interface

At the command prompt, type the following commands to configure delayed connection cleanup and verify the configuration:

set gslb service <name> -downStateFlush (ENABLED | DISABLED)
show gslb service <name>

Example:

set gslb service Service-GSLB-1 -downStateFlush ENABLED
Done

show gslb service Service-GSLB-1
Done

To enable delayed cleanup of virtual server connections by using the configuration utility

  1. Navigate to Traffic Management > GSLB > Services and double-click the service.
  2. Click the Other Settings section and select the Down State Flush option.

Manage local DNS traffic by using DNS policies

You can use DNS policies to implement site affinity by directing traffic from the IP address of a local DNS resolver or network to a predefined target GSLB site. This is configured by creating DNS policies with DNS expressions and binding the policies globally on the Citrix ADC appliance.

DNS expressions

The Citrix ADC appliance provides certain predefined DNS expressions that can be used for configuring actions specific to a domain. Such actions can, for example, drop certain requests, select a specific view for a specific domain, or redirect certain requests to a specific location.

These DNS expressions (also called rules) are combined to create DNS policies that are then bound globally on the Citrix ADC appliance.

Following is the list of predefined DNS qualifiers available on the Citrix ADC appliance:

  • CLIENT.UDP.DNS.DOMAIN.EQ("domainname")
  • CLIENT.UDP.DNS.IS_AREC
  • CLIENT.UDP.DNS.IS_AAAAREC
  • CLIENT.UDP.DNS.IS_SRVREC
  • CLIENT.UDP.DNS.IS_MXREC
  • CLIENT.UDP.DNS.IS_SOAREC
  • CLIENT.UDP.DNS.IS_PTRREC
  • CLIENT.UDP.DNS.IS_CNAME
  • CLIENT.UDP.DNS.IS_NSREC
  • CLIENT.UDP.DNS.IS_ANYREC

The CLIENT.UDP.DNS.DOMAIN expression can be combined with string operators. Any domain name used as part of the expression must be fully qualified, that is, it must end with a period (.). For example: CLIENT.UDP.DNS.DOMAIN.ENDSWITH("abc.com.")

To create an expression by using the configuration utility

  1. Click the icon next to the Expression text box, and then click Add. (Leave the Flow Type and Protocol drop-down list boxes empty.) Then create a rule as follows.
  2. In the Qualifier box, select a qualifier (for example, LOCATION).
  3. In the Operator box, select an operator (for example, ==).
  4. In the Value box, type a value (for example, Asia, Japan….).
  5. Click OK. Click Create and click Close. The rule is created.
  6. Click OK.

Configure DNS actions

A DNS policy includes the name of a DNS action to be performed when the policy rule evaluates to TRUE. A DNS action can do one of the following:

  • Send the client an IP address for which you have configured a DNS view. For more information about DNS views, see Adding DNS Views.
  • Send the client the IP address of a GSLB service after referring to a list of preferred locations that overrides static proximity behavior. For more information about preferred locations, see Overriding Static Proximity Behavior by Configuring Preferred Locations.
  • Send the client a specific IP address as determined by the evaluation of the DNS query or response (DNS response rewrite).
  • Forward a request to the name server without performing a lookup in the appliance’s DNS cache.
  • Drop a request.

You cannot create a DNS action for dropping a DNS request or for bypassing the DNS cache on the appliance. If you want to drop a DNS request, use the built-in action, dns_default_act_Drop. If you want to bypass the DNS cache, use the built-in action, dns_default_act_Cachebypass. Both actions are available along with custom actions in the Create DNS Policy and the Configure DNS Policy dialog boxes. These built-in actions cannot be modified or removed.

To configure a DNS action by using the command line interface

At the command prompt, type the following commands to configure a DNS action and verify the configuration:

add dns action <actionName> <actionType> (-IPAddress <ip_addr | ipv6_addr> ... | -viewName <string> | -preferredLocList <string> ...) [-TTL <secs>]

show dns action [<actionName>]

Examples

Example 1: Configuring DNS Response Rewrite. The following DNS action sends the client a preconfigured IP address when the policy to which the action is bound evaluates to true:

add dns action dns_act_response_rewrite Rewrite_Response -IPAddress 192.0.2.20 192.0.2.56 198.51.100.10
 Done

show dns action dns_act_response_rewrite
1)  ActionName:  dns_act_response_rewrite ActionType:  Rewrite_Response TTL:  3600               IPAddress:  192.0.2.20 192.0.2.56 198.51.100.10
 Done

Example 2: Configuring a DNS-View Based Response. The following DNS action sends the client an IP address for which you have configured a DNS view:

add dns action send_ip_from_view_internal_ip ViewName -viewName view_internal_ip
Done

show dns action send_ip_from_view_internal_ip
1)  ActionName:  send_ip_from_view_internal_ip ActionType:  ViewName    ViewName:  view_internal_ip
 Done

Example 3: Configuring a Response Based on a Preferred Location List. The following DNS action sends the client the IP address that corresponds to the preferred location that it selects from the specified list of locations:

add dns action send_preferred_location GslbPrefLoc -preferredLocList NA.tx.ns1.*.*.* NA.tx.ns2.*.*.* NA.tx.ns3.*.*.*
Done

show dns action  send_preferred_location
1)  ActionName:  send_preferred_location ActionType:  GslbPrefLoc PreferredLocList:  "NA.tx.ns1.*.*.*" "NA.tx.ns2.*.*.*" "NA.tx.ns3.*.*.*"
 Done

To configure a DNS action by using the Citrix ADC configuration utility

  1. Navigate to Traffic Management > DNS > Actions, and then create or edit a DNS action.
  2. In the Create DNS Action or Configure DNS Action dialog box, set the following parameters:
    • Action Name (cannot be changed for an existing DNS action)
    • Type (cannot be changed for an existing DNS action). To set the Type parameter, do one of the following:
      • To create a DNS action that is associated with a DNS view, select View Name. Then, from the View Name list, select the DNS view that you want to use in the action.
      • To create a DNS action with a preferred location list, select Preferred Location List. In Preferred Location, enter a location, and then click Add. Add as many DNS locations as you want.
      • To configure a DNS action for rewriting a DNS response on the basis of policy evaluation, select Rewrite Response. In IP Address, enter an IP address, and then click Add. Add as many IP addresses as you want.
    • TTL (applicable only to the Rewrite Response action type)

Configure DNS policies

DNS policies operate on a location database that uses static and custom IP addresses. The attributes of the incoming local DNS request are defined as part of an expression, and the target site is defined as part of a DNS policy. While defining actions and expressions, you can use a pair of single quotation marks (‘’) as a wildcard qualifier to specify more than one location. When a DNS policy is configured and a GSLB request is received, the custom IP address database is first queried for an entry that defines the location attributes for the source:

  • When a DNS query comes from an LDNS, the characteristics of the LDNS are evaluated against the configured policies. If they match, an appropriate action (site affinity) is executed. If the LDNS characteristics match more than one site, the request is load balanced between the sites that match the LDNS characteristics.
  • If the entry is not found in the custom database, the static IP address database is queried for an entry, and if there is a match, the above policy evaluation is repeated.
  • If the entry is not found in either the custom or static databases, the best site is selected and sent in the DNS response on the basis of the configured load balancing method.

The following restrictions apply to DNS policies created on the Citrix ADC appliance.

  • A maximum of 64 policies are supported.

  • DNS policies are global to the Citrix ADC appliance and cannot be applied to a specific virtual server or domain.

  • Domain or virtual server specific binding of policy is not supported.

You can use DNS policies to direct clients that match a certain IP address range to a specific site. For example, if you have a GSLB setup with multiple GSLB sites that are separated geographically, you can direct all clients whose IP address is within a specific range to a particular data center.

Both TCP-based and UDP-based DNS traffic can be evaluated. Policy expressions are available for UDP-based DNS traffic on the server side, and for both UDP-based and TCP-based DNS traffic on the client side. Additionally, you can configure expressions to evaluate queries and responses that involve only the following DNS question types (QTYPE values):

  • A
  • AAAA
  • NS
  • SRV
  • PTR
  • CNAME
  • SOA
  • MX
  • ANY

The following response codes (RCODE values) are also supported:

  • NOERROR - No error
  • FORMERR - Format error
  • SERVFAIL - Server failure
  • NXDOMAIN - Non-existent domain
  • NOTIMP - Query type not implemented
  • REFUSED - Query refused

You can configure expressions to evaluate DNS traffic. A DNS expression begins with the DNS.REQ or DNS.RES prefixes. Functions are available for evaluating the queried domain, the query type, and the carrier protocol. For more information about DNS expressions, see “Expressions for Evaluating a DNS Message and Identifying Its Carrier Protocol” in “Policy Configuration and Reference”.

To add a DNS policy by using the command line interface

At the command prompt, type the following commands to create a DNS policy and verify the configuration:

add dns policy <name> <rule> <actionName>
show dns policy <name>

Example:

> add dns policy policy-GSLB-1 'CLIENT.UDP.DNS.DOMAIN.EQ("domainname")' my_dns_action
 Done
> show dns policy policy-GSLB-1
    Name: policy-GSLB-1
    Rule: CLIENT.UDP.DNS.DOMAIN.EQ("domainname")
    Action Name: my_dns_action
    Hits: 0
    Undef Hits: 0

 Done

To remove a configured DNS policy by using the command line interface

At the command prompt, type:

rm dns policy <name>

To configure a DNS policy by using the Citrix ADC configuration utility

  1. Navigate to Traffic Management > DNS > Policies and create a DNS policy.
  2. In the Create DNS Policy or Configure DNS Policy dialog box, set the following parameters:
    • Policy Name (cannot be changed for an existing policy)
    • Action
    • Expression. To specify an expression, do the following:
      1. Click Add, and then, in the drop-down box that appears, select the expression element with which you want to begin the expression. A second list appears. The list contains the set of expression elements that you can use immediately after the first expression element.
      2. In the second list, select the expression element that you want, and then enter a period.
      3. After each selection, if you enter a period, the next set of valid expression elements appear in a list. Select expression elements and fill in arguments to functions until you have the expression you want.
  3. Click Create or OK, and then click Close.

Bind DNS policies

DNS policies are bound globally on the Citrix ADC appliance and are available for all configured GSLB virtual servers. Even though DNS policies are globally bound, policy execution can be limited to a specific GSLB virtual server by specifying the domain in the expression.

Note: Even though the bind dns global command accepts REQ_OVERRIDE and RES_OVERRIDE as valid bind points, those bind points are redundant, because DNS policies can be bound only globally. Bind your DNS policies only to the REQ_DEFAULT and RES_DEFAULT bind points.

To bind a DNS policy globally by using the command line interface

At the command prompt, type the following commands to bind a DNS policy globally and verify the configuration:

bind dns global <policyName> <priority> [-gotoPriorityExpression <string>] [-type <type>]
show dns global -type <type>

Example:

bind dns global policy-GSLB-1 10 -gotoPriorityExpression END
 Done
show dns global -type REQ_DEFAULT
1)  Policy Name: policy-GSLB-1
    Priority: 10
    GotoPriorityExpression: END
 Done
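To make the global binding order concrete, the following is an added model (not Citrix code) of how a bank of globally bound DNS policies is walked for one query, using the predefined CLIENT.UDP.DNS qualifiers and the action names from this page. It assumes the usual ADC semantics that lower priority values are evaluated first, that gotoPriorityExpression END stops evaluation and NEXT continues with the next policy, and it uses a constructed sample policy bank.

```python
import re
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    rule: str
    action: str
    priority: int      # value given on "bind dns global <policyName> <priority>"
    goto: str = "END"  # -gotoPriorityExpression: END stops, NEXT continues (assumed)


# Constructed sample bank built from the action names used on this page.
POLICIES = [
    Policy("policy-drop-any", "CLIENT.UDP.DNS.IS_ANYREC",
           "dns_default_act_Drop", 10),
    Policy("policy-corp-view", 'CLIENT.UDP.DNS.DOMAIN.ENDSWITH("abc.com.")',
           "send_ip_from_view_internal_ip", 20, "NEXT"),
    Policy("policy-rewrite-www", 'CLIENT.UDP.DNS.DOMAIN.EQ("www.abc.com.")',
           "dns_act_response_rewrite", 30),
]

DOMAIN_RULE = re.compile(r'CLIENT\.UDP\.DNS\.DOMAIN\.(EQ|ENDSWITH)\("([^"]*)"\)')
QTYPE_RULE = re.compile(r"CLIENT\.UDP\.DNS\.IS_(\w+?)(?:REC)?")


def evaluate_rule(rule: str, qname: str, qtype: str) -> bool:
    """Evaluate one predefined CLIENT.UDP.DNS.* qualifier against a fully
    qualified query name (trailing dot) and a QTYPE string such as "A"."""
    m = DOMAIN_RULE.fullmatch(rule)
    if m:
        op, literal = m.groups()
        if not literal.endswith("."):
            # Domain literals in DNS expressions must end with a period.
            raise ValueError(f"domain literal {literal!r} must end with a period")
        return qname == literal if op == "EQ" else qname.endswith(literal)
    m = QTYPE_RULE.fullmatch(rule)
    if m:
        return qtype == m.group(1)  # A, AAAA, SRV, MX, SOA, PTR, CNAME, NS, ANY
    raise ValueError(f"unsupported rule {rule!r}")


def evaluate(policies, qname: str, qtype: str) -> list:
    """Walk the global bindings in ascending priority and return the actions hit.
    An empty list means no policy matched and the GSLB load balancing method decides."""
    hits = []
    for pol in sorted(policies, key=lambda p: p.priority):
        if evaluate_rule(pol.rule, qname, qtype):
            hits.append(pol.action)
            if pol.goto == "END":
                break
    return hits
```

A misconfigured domain literal without the trailing period raises at evaluation time rather than silently never matching.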

To bind a DNS policy globally by using the configuration utility

  1. Navigate to Traffic Management > DNS > Policies.
  2. In the details pane, click Global Bindings.
  3. In the Bind/Unbind DNS Policy(s) to Global dialog box, click Insert Policy.
  4. In the Policy Name column, select, from the list, the policy that you want to bind. Alternatively, in the list, click New Policy, and then create a DNS policy by setting parameters in the Create DNS Policy dialog box.
  5. To modify a policy that is already bound globally, click the name of the policy, and then click Modify Policy. Then, in the Configure DNS Policy dialog box, modify the policy, and then click OK.
  6. To unbind a policy, click the name of the policy, and then click Unbind Policy.
  7. To modify the priority assigned to a policy, double-click the priority value, and then enter a new value.
  8. To regenerate assigned priorities, click Regenerate Priorities. The priority values are modified to begin at 100, with increments of 10, without affecting the order of evaluation.
  9. Click OK.

To view the global bindings of a DNS policy by using the command line interface

At the command prompt, type:

show dns global

To view the global bindings of a DNS policy by using the configuration utility

  1. Navigate to Traffic Management > DNS > Policies.
  2. In the details pane, click Global Bindings. The global bindings of all DNS policies appear in this dialog box.

Adding DNS Views

You can configure DNS views to identify various types of clients and provide an appropriate IP address to a group of clients who query for the same GSLB domain. DNS views are configured by using DNS policies that select the IP addresses sent back to the client.

For example, if you have configured GSLB for your company’s domain and have the server hosted in your company’s network, clients querying for the domain from within your company’s internal network can be provided with the server’s internal IP address instead of the public IP address. Clients that query DNS for the domain from the Internet, on the other hand, can be provided the domain’s public IP address.

To add a DNS view, you assign it a name of up to 31 characters. The leading character must be a number or letter. The following characters are also allowed: @ _ - . (period) : (colon) # and space ( ). After adding the view, you configure a policy to associate it with clients and a part of the network, and you bind the policy globally. To configure and bind a DNS policy, see Managing Local DNS Traffic by Using DNS Policies.

To add a DNS view by using the command line interface

At the command prompt, type the following commands to create a DNS view and verify the configuration:

add dns view <viewName>
show dns view <viewName>

Example:

add dns view PrivateSubnet
show dns view PrivateSubnet

To remove a DNS view by using the command line interface

At the command prompt, type:

rm dns view <viewName>

To add a DNS view by using the configuration utility

Navigate to Traffic Management > DNS > Views and add a DNS view.

For details on how to create a DNS policy and how to bind DNS policies globally, see Managing Local DNS Traffic by Using DNS Policies.
