
Load balance a group of SIP servers

The Session Initiation Protocol (SIP) is designed to initiate, manage, and terminate multimedia communications sessions. It has emerged as the standard for Internet telephony (VoIP). SIP messages can be transmitted over TCP or UDP. SIP messages are of two types: request messages and response messages.

The traffic in a SIP-based communication system is routed through dedicated devices and applications (entities). In a multimedia communication session, these entities exchange messages. The following figure shows a basic SIP-based communication system:

Figure 1. SIP Based Communication System


A Citrix ADC enables you to load balance SIP messages over UDP or over TCP (including TLS). You can configure the Citrix ADC to load balance SIP requests to a group of SIP proxy servers. To do so, you create a load balancing virtual server with the load balancing method and the type of persistence set to one of the following combinations:

  • Call-ID hash load balancing method with no persistence setting
  • Call-ID based persistence with least connection or round robin load balancing method
  • Rule based persistence with least connection or round robin load balancing method

Also, by default, the Citrix ADC appends RPORT to the Via header of the SIP request, so that the server sends the response back to the source IP address and port from which the request originated.

Note: For load balancing to work, you must configure the SIP proxies so that they do not add private IP addresses or private domains to the SIP header/payload. SIP proxies must add to the SIP header a domain name that resolves to the IP address of the SIP virtual server. Also, the SIP proxies must communicate with a common database to share registration information.
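As an added illustration (not Citrix ADC code; the server pool and the INVITE are constructed, and SHA-256 is a stand-in for whatever hash the appliance uses internally), the following Python models the two behaviours described above: choosing a back-end proxy by hashing the Call-ID, and adding the rport flag (RFC 3581) to the topmost Via header.

```python
"""Model of two things the page says the ADC does with a SIP request: choose a
back-end proxy by hashing Call-ID, and add the rport flag (RFC 3581) to the
topmost Via header. Added illustration, not ADC code; data is constructed."""
import hashlib
SERVERS = ["192.168.1.6:5060", "192.168.1.5:5060"]  # constructed pool of SIP services

# Constructed INVITE as a client behind the ADC might send it.
INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.7:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.7\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_headers(raw: str) -> dict:
    """Map lower-cased header name -> first value; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers

def pick_server_by_call_id(raw: str, servers=SERVERS) -> str:
    """Call-ID hash method: every request of one dialog hashes to the same
    server, which is why no separate persistence setting is needed.
    SHA-256 is a stand-in; the ADC's internal hash is not documented here."""
    call_id = parse_headers(raw)["call-id"]
    digest = hashlib.sha256(call_id.encode()).digest()
    return servers[int.from_bytes(digest[:4], "big") % len(servers)]

def add_rport(raw: str) -> str:
    """Append ;rport to the topmost Via unless the client already sent it, so
    the proxy answers to the source IP and port the request came from."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    for i, line in enumerate(lines):
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):            # "v" is the compact form
            params = [p.strip() for p in value.split(";")[1:]]
            if not any(p == "rport" or p.startswith("rport=") for p in params):
                lines[i] = line + ";rport"
            break                                            # only the top Via
    return "\r\n".join(lines) + sep + body

if __name__ == "__main__":
    print(pick_server_by_call_id(INVITE))
    print(add_rport(INVITE).split("\r\n")[1])
```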

Server Initiated Traffic

For SIP-server initiated outbound traffic, configure RNAT on the Citrix ADC so that the private IP addresses used by the clients are translated into public IP addresses.

If you have configured SIP parameters that include the RNAT source or destination port, the appliance compares the source and destination ports of the request packets with the RNAT source port and RNAT destination port. If one of the values matches, the appliance updates the Via header with RPORT. The SIP response from the client then traverses the same path as the request.

For server-initiated SSL traffic, the Citrix ADC uses a built-in certificate-key pair. If you want to use a custom certificate-key pair, bind the custom certificate-key pair to the Citrix ADC internal service named nsrnatsip-127.0.0.1-5061.

Support for Policies and Expressions

The Citrix ADC default expressions language contains a number of expressions that operate on Session Initiation Protocol (SIP) connections. These expressions can be bound only to SIP-based (sip_udp, sip_tcp or sip_ssl) virtual servers, and to global bind points. You can use these expressions in content switching, rate limiting, responder, and rewrite policies.

Configuring Load Balancing for SIP Signaling Traffic over TCP or UDP

The Citrix ADC can load balance SIP servers that send requests over UDP or TCP, including TCP traffic secured by TLS. The ADC provides the following service types to load balance the SIP servers:

  • SIP_UDP – Used when SIP servers send SIP messages over UDP.
  • SIP_TCP – Used when SIP servers send SIP messages over TCP.
  • SIP_SSL – Used to secure SIP signaling traffic over TCP by using SSL or TLS. The Citrix ADC supports the following modes:
    • End-to-end TLS connection between the client, the ADC, and the SIP server.
    • TLS connection between the client and the ADC, and TCP connection between the ADC and the SIP server.
    • TCP connection between the client and the ADC, and TLS connection between the ADC and the SIP server.

The following figure shows the topology of a setup configured to load balance a group of SIP servers sending SIP messages over TCP or UDP.

Figure 2. SIP Load Balancing Topology


| Entity type    | Name          | IP address   | Port | Service type / Protocol     |
|----------------|---------------|--------------|------|-----------------------------|
| Virtual Server | Vserver-LB-1  | 10.102.29.65 | 80   | SIP_UDP / SIP_TCP / SIP_SSL |
| Services       | Service-SIP-1 | 192.168.1.6  | 80   | SIP_UDP / SIP_TCP / SIP_SSL |
|                | Service-SIP-2 | 192.168.1.5  | 80   | SIP_UDP / SIP_TCP / SIP_SSL |
| Monitors       | Default       | None         | 80   | SIP_UDP / SIP_TCP / SIP_SSL |

Following is an overview of configuring basic load balancing for SIP traffic:

  1. Configure services, and configure a virtual server for each type of SIP traffic that you want to load balance:

    • SIP_UDP – If you are load balancing the SIP traffic over UDP.
    • SIP_TCP – If you are load balancing the SIP traffic over TCP.
    • SIP_SSL – If you are load balancing and securing the SIP traffic over TCP.

    Note: If you use SIP_SSL, be sure to create an SSL certificate-key pair. For more information, see Adding a Certificate Key Pair.

  2. Bind the services to the virtual servers.

  3. If you want to monitor the states of the services with a monitor other than the default (tcp-default), create a custom monitor and bind it to the services. The Citrix ADC provides two custom monitor types, SIP-UDP and SIP-TCP, for monitoring SIP services.

  4. If using a SIP_SSL virtual server, bind an SSL certificate-key pair to the virtual server.

  5. If you are using the Citrix ADC as the gateway for the SIP servers in your deployment, configure RNAT.

  6. If you want to append RPORT to the SIP messages that are initiated from the SIP server, configure the SIP parameters.

To configure a basic load balancing setup for SIP traffic by using the command line interface

Create one or more services. At the command prompt, type:

add service <name> (<IPAddress> | <serverName>) (SIP_UDP | SIP_TCP | SIP_SSL) <port>

Example:

add service Service-SIP-UDP-1 192.0.2.5 SIP_UDP 80

Create as many virtual servers as necessary to handle the services that you created. The virtual server type must match the type of services that you will bind to it. At the command prompt, type:

add lb vserver <name> (SIP_UDP | SIP_TCP | SIP_SSL) <IPAddress> <port>

Example:

add lb vserver Vserver-LB-1 SIP_UDP 10.102.29.60 80

Bind each service to a virtual server. At the command prompt, type:

bind lb vserver <name> <serviceName>

Example:

bind lb vserver Vserver-LB-1 Service-SIP-UDP-1

(Optional) Create a custom monitor of type SIP-UDP or SIP-TCP, and bind the monitor to the service. At the command prompt, type:

add lb monitor <monitorName> (SIP-UDP | SIP-TCP) [<interval>]

bind lb monitor <monitorName> <serviceName>

Example:

add lb monitor mon1 SIP-UDP -sipMethod REGISTER -sipuRI sip:mon@test.com -sipregURI sip:mon@test.com -respcode 200

bind lb monitor mon1 Service-SIP-UDP-1

If you created a SIP_SSL virtual server, bind an SSL certificate-key pair to the virtual server. At the command prompt, type:

bind ssl vserver <vServerName> -certkeyName <certificate-KeyPairName> [-CA -skipCAName]

Example:

bind ssl vserver Vserver-LB-1 -certkeyName CertKey-SSL-1

Configure RNAT as required by your network topology. At the command prompt, type one of the following commands, depending on the condition that selects the traffic and the NAT IP address you want to use:

  • Network address as the condition, SNIP as the NAT IP address:

set rnat <IPAddress> <netmask>

  • Network address as the condition, unique IP address as the NAT IP address:

set rnat <IPAddress> <netmask> -natIP <NATIPAddress>

  • ACL as the condition, SNIP as the NAT IP address:

set rnat <aclname> [-redirectPort <port>]

  • ACL as the condition, unique IP address as the NAT IP address:

set rnat <aclname> [-redirectPort <port>] -natIP <NATIPAddress>

Example:

set rnat 192.168.1.0 255.255.255.0 -natIP 10.102.29.50

If you want to use a custom certificate-key pair for server-initiated SSL traffic, bind the custom certificate-key pair to the Citrix ADC internal service named nsrnatsip-127.0.0.1-5061. At the command prompt, type:

add ssl certKey <certkeyName> -cert <string> [-key <string>]

bind ssl service <serviceName> -certkeyName <string>

Example:

add ssl certKey c1 -cert cert.epm -key key.ky

bind ssl service nsrnatsip-127.0.0.1-5061 -certkeyName c1

If you want to append RPORT to the SIP messages that the SIP server initiates, type the following command at the command prompt:

set lb sipParameters -rnatSrcPort <rnatSrcPort> -rnatDstPort <rnatDstPort> -retryDur <integer> -addRportVip <addRportVip> -sip503RateThreshold <sip503_rate_threshold_value>

Sample Configuration for load balancing the SIP traffic over UDP

add service service-UDP-1 10.102.29.5 SIP_UDP 80
Done

add lb vserver vserver-LB-1 SIP_UDP 10.102.29.60 80
Done

bind lb vserver vserver-LB-1 service-UDP-1
Done

add lb monitor mon1 SIP-UDP -sipMethod REGISTER -sipuRI sip:mon@test.com -sipregURI sip:mon@test.com -respcode 200
Done

bind lb monitor mon1 service-UDP-1
Done

set rnat 192.168.1.0 255.255.255.0
Done

set lb sipParameters -rnatSrcPort 5060 -rnatDstPort 5060 -retryDur 1000 -addRportVip ENABLED -sip503RateThreshold 1000
Done

Sample Configuration for load balancing the SIP traffic over TCP

add service service-TCP-1 10.102.29.5 SIP_TCP 80
Done

add lb vserver vserver-LB-1 SIP_TCP 10.102.29.60 80
Done

bind lb vserver vserver-LB-1 service-TCP-1
Done

add lb monitor mon1 SIP-TCP -sipMethod REGISTER -sipuRI sip:mon@test.com -sipregURI sip:mon@test.com -respcode 200
Done

bind lb monitor mon1 service-TCP-1
Done

set rnat 192.168.1.0 255.255.255.0
Done

set lb sipParameters -rnatSrcPort 5060 -rnatDstPort 5060 -retryDur 1000 -addRportVip ENABLED -sip503RateThreshold 1000
Done

Sample Configuration for load balancing and securing SIP traffic over TCP

add service service-SIP-SSL-1 10.102.29.5 SIP_SSL 80
Done

add lb vserver vserver-LB-1 SIP_SSL 10.102.29.60 80
Done

bind lb vserver vserver-LB-1 service-SIP-SSL-1
Done

add lb monitor mon1 SIP-TCP -sipMethod REGISTER -sipuRI sip:mon@test.com -sipregURI sip:mon@test.com -respcode 200
Done

bind lb monitor mon1 service-SIP-SSL-1
Done

bind ssl vserver vserver-LB-1 -certkeyName CertKey-SSL-1
Done

set rnat 192.168.1.0 255.255.255.0
Done

set lb sipParameters -rnatSrcPort 5060 -rnatDstPort 5060 -retryDur 1000 -addRportVip ENABLED -sip503RateThreshold 1000
Done

To configure a basic load balancing setup for SIP traffic by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and add a virtual server of type SIP_UDP, SIP_TCP, or SIP_SSL.

  2. Click the Service section, and add a service of type SIP_UDP, SIP_TCP, or SIP_SSL.

  3. (Optional) Click the Monitor section, and add a monitor of type SIP-UDP or SIP-TCP.

  4. Bind the monitor to the service, and bind the service to the virtual server.

  5. If you created a SIP_SSL virtual server, click the Certificates section and bind an SSL certificate-key pair to the virtual server.

  6. Configure RNAT as required by your network topology. To configure RNAT:

    1. Navigate to System > Network > Routes.
    2. On the Routes page, click the RNAT tab.
    3. In the details pane, click Configure RNAT.
    4. In the Configure RNAT dialog box, do one of the following:
      • If you want to use the network address as a condition for creating an RNAT entry, click Network and set the following parameters:
        • Network
        • Netmask
      • If you want to use an extended ACL as a condition for creating an RNAT entry, click ACL and set the following parameters:
        • ACL Name
        • Redirect Port
    5. To set a SNIP address as a NAT IP address, skip to step 7.
    6. To set a unique IP address as the NAT IP, in the Available NAT IP(s) list, select the IP address that you want to set as the NAT IP, and then click Add. The NAT IP you selected appears in the Configured NAT IP(s) list.
    7. Click Create, and then click Close.

    If you want to use a custom certificate-key pair, bind the custom certificate-key pair to the Citrix ADC internal service named nsrnatsip-127.0.0.1-5061. To bind the pair:

    1. Navigate to Traffic Management > Load Balancing > Services and click the Internal Services tab.
    2. Select nsrnatsip-127.0.0.1-5061 and click Edit.
    3. Click the Certificates section and bind a certificate key pair to the internal service.
  7. If you want to append RPORT to the SIP messages that the SIP server initiates, configure the SIP parameters: navigate to Traffic Management > Load Balancing, click Change SIP settings, and set the SIP parameters.

SIP Expression and Policy Example: Compression Enabled in Client Requests

A Citrix ADC cannot process compressed client SIP requests, so the client SIP request fails.

You can configure a responder policy that intercepts the SIP NEGOTIATE message from the client and looks for the compression header. If the message includes a compression header, the policy responds with “400 Bad Request,” so that the client resends the request without compressing it.

At the command prompt, type the following commands to create the responder policy:

add responder action sipaction1 respondwith q{"SIP/2.0 400 Bad Request\r\n\r\n"}
Done

add responder policy sippol1 q{SIP.REQ.METHOD.EQ("NEGOTIATE") && SIP.REQ.HEADER("Compression").EXISTS} sipaction1