Set up a load-balanced Web Studio deployment

To set up highly available Web Studio deployments, you can choose tools such as NetScaler ADC or Windows Network Load Balancing. This article provides a step-by-step guide on how to set up a load-balanced Web Studio deployment using a NetScaler ADC appliance.

HA Web Studio diagram

Certificate requirements

Before buying a certificate from a commercial certificate authority or issuing one from your enterprise certificate authority, consider the following options based on your needs:

Option 1: Use a *.example.com wildcard certificate on both the NetScaler ADC appliance load balancer server and the Web Studio servers.

  Pros:
  • Simplifies configuration
  • Easier to manage (single certificate)
  • Can add new subdomains without updating the certificate

  Cons:
  • If the wildcard certificate is compromised, all subdomains are at risk
  • Not all applications support wildcard certificates
  • Might be more expensive than individual certificates

Option 2: Use a certificate with Subject Alternative Names (SANs) on both the NetScaler ADC appliance load balancer server and the Web Studio servers.

  Pros:
  • Flexible, can include multiple specific domains and subdomains
  • Centralizes management for multiple domains
  • Supports multiple distinct names, providing more flexibility than wildcards

  Cons:
  • Managing SAN entries can become complex as the number of domains increases
  • Adding new domains requires reissuing the certificate
  • Limited by the number of SAN entries supported by the CA

Option 3: Use a certificate for each Web Studio server and the NetScaler ADC appliance load balancer server.

  Pros:
  • Each server is independently secured
  • Compromise of one certificate does not affect others
  • Can use specific certificates tailored to each server’s needs

  Cons:
  • Higher administrative overhead, as each certificate must be managed separately
  • More certificates to renew and potentially higher costs
  • Must ensure all certificates are consistently configured
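
The following added example (not part of the original article or of any Citrix tooling) checks which hostnames a certificate's SAN list actually covers, using the RFC 6125 rule that a wildcard stands for exactly one leftmost label. Only webstudio.example.com and *.example.com come from this article; the node FQDNs and the SAN lists are constructed for illustration.

```python
# Added example: check which hostnames a certificate's SAN list covers.
# Wildcard handling follows the RFC 6125 rule: "*" is honoured only as the
# entire leftmost label and stands for exactly one label.

def _labels(name: str) -> list[str]:
    return name.rstrip(".").lower().split(".")

def san_matches(pattern: str, hostname: str) -> bool:
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Conservative choice in this example: reject "*.com"-style patterns.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h  # partial wildcards such as "st*" are treated as literals

def uncovered(san_entries: list[str], hostnames: list[str]) -> list[str]:
    """Return the hostnames that no SAN entry matches."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in san_entries)]

# Constructed inventory: the VIP FQDN is the article's example; the node
# FQDNs are assumed names for Studio-eu-1 and Studio-eu-2.
DEPLOYMENT = [
    "webstudio.example.com",
    "studio-eu-1.example.com",
    "studio-eu-2.example.com",
]

# Constructed SAN lists, one per certificate option.
OPTION_1_WILDCARD = ["*.example.com"]
OPTION_2_SAN = ["webstudio.example.com", "studio-eu-1.example.com"]  # node 2 added later
OPTION_3_NODE_1 = ["studio-eu-1.example.com"]  # per-server certificate

def report() -> dict[str, list[str]]:
    return {
        "option 1 (wildcard)": uncovered(OPTION_1_WILDCARD, DEPLOYMENT),
        "option 2 (SAN)": uncovered(OPTION_2_SAN, DEPLOYMENT),
        "option 3 (node 1 only)": uncovered(OPTION_3_NODE_1, DEPLOYMENT),
    }

if __name__ == "__main__":
    for name, missing in report().items():
        print(f"{name}: uncovered = {missing or 'none'}")
    # A wildcard does not reach nested subdomains or the bare domain.
    print(san_matches("*.example.com", "studio-eu-1.emea.example.com"))
    print(san_matches("*.example.com", "example.com"))
```

An empty list means every name in the inventory is covered. The Option 2 result shows the reissue that a SAN certificate needs when a node is added after issuance.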

Configure the server certificate on the load balancer

  1. Log on to the NetScaler ADC appliance management GUI.
  2. Select Traffic Management > SSL > Certificates > Server Certificates.
  3. Click Install.
  4. On the Install Server Certificate page, enter a Certificate-Key Pair Name, click Choose File, and then browse for the certificate file. If the certificate file doesn’t include the private key, select a Key File.

    Screenshot of certificate installation screen

Step 1: Add Web Studio server nodes

Add all Web Studio server nodes (for example, Studio-eu-1 and Studio-eu-2) to the load balancer.

  1. Log on to the NetScaler ADC management GUI.
  2. Navigate to Traffic Management > Load Balancing > Servers. Click Add.

  3. Enter the server IP address of a Web Studio server node.

  4. Repeat steps 2–3 to add the other Web Studio servers.

    Screenshot of Servers screen with two servers

Step 2: Add a monitor for Web Studio server nodes

Set up a monitor in the load balancer to check the status of all Web Studio server nodes.

  1. Select Traffic Management > Load Balancing > Monitors > Add.
  2. On the Configuration tab, complete the following settings and leave the other defaults:
    • Enter Web Studio for Name.
    • Select HTTP or SSL for Type.
    • Select the Secure option.
    • Enter HEAD /citrix/studio/ for HTTP Request.


Step 3: Create a service group for Web Studio server nodes

  1. Select Traffic Management > Load Balancing > Service Groups > Add. To connect to the Web Studio servers over HTTPS, select a protocol of SSL, leave other settings as default, and then click OK.

  2. Within your Service Group, under Service Group Members, click No Service Group Member, and then follow these steps to add members:

    1. Click Service Based.
    2. Select all servers that you added previously.
    3. Enter 443 for the port.

      Screenshot of Create service group member page

  3. Add the Monitors section and select the Web Studio monitor you created earlier.

    Screenshot of Monitor screen with a monitor listed

  4. Add the Certificates section and complete the following settings:

    1. Bind the client certificate.
    2. Bind the CA certificate used to sign the server certificate that you imported earlier, and any other CAs that might be part of the PKI chain of trust.

      Add binding screen

  5. Add the Settings section, select Insert Client IP Header, and then enter a header name of X-Forwarded-For. This setting allows the Client IP Address to be used in Policies.

Step 4: Create a virtual server

Create a load-balancer virtual server for users to access the Web Studio server group.

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and then click Add.

  2. Enter a name, select SSL for the Protocol, enter 443 for the Port, and then click OK.

    Screenshot of NetScaler Load Balancing Virtual Server screen

  3. Bind the Service Group you created earlier to the load-balancing virtual server.

  4. Bind the CA certificate that you bound to the service group in Step 3: Create a service group for Web Studio server nodes.

  5. Add the Method section and select the load-balancing method. Common choices for Web Studio load balancing are ROUNDROBIN or LEASTCONNECTION.

    Screenshot of load balancing method section

  6. Add the Persistence section and complete the following settings:

    1. Set the persistence method to COOKIEINSERT.

    2. Set the time-out to be the same as the Session time-out within Web Studio (by default, 20 minutes).

    3. Name the cookie to ease future debugging. For example, NSC_SFPersistence.

    4. Set backup persistence to NONE.

      Screenshot of persistence section

    Note:

    If the client isn’t allowed to store the HTTP cookie, the subsequent requests don’t have the HTTP cookie, and Persistence is not used.

Step 5: Create DNS records for the virtual server

On the Domain Controller, create a DNS and PTR record to map the IP address of the virtual server to an FQDN. Web Studio users within your network use this FQDN to access the Web Studio server group. For example, webstudio.example.com resolves to the load-balancer virtual server IP address (VIP).


Provide this URL for users to access Web Studio servers: https://<FQDN of the virtual server>/<text you entered in the HTTP Request field when creating a monitor>. Example: https://webstudio.example.com/citrix/studio
