SSL service monitoring

The NetScaler appliance has built-in secure monitors, TCPS and HTTPS. You can use the secure monitors to monitor HTTP as well as non-HTTP traffic. To configure a secure HTTP monitor, select the monitor type as HTTP, and then set the secure flag. To configure a secure TCP monitor, select the monitor type as TCP, and then set the secure flag. The secure monitors work as described below:

  • Secure TCP monitoring. The NetScaler appliance establishes a TCP connection. After the connection is established, the appliance performs an SSL handshake with the server. After the handshake is over, the appliance closes the connection.
  • Secure HTTP monitoring. The NetScaler appliance establishes a TCP connection. After the connection is established, the appliance performs an SSL handshake with the server. When the SSL connection is established, the appliance sends HTTP requests over the encrypted channel and checks the response codes.

The following table describes the available built-in monitors for monitoring SSL services.

| Monitor type | Probe | Success criteria (Direct condition) |
|---|---|---|
| TCP | TCP connection; SSL handshake | A successful TCP connection is established and a successful SSL handshake is performed. |
| HTTP | TCP connection; SSL handshake; encrypted HTTP request | A successful TCP connection is established, a successful SSL handshake is performed, and the expected HTTP response code is received in the encrypted server HTTP response. |
| TCP-ECV | TCP connection; SSL handshake (data sent to a server is encrypted) | A successful TCP connection is established, a successful SSL handshake is performed, and the expected TCP data is received from the server. |
| HTTP-ECV | TCP connection; SSL handshake (encrypted HTTP request) | A successful TCP connection is established, a successful SSL handshake is performed, and the expected HTTP data is received from the server. |

Sample configuration for HTTPS-ECV health check monitor

HTTP services have predefined monitors capable of Extended Content Verification (ECV). These monitors are used when a validation is required beyond a successful TCP connection. These monitors validate the service as UP, when all the following criteria are met:

  • A successful TCP connection.
  • A particular type of request must be generated.
  • The reply contains the specific message configured as the Receive String.

For these monitors, a request string is configured along with a reply string. If the reply string received by the NetScaler monitor matches the configured string, then the service is marked UP.

Bind a monitor to a service by using the GUI

  1. Navigate to Traffic Management > Load Balancing > Services, create a service, and specify the protocol as SSL. Click OK.
  2. Click in the Service to Load Balancing Monitor Binding pane, and click Add Binding.
  3. Choose the monitor type as HTTPS-ECV and click Edit.
  4. In the Configure Monitor pane under Basic Parameters tab, enter values for the following parameters:
    • Send String – The string that the monitor must send to the service.
    • Receive String – The string that the monitor must receive to mark the service as UP.
  5. Click OK to complete the monitor configuration.
  6. Click Select.
  7. Click Bind to bind the HTTPS-ECV monitor to the service.
  8. Click Close.

Note

Prior to NetScaler release 12.0 build 56.20, Basic Parameters and Advanced Parameters are named Standard Parameters and Special Parameters respectively.

Bind a monitor to a service by using the CLI

At the command prompt, type:

bind service <servicename> -monitorName https-ecv

Example:

bind service s1 -monitorName https-ecv
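
The GUI procedure above sets a Send String and a Receive String, which the bind command alone does not show. The following CLI sequence is an added example, not part of the original page: it creates a user-defined HTTP-ECV monitor with the secure flag set and binds it to an SSL service. The service name, IP address, monitor name, request path, and expected string are all placeholders constructed for illustration.

```netscaler
# Constructed example: svc-ssl-example, 192.0.2.10, mon-https-ecv-example,
# "/health" and "OK" are placeholders, not values from the original page.

# SSL service that the monitor will probe.
add service svc-ssl-example 192.0.2.10 SSL 443

# HTTP-ECV monitor with -secure YES, so the request is sent only after the
# TCP connection and SSL handshake succeed. -send is the Send String and
# -recv is the Receive String from the GUI procedure.
add lb monitor mon-https-ecv-example HTTP-ECV -send "GET /health" -recv "OK" -secure YES

# Bind the monitor to the service.
bind service svc-ssl-example -monitorName mon-https-ecv-example

# Check the monitor settings and the resulting service state.
show lb monitor mon-https-ecv-example
show service svc-ssl-example
```

Choose a Receive String that appears only in a healthy response from the application, because a string that also occurs on error pages would cause a failing backend to be marked UP.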