Product Documentation

Deploying Citrix NetScaler VPX on Microsoft Azure

Mar 21, 2016

You can now deploy Citrix NetScaler VPX virtual appliance in a Microsoft Azure cloud. The NetScaler VPX virtual appliances are available as an image in the Azure Marketplace. NetScaler VPX on Azure enables customers to leverage Azure cloud computing capabilities and use NetScaler load balancing and traffic management features for their business needs. You can deploy NetScaler VPX instances in Azure either as standalone instances or as high availability pairs in active-active or active-standby modes.

This document assumes that you are familiar with Microsoft Azure terminology and network details. For information about Microsoft Azure, see the Microsoft Azure documentation at http://azure.microsoft.com/en-us/documentation/.

This document also assumes that you have basic knowledge of a NetScaler appliance. For detailed information about NetScaler appliances, see

For information about NetScaler Gateway configuration for Citrix XenApp and XenDesktop in Azure cloud, see https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-vpx-deployment-with-xendesktop-and-xenapp-on-microsoft-azure.pdf.

Limitations and Usage Guidelines

Design characteristics of the Azure Cloud impose the following limitations on the NetScaler VPX solution for Azure:
  1. Although you can provision a NetScaler VPX instance in Azure with multiple NICs, the multiple NIC feature has a few constraints as documented in the following Microsoft article: http://azure.microsoft.com/blog/2014/10/30/multiple-vm-nics-and-network-virtual-appliances-in-azure/. Because of one of the limitations – “The order of the NICs inside the VM will be random”, if you provision a NetScaler VPX instance with multiple NICs, the instance might become unresponsive if Azure processes or your use of Azure tools shuts down and restarts the virtual machine.

    To avoid this issue, Citrix recommends that you deploy NetScaler VPX instances in single IP mode, which is available only in Azure deployments. For more information about the single IP mode and the traffic flow in a NetScaler VPX on Azure deployment, see How NetScaler VPX Works on Azure.

  2. The Azure architecture does not accommodate support for the following NetScaler features:

    Clustering

    IPv6

    Gratuitous ARP (GARP)

    L2 Mode

    Tagged VLAN

    Dynamic Routing

    Virtual MAC (VMAC)

    USIP

    GSLB

    CloudBridge Connector

  3. The Intranet IP (IIP) feature is not supported, because Azure does not provide the pool of IP addresses required for this feature. IIP is frequently used in VOIP, SIP, or server-initiated-connection deployment.
  4. If you expect that you might have to shut down and temporarily deallocate the NetScaler VPX virtual machine at any time, assign a static Internal IP address while creating the virtual machine. If you do not assign a static internal IP address, Azure might assign the virtual machine a different IP address each time it restarts, and the virtual machine might become inaccessible. For more information, see Provisioning NetScaler VPX on Azure with Static IIP.
  5. In an Azure deployment, only the following NetScaler VPX models are supported: VPX 10, VPX 200, and VPX 1000. These virtual appliances can be deployed on any instance type that has two or more cores and more than 2 GB memory. See the NetScaler VPX datasheet: https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-netscaler-vpx-data-sheet.pdf

NetScaler Features Supported on a NetScaler VPX Instance Running on a Microsoft Azure Cloud

The following features are supported on an unlicensed NetScaler VPX instance running on a Microsoft Azure cloud:

  • Web Logging
  • Content Switching
  • Load Balancing
  • SSL Offloading
  • Content Filtering
  • SSL VPN (Maximum users = 5) (Maximum ICA users = unlimited)
  • Rewrite
  • Responder
  • HTML Injection
  • Web Interface on NS
  • Appflow
  • vPath
  • Model Id 5
  • Strong encryption
  • For a XenApp and XenDesktop deployment, a VPN virtual server on a NetScaler appliance can be configured in the following modes:
    • Basic mode, where the ICAOnly VPN virtual server parameter is set to ON. The Basic mode works fully on an unlicensed NetScaler VPX instance.
    • Smart-Access mode, where the ICAOnly VPN virtual server parameter is set to OFF. The Smart-Access mode works for only 5 AAA session users on an unlicensed NetScaler VPX instance.

Note: To configure the Smart Control feature, you must apply a platinum license to the NetScaler VPX instance.

Network Architecture

In a Microsoft Azure cloud, a NetScaler VPX instance resides between the Azure cloud service endpoint and the backend servers. The NetScaler instance does not receive client requests directly. They are received on the endpoint, which forwards the requests to the NetScaler VPX instance, and the instance sends them to the servers. The response from a server follows the same path in reverse.

The following figure shows how traffic flows from a client to the server through a NetScaler VPX instance provisioned in the Azure cloud.

How NetScaler VPX Works on Azure

A regular NetScaler VPX appliance requires at least three IP addresses to function:
  • Management IP address called the NetScaler IP (NSIP) address
  • Subnet IP (SNIP) address for communicating with the server farm
  • Virtual server IP (VIP) address for accepting client requests

In the Azure network architecture, only one private IP address (internal IP address) is assigned to an instance during provisioning through DHCP.

Although you can provision a NetScaler VPX instance in Azure with multiple NICs, the multiple NIC feature has a few constraints that might make the instance unresponsive. For details about this constraint, see Limitations and Usage Guidelines.

To prevent this limitation, you can deploy NetScaler VPX instance in Azure with single IP architecture, where the three IP functions of a NetScaler appliance are multiplexed onto one IP address. This single IP address uses different port numbers to function as the NSIP, SNIP, and VIP.

The following image illustrates how a single IP address is used to perform the functions of NSIP, SNIP, and VIP.

Note: The single IP mode is available only in Azure deployments. This mode is not available in the on-premise NetScaler VPX, NetScaler VPX on AWS, and NetScaler VPX instances running in other deployments.
Traffic Flow Through Port Address Translation
Note: This document refers to the Azure public virtual IP (VIP) address as the cloud service IP address to avoid confusion with the NetScaler virtual IP (VIP) address.

In an Azure deployment, when you provision the NetScaler VPX instance as a virtual machine (VM), Azure assigns a cloud service IP address and an internal IP address (non-routable) to the NetScaler virtual machine. Endpoints are defined for the NetScaler instance and each endpoint is assigned a public port and a private port. The NetScaler instance listens on the internal IP address and private port.

The client request that originates from the Internet is received by the Azure cloud service endpoint on the cloud service public IP address and public port. This endpoint performs port address translation (PAT) to map the public IP address and port to the internal IP address and private port of the NetScaler virtual machine, and forwards the traffic to the virtual machine.

The following figure shows how Azure performs port address translation to direct traffic to the NetScaler internal IP address and private port.

In this example, the cloud service IP address assigned to the VM is 140.x.x.x, and the internal IP address is 10.x.x.x. When the endpoints are defined, public HTTP port 80 is defined as the port on which the client requests are received, and a corresponding private port, 10080, is defined as the port on which the NetScaler virtual machine listens. The client request is received on IP address 140.x.x.x at port 80. Azure performs port address translation to map this address and port to internal IP address 10.x.x.x on private port 10080 and forwards the client request.

For information about port usage guidelines while defining endpoints, see Port Usage Guidelines.

For information about endpoints, see http://azure.microsoft.com/en-in/documentation/articles/virtual-machines-set-up-endpoints/

Note: You can also configure multiple cloud service IP addresses for multiple virtual servers with unique FQDNs configured on the NetScaler VPX VM. For more information, see Configuring Multiple Azure VIPs for a NetScaler VPX in the Azure Cloud.

Traffic Flow Through Network Address Translation

You can also request an instance-level public IP address (PIP) for your NetScaler virtual machine. If you use a PIP, you need not define an endpoint to receive traffic. The incoming request from the Internet is received on the PIP. Azure performs network address translation (NAT) and forwards the traffic to the internal IP address of the NetScaler instance.

Note that you can create a PIP only through Windows PowerShell or REST APIs. For more information about PIP, see https://msdn.microsoft.com/en-us/library/azure/dn690118.aspx.

The following figure shows how Azure performs network address translation to map the NetScaler internal IP address.

In this example, the PIP assigned to the NetScaler virtual machines is 156.x.x.x and the internal IP address is 10.x.x.x. No endpoints are defined. The client request is received on PIP 156.x.x.x. Azure performs network address translation to maps the PIP to the internal IP address 10.x.x.x, and forwards the client request.

Note: Citrix recommends that you use the cloud service IP address to receive traffic from the Internet, and use either the cloud service public IP address or the PIP to access the NetScaler instance for management purposes. Also, note that NetScaler high availability does not work if you use PIP to receive client traffic from the Internet.

Port Usage Guidelines

You can configure additional endpoints while creating the NetScaler virtual machine or after the virtual machine is provisioned. Each endpoint has a public port and a private port.

Before adding endpoints, note the following guidelines regarding the port numbers you can use:
  1. The following ports are reserved by the NetScaler virtual machine. You cannot define these as private ports when using the cloud service IP address for requests from the Internet.

    Ports 21, 22, 80, 443, 8080, 67, 161, 179, 500, 520, 3003, 3008, 3009, 3010, 3011, 4001, 5061, 9000, 7000.

    However, if you want Internet-facing services such as the VIP to use a standard port (for example, port 443) you have to create port mapping by using the Azure endpoint. The standard port is then mapped to a different port that is configured on the NetScaler for this VIP service.

    For example, a VIP service might be running on port 8443 on the NetScaler instance but be mapped to public port 443. So, when the user accesses port 443 through the cloud service IP, the request is actually directed to private port 8443.

  2. Cloud service IP does not support protocols in which port mapping is opened dynamically, such as passive FTP or ALG.
  3. Azure load balancer does not work with PIP. Therefore, in the current NetScaler high availability (HA) design, a PIP cannot be used as a VIP, that is, as an Internet-facing interface. For more information about configuring NetScaler VPX HA in the Azure cloud, see Configuring NetScaler VPX in High Availability Mode in Azure.
  4. In a NetScaler Gateway deployment, you need not configure a SNIP address because the NSIP can be used as a SNIP when no SNIP is configured.
  5. You must configure the VIP address by using the NSIP address and some nonstandard port number. For call-back configuration on the backend server, the VIP port number has to be specified along with the VIP URL (for example, url:port).

    Example:

    If the VPN virtual server FQDN is vip.test.com, and the VPN virtual server is running on port 8443 then, the call-back URL will be: https://vip.test.com:8443