Body
Overview
Content Switching Virtual Servers allow us to direct traffic to different services/servers using the same Virtual IP. This is Citrix's methodology of how our Microsoft ARR servers work today. The Content Switching Virtual Server directs traffic to the appropriate service based off of certain criteria. In our case, we examine the contents of the URL (hostname), and route that traffic accordingly.
Content Switching Virtual Servers (CSVS) augment existing Load Balancing Virtual Servers (LBVS); in fact, the actions that are bound to the policies of a CSVS must point to defined LBVS! I know that sounds a bit confusing, but just think of a CSVS directing traffic based on the client's URL request to the appropriate LBVS. Hopefully this becomes clearer as we go through this document.
Fortunately for us, all of our public sites are *.nic.edu so we can bind that certificate to a CSVS. However, if we wanted to put a service that belongs in another domain using a different certificate behind this same CSVS, we can leverage SNI to bind multiple certificates to this CSVS. So, if we did switch to named certificates for everything rather than a wild card, CSVS is still a viable solution.
Requirements
- A free IP address if you are create a new Content Switching Virtual Server
- Certificates to bind to the the CSVS
- You are familiar with the steps covered in Basic Reverse Proxy/Load balance setup and SSL Virtual Servers and Services
Procedure
- Create your Server and Services/Service Groups under Traffic Management->Load Balancing
Creating the Load Balancing Virtual Server
- Create a "Virtual" Virtual server for the Service you just created. However, prefix the name of the Virtual Server with "cs-vs" so we know it's used in Content Switching. Also, set the IP Address Type to Non Addressable
- When you click OK, you are presented with the Virtual Server summary screen. Bind this Virtual Server to the service you had created earlier and click Continue
- Because this "virtual" Virtual Server is using SSL, bind a certificate to this server.
Creating the Content Switching Action
- Now that you have built a Load Balancing Virtual Server for the Content Switching Action to point to, Navigate to Traffic Management->Content Switching->Actions and click on Add
- Prefix the name of the Content Switching Action with "cs-act_"
- And select the LBVS server you just created for this action to point to
- The action should look something like this
Creating the Content Switching Policy
- Now we create the Content Switching Policy that determines when the CSVS invokes the action we just created. Navigate to Traffic Management->Content Switching-Policies and click Add
- Prefix the name of the policy with "cs-pol_". In case you are wondering, this makes it easier to parse through the configuration via CLI when you SSH into the ADC. Select the Action you just created for the Policy to tell the client to do should the Expression be true
- Now for the fun part - the Expression.
http.req.header("host").set_text_mode(ignorecase).contains("sdc-t2019-dcc") || http.req.header("host").set_text_mode(ignorecase).contains("mytestbox")
- The expression above evaluates the host part of the URL to see if it contains either the string "sdc-t2019-dcc" || (logical OR) "mytestbox". If it needed to contain both for some reason, we would use the && (logical AND). Here is an expression used for a different policy
http.req.header("host").set_text_mode(ignorecase).contains("clconnect.nic.edu") && (CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8) || CLIENT.IP.SRC==23.99.3.236 || CLIENT.IP.SRC==23.99.4.206 || CLIENT.IP.SRC==23.99.7.131 || CLIENT.IP.SRC==23.99.7.165 ||CLIENT.IP.SRC==23.99.91.55 || CLIENT.IP.SRC==104.209.34.227 || CLIENT.IP.SRC==138.91.242.26 || CLIENT.IP.SRC==191.236.119.221)
- The expression above also evaluates the host, but then allows clients using the specific IP address/Subnets to be processed. Any request from a client IP not listed in the expression is dropped. This is handy since you can not control this at the firewall level since a Content Switched Virtual IP is handling various sites and services.
The next section goes over creating a Content Switching Virtual Server. Today, we have to Content Switching Virtual Servers setup in the Production Environment and we simply bind new Content Switching Policies to either of these two existing Content Switching Virtual Servers. If you are simply presenting a new service, you can skip past this section this step and go to "Binding the Content Switching Policy to the Content Switching Virtual Server" |
Creating a Content Switching Virtual Server
- Now that we have a Policy, we can create the Content Switching Virtual Server. Navigate to Traffic Management->Content Switching->Virtual Servers and click Add.
- Though this form is slightly different than adding a Load Balancing Virtual Server, we populate the same set of fields: Name, Protocol, IP Address and click Ok
Binding the Content Switching Policy to the Content Switching Virtual Server
- Now we are presented with the Content Switching Virtual Server summary page. Notice that the only window we are presented with is Content Switching Policy Binding. Add/Bind the cs-pol_ that you just created and click OK.
You can stop here if you are simply adding another service to this content switched virtual server. The next section covers some additional configuration we can apply to a Content Switched Virtual Server if you created a brand new one |
- The Content Switching Virtual Server is built, but we have a couple of things to do. We will need to harden the Virtual Server with the correct SSL Ciphers and SSL Parameters (for turning off legacy SSL and TLS protocols). However, there is one more SSL Parameter to change: SNI
- SNI is disabled by default. We can enable it so we can bind multiple certificates to this Virtual Server if need be. Click on the Pen icon and edit the SSL Parameters window and check SNI Enable
- Now that we have enabled SNI, we need to bind some Certificates to it. Click on + Certificate under Advanced Settings on the right
- When you add a certificate, be sure to check the Server Certificate for SNI before you Bind it
- Now that you have your Content Switching Virtual Server built, you can test the existing policies by updating your hosts file until you are ready to update DNS. Also, you can add additional Policy/Actions to your Content Switching Virtual Server.
So, to recap the steps to build out or add a service to a Content Switching Virtual Server:
Load Balancing/Server->Load Balancing/Service->Load Balancing/Virtual Server (non-addressable)->Content Switching/Action->Content Switching/Policy->Content Switching/Virtual Server