Citrix Director is a very important piece of any XenDesktop or XenApp environment. You don’t want to have a single point of failure for this, especially if your help desk relies on it. I saw a Twitter post the other day asking how to load balance Director 7.6 and figured I’d write up this guide. I also have a couple of BONUS tricks that will make Director easier to use for your end users.
Citrix Director should not be used on your Delivery Controllers in large production environments. It’s a pretty heavy web app and the more users you have using it the more load there will be on your Delivery Controllers. The best thing to do is setup separate dedicated web servers for the Director role. Also note it’s best practice to have a separate SQL databases for Site configuration, Logging, and Monitoring but most all 7.6 deployments I’ve seen in the real world have it all combined (and I blame the Citrix installation wizard for this, they should made it easier for folks to understand and change during installation). In this example I’m going to assume you have setup 2 dedicated Director 7.6 servers and connected them to your Delivery Controllers. On the NetScaler, the config is no different than any other website you would load balance:
1. Create 2 servers. In this example I have created srv_dir01 and srv_dir02:
2. Now create a service group. You can use HTTP or SSL. In this example I have created svcgrp_director and made it HTTP.
3. Now add your 2 members (the 2 servers you created in step 1):
4. Make them port 80 if using HTTP or 443 if SSL:
5. Now add an HTTP monitor
6. Now create a load balanced vserver and make the protocol HTTP or SSL and choose the appropriate port depending on what you have done so far. In this example HTTP and port 80:
7. Now bind the service group you created in the previous step:
8. Set the persistence to Source IP. You can also use Cookie Insert with Source IP as backup if you prefer. I usually only use Cookie Insert for external websites where you may have users using a forward proxy. Set the cookie timeout to 0 so the NetScaler doesn’t have to consume resources keeping track of the cookie if you use this method. When users close their browser the cookie expires automatically. For an internal website like Director, Source IP should be just fine for you. I left the default 2 min timeout in this example:
9. Your load balanced vserver should be Up at this point. Create a nice friendly name in DNS for your vserver IP like “http://director.yourdomain.com” and try it out.
BONUS #1
1. You’ll notice if you navigate to “http://director.yourdomain.com” you’ll get the IIS start page. You don’t want your end users to have to remember to type out “http://director.yourdomain.com/Director” to get to the actual Director login page. That gets annoying real quick:
2. The easy thing to do is use a NetScaler Responder policy to redirect users to the right URL. Go to your Responder Actions and create a new redirect action. In this example I have created resact_director_redirect and it redirects to:
"http://director.yourdomain.com/Director/"
(yes, leave the quotes just like in the screenshot:
3. Now create a Responder Policy and bind your new Action to it. My policy is set to:
HTTP.REQ.URL.CONTAINS("Director").NOT
which means if the URL does not contain “Director”, then it’s going to redirect to the Director home page.
4. Now go bind your new Responder Policy to your Load Balanced vserver:
6. Now try hitting “http://director.yourdomain.com” in your browser and voila, it will automatically redirect to “http://director.yourdomain.com/Director/”
BONUS #2
Do you use Director 7.6 in a NOC or put it up on a monitor that sits in a public place always displaying your Citrix environment stats? You’ll notice that Director 7.6 will automatically kick you out after about 4 hours of idle time on the website. Unless you have someone in front of the screen all the time to keep typing in credentials, this can get very annoying. To modify this value to something longer just edit the Director web.config file and edit the cookie timeout value for the session. If using Server 2012 make sure you open Notepad in “Run as Administrator” mode then open this:
C:\inetpub\wwwroot\Director\web.config
and head down to this section:
1 2 3 4 5 6 7 8 9 10 11 |
sessionState mode="Custom" cookieless="UseCookies" regenerateExpiredSessionId="true" timeout="245" cookieName="DESKTOPDIRECTORSESSION" customProvider="Citrix.Dmc.WebService.CustomSessionStateProvider"> providers> add name="Citrix.Dmc.WebService.CustomSessionStateProvider" type="Citrix.Dmc.WebService.CustomSessionStateProvider" /> /providers> /sessionState> |
Change the session state timeout value from 245 minutes to whatever your preference is. Example, for 7 days it would be 10080 minutes. The lowest you can go with Director 7.6 (without modifying some other settings) is 11 minutes otherwise you will get this message immediately after logging in:
Note that even setting it this low it will popup with the message after a few min and kick you out around the 6 minute mark. So if have a reason to get very precise there are some other settings you would have to modify in the web config or even easier just calculate and trial and error until you hit the number you are looking for.
Jason Samuel is a visionary product leader and trusted advisor with a proven track record of shaping strategy and driving technology innovation. With extensive expertise in enterprise end-user computing, security, cloud, automation, and virtualization technologies, Jason has become a globally recognized authority in the IT industry. His career spans consulting for hundreds of Fortune 500 enterprises across diverse business sectors worldwide, delivering cutting-edge digital solutions from Citrix, Microsoft, VMware, Amazon, Google, and NVIDIA that seamlessly balance security with exceptional user experiences.
Jason’s leadership is amplified by his dedication to knowledge-sharing as an author, speaker, podcaster, and mentor within the global IT and technology community. Recognized with numerous prestigious awards, Jason’s contributions underscore his commitment to advancing technology and empowering organizations to achieve transformative results. Follow him on LinkedIn.
Cleriston
December 29, 2015 at 7:57 PM
Congratulations Jason! Very useful post.
Any tips for configure NetScaler for both XenDesktop and Director access with the same FQDN?
Like,
if the use type https://citrix.mydomain.com -> Go to Citrix XenDesktop portal (integrated with Storefront) default…
if the user type https://citrix.mydomain.com/director -> Go to Director Load balance configured with your greats steps above
Joe
February 2, 2016 at 4:51 PM
In the beginning of this article you describe a few best practices, for example, separating the databases and not running Director on the Delivery Controller. However, the rest of the article proceeds to show how to load balance Director using HTTP instead of HTTPS. Usernames and passwords should never traverse a network unencrypted.
Jason Samuel
February 4, 2016 at 8:34 PM
Cleriston, you should be able to use Rewrite/URL Transformation policies to accomplish what you are looking to do.
Joe, absolutely agreed with you. HTTP should only be used in a test or lab environment. Everything in any production environment should be using SSL/TLS.
MC
February 26, 2016 at 12:19 PM
Excellent article well written..
With regards to the responder policy – How would one set up an expression if the word ‘Director’ also appeared in the FQDN of the address being used to get to it… e.g xddirector.something.local
Realised all packets were getting dropped when trying to test that one out.. Might be obvious but wasn’t getting very far…