Citrix NetScaler

How to load balance Citrix Director 7.6 using a Citrix NetScaler

Citrix Director is a very important piece of any XenDesktop or XenApp environment. You don’t want to have a single point of failure for this, especially if your help desk relies on it. I saw a Twitter post the other day asking how to load balance Director 7.6 and figured I’d write up this guide. I also have a couple of BONUS tricks that will make Director easier to use for your end users.

Citrix Director should not be used on your Delivery Controllers in large production environments. It’s a pretty heavy web app and the more users you have using it the more load there will be on your Delivery Controllers. The best thing to do is setup separate dedicated web servers for the Director role. Also note it’s best practice to have a separate SQL databases for Site configuration, Logging, and Monitoring but most all 7.6 deployments I’ve seen in the real world have it all combined (and I blame the Citrix installation wizard for this, they should made it easier for folks to understand and change during installation). In this example I’m going to assume you have setup 2 dedicated Director 7.6 servers and connected them to your Delivery Controllers. On the NetScaler, the config is no different than any other website you would load balance:

1. Create 2 servers. In this example I have created srv_dir01 and srv_dir02:

Advertisement. Scroll to continue reading.

2. Now create a service group. You can use HTTP or SSL. In this example I have created svcgrp_director and made it HTTP.

3. Now add your 2 members (the 2 servers you created in step 1):

4. Make them port 80 if using HTTP or 443 if SSL:

Advertisement. Scroll to continue reading.

5. Now add an HTTP monitor

6. Now create a load balanced vserver and make the protocol HTTP or SSL and choose the appropriate port depending on what you have done so far. In this example HTTP and port 80:

7. Now bind the service group you created in the previous step:

Advertisement. Scroll to continue reading.

8. Set the persistence to Source IP. You can also use Cookie Insert with Source IP as backup if you prefer. I usually only use Cookie Insert for external websites where you may have users using a forward proxy. Set the cookie timeout to 0 so the NetScaler doesn’t have to consume resources keeping track of the cookie if you use this method. When users close their browser the cookie expires automatically. For an internal website like Director, Source IP should be just fine for you. I left the default 2 min timeout in this example:

9. Your load balanced vserver should be Up at this point. Create a nice friendly name in DNS for your vserver IP like “http://director.yourdomain.com” and try it out.

Table of Contents

Toggle

BONUS #1

1. You’ll notice if you navigate to “http://director.yourdomain.com” you’ll get the IIS start page. You don’t want your end users to have to remember to type out “http://director.yourdomain.com/Director” to get to the actual Director login page. That gets annoying real quick:

Advertisement. Scroll to continue reading.

2. The easy thing to do is use a NetScaler Responder policy to redirect users to the right URL. Go to your Responder Actions and create a new redirect action. In this example I have created resact_director_redirect and it redirects to:

"http://director.yourdomain.com/Director/"

(yes, leave the quotes just like in the screenshot:

Advertisement. Scroll to continue reading.

3. Now create a Responder Policy and bind your new Action to it. My policy is set to:

HTTP.REQ.URL.CONTAINS("Director").NOT

which means if the URL does not contain “Director”, then it’s going to redirect to the Director home page.

4. Now go bind your new Responder Policy to your Load Balanced vserver:

Advertisement. Scroll to continue reading.

6. Now try hitting “http://director.yourdomain.com” in your browser and voila, it will automatically redirect to “http://director.yourdomain.com/Director/”

BONUS #2

Do you use Director 7.6 in a NOC or put it up on a monitor that sits in a public place always displaying your Citrix environment stats? You’ll notice that Director 7.6 will automatically kick you out after about 4 hours of idle time on the website. Unless you have someone in front of the screen all the time to keep typing in credentials, this can get very annoying. To modify this value to something longer just edit the Director web.config file and edit the cookie timeout value for the session. If using Server 2012 make sure you open Notepad in “Run as Administrator” mode then open this:

C:\inetpub\wwwroot\Director\web.config

Advertisement. Scroll to continue reading.

and head down to this section:

Change the session state timeout value from 245 minutes to whatever your preference is. Example, for 7 days it would be 10080 minutes. The lowest you can go with Director 7.6 (without modifying some other settings) is 11 minutes otherwise you will get this message immediately after logging in:

Advertisement. Scroll to continue reading.

Note that even setting it this low it will popup with the message after a few min and kick you out around the 6 minute mark. So if have a reason to get very precise there are some other settings you would have to modify in the web config or even easier just calculate and trial and error until you hit the number you are looking for.

4 Comments

  1. Cleriston

    December 29, 2015 at 7:57 PM

    Congratulations Jason! Very useful post.
    Any tips for configure NetScaler for both XenDesktop and Director access with the same FQDN?

    Like,

    if the use type https://citrix.mydomain.com -> Go to Citrix XenDesktop portal (integrated with Storefront) default…
    if the user type https://citrix.mydomain.com/director -> Go to Director Load balance configured with your greats steps above

  2. Joe

    February 2, 2016 at 4:51 PM

    In the beginning of this article you describe a few best practices, for example, separating the databases and not running Director on the Delivery Controller. However, the rest of the article proceeds to show how to load balance Director using HTTP instead of HTTPS. Usernames and passwords should never traverse a network unencrypted.

  3. Jason Samuel

    February 4, 2016 at 8:34 PM

    Cleriston, you should be able to use Rewrite/URL Transformation policies to accomplish what you are looking to do.

    Joe, absolutely agreed with you. HTTP should only be used in a test or lab environment. Everything in any production environment should be using SSL/TLS.

  4. MC

    February 26, 2016 at 12:19 PM

    Excellent article well written..

    With regards to the responder policy – How would one set up an expression if the word ‘Director’ also appeared in the FQDN of the address being used to get to it… e.g xddirector.something.local

    Realised all packets were getting dropped when trying to test that one out.. Might be obvious but wasn’t getting very far…

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Apache

Today I would like to go over proper URL redirection when using SSL but first I would like to preface this by describing what...

Exchange 2003

A useful Exchange 2003 guide I wrote for a friend’s blog originally but I am posting it here on mine now for your viewing...

Citrix Workspace

You can use FIDO2 hardware security keys plugged into your physical desktop over the Citrix HDX remoting protocol for use with virtualized Windows Desktop...

Cloud Design Architecture

The community-driven paperback book initiated by my friends Bas van Kaam and Christiaan Brinkhoff is available for sale on Amazon. If you haven’t picked...

JasonSamuel.com was launched in 2008 as a platform to give back to the IT community by sharing knowledge and expertise. Over the years, it has become a trusted global resource for the latest insights, how-to guides, and thought leadership on enterprise mobility, security, virtualization, cloud architecture, automation, and other cutting-edge technologies. Today, it serves as a go-to reference hub for IT professionals, attracting hundreds of thousands of unique visitors from around the world each month. Learn more on the About Me page.
Copyright © 2008-2025 JasonSamuel.com

Exit mobile version