Citrix NetScaler, Load Balancing SQUID acting as an Internet Forwarding Proxy


In this setup two SQUID servers are used as an ‘Internet Forwarding Proxy’. Note that SQUID has other kinds of use cases (reverse proxy / accelerator, for example), so this load balancing setup is not necessarily right for all of them. The customer requires that these SQUID servers are load balanced to ensure high availability. The servers primarily ‘proxy’ web browser traffic towards the Internet. Sometimes business applications also need to reach the Internet through this kind of proxy. (Lately I see a lot of on-premise cloud software connecting ‘up to the cloud’. Most of the time these are not so well coded and have issues handling a forwarding proxy.)

A side note: the NetScaler itself can also be used as an Internet Forwarding Proxy; for that have a look at http://blogs.citrix.com/2010/02/25/netscaler-feature-of-the-day-deploy-as-a-forward-proxy/. In this case the customer could not use the NetScaler for that purpose because of specific technical requirements.

—–

This is not going to be an end-to-end manual for load balancing SQUID; I’ll highlight the specifics. Let’s get started.


When defining the ‘Load Balancing Virtual Server’ on the NetScaler, choose HTTP as the protocol (service) type. This supports both HTTP and HTTPS proxying on the same TCP port: for http:// sites the browser sends plain HTTP requests to the proxy, and for https:// sites it sends a CONNECT request and then tunnels TLS through the proxy, so both arrive as HTTP as far as the NetScaler and SQUID are concerned. In this example the port is TCP 8080, which is commonly used when configuring a web browser’s proxy. Because the NetScaler parses the HTTP requests with this service type, we can insert the X-Forwarded-For header later on; that does not work when we ‘just’ use TCP as the protocol type.

[screenshot: vserver]

Continuing with the ‘Load Balancing Virtual Server’: the Load Balancing Method can be ‘Least Connection’ or ‘Round Robin’. I’ve set the Persistence to ‘COOKIEINSERT’ with the corresponding timeout set to zero, ‘0’. Zero means the NetScaler inserts the persistence cookie without an expiry time, so the ‘stickiness’ lasts as long as the user’s browser is open (if an end user closes the browser, or an application/service is restarted, the persistence is reset; a new session may then be balanced to the other server). Keep in mind that the browser stores this cookie against the destination site the response came from, not against the proxy, so it only makes further requests to that same site sticky; requests to other sites, and HTTPS traffic, which passes the proxy as an opaque CONNECT tunnel, effectively rely on the backup persistence. The Backup Persistence is set to ‘SOURCEIP’. If, for some reason, a browser or application (one that uses the Internet Explorer proxy configuration, for example) cannot handle HTTP cookies, the backup persistence is used: sessions are sent to the same server for the time defined under ‘backup time-out’, in this case 480 minutes or 8 hours. For a forward proxy the SOURCEIP backup therefore does most of the work in practice.

[screenshot: vserver2]

Next up is the configuration of a ‘Service Group’. A service group defines a common set of application/service-specific load balancing parameters for a group of servers that are configured consistently at the ‘application’ level. For SQUID I set the ‘Client IP’ option to ENABLED and entered the header name ‘X-Forwarded-For’. This is an HTTP header (see http://en.wikipedia.org/wiki/X-Forwarded-For). With these parameters the SQUID admin can see the ‘real’ client IP address. Without them, by default, the admin only sees the NetScaler’s Subnet IP (SNIP), because the NetScaler opens the connection to SQUID from that address. X-Forwarded-For passes on the IP address of the ‘real’ client that is connecting through the load balancer.

To be more specific: the IP of the system on which the browser is accessing the NetScaler virtual server (in a LAN scenario). In SQUID the admin can allow access through the proxy, request authentication or block access on the basis of the client’s ‘real’ IP. One caveat: any client can send an X-Forwarded-For header of its own, so SQUID must be configured to trust the header only on connections coming from the NetScaler’s SNIP; otherwise a client could forge its address and bypass such ACLs.
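The same virtual server, persistence and service group settings as typed on the NetScaler command line. This is an added example, not from the original post; the server names, IP addresses, VIP and monitor are constructed values and do not come from the customer setup described above.

```text
# Added example (not from the original post): NetScaler CLI equivalent of the
# GUI steps above. All names and addresses are constructed/assumed values:
# two SQUID servers on 10.0.0.11 and 10.0.0.12 port 8080, VIP 10.0.0.100:8080.

add server squid01 10.0.0.11
add server squid02 10.0.0.12

# Plain TCP check on the proxy port (assumed sufficient here). SQUID answers a
# relative "GET /" on a forward-proxy port with an error page, so an HTTP
# monitor would need its expected response code adjusted accordingly.
add lb monitor mon_squid_tcp TCP -interval 5 -resptimeout 2

# Service type HTTP so the NetScaler parses the requests and can insert the
# real client address as an X-Forwarded-For header (-cip). With service type
# TCP the client IP insertion option is not available.
add serviceGroup svg_squid_8080 HTTP -cip ENABLED X-Forwarded-For
bind serviceGroup svg_squid_8080 squid01 8080
bind serviceGroup svg_squid_8080 squid02 8080
bind serviceGroup svg_squid_8080 -monitorName mon_squid_tcp

# HTTP virtual server on the proxy port. Persistence: COOKIEINSERT with
# timeout 0 (cookie without expiry, lives as long as the browser), backup
# SOURCEIP for clients that do not return cookies, 480 minutes = 8 hours.
add lb vserver vs_squid_8080 HTTP 10.0.0.100 8080 -lbMethod LEASTCONNECTION -persistenceType COOKIEINSERT -timeout 0 -persistenceBackup SOURCEIP -backupPersistenceTimeout 480
bind lb vserver vs_squid_8080 svg_squid_8080

save ns config
```

After applying this, `show lb vserver vs_squid_8080` and `show serviceGroup svg_squid_8080` show the persistence settings and the client IP header name; `show persistentSessions` lists the source IP entries as clients start browsing. Keep the VIP on an internal network only: an open forward proxy reachable from the Internet is a classic relay for abuse.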

[screenshot: svgroup]
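On the SQUID side the inserted header is only safe to use if SQUID trusts it from the NetScaler alone. The squid.conf fragment below is an added example, not from the original post or the customer’s configuration; the SNIP, client LAN and blocked segment are constructed addresses.

```text
# Added example (not from the original post): squid.conf fragment for a SQUID
# server behind the NetScaler. Addresses are constructed/assumed: NetScaler
# SNIP 10.0.0.5, client LAN 10.10.0.0/16, proxy port 8080.

http_port 8080

# Every TCP connection arrives from the SNIP. Only the NetScaler may vouch for
# the real client via X-Forwarded-For; the header is ignored when sent by
# anyone else, so a client on the LAN cannot forge its own address.
acl netscaler_snip src 10.0.0.5
follow_x_forwarded_for allow netscaler_snip
follow_x_forwarded_for deny all

# Evaluate "src" ACLs and write access.log against the indirect (XFF-derived)
# client instead of the SNIP.
acl_uses_indirect_client on
log_uses_indirect_client on

# From here on "src" means the real client.
acl localnet src 10.10.0.0/16
acl blocked_clients src 10.10.99.0/24    # constructed: a segment that may not browse

acl SSL_ports port 443
acl Safe_ports port 80 443 21 1025-65535
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocked_clients
http_access allow localnet
# Connections that reach SQUID directly, without the NetScaler in front (no
# trusted X-Forwarded-For), are judged on their own source address and fall
# through to this deny.
http_access deny all
```

SQUID walks the X-Forwarded-For list from the right and stops at the first hop that is not allowed by follow_x_forwarded_for, so a client that sends its own X-Forwarded-For header still ends up identified by the address the NetScaler appended. A quick check from a machine in the blocked segment, `curl -x http://<VIP>:8080 -H 'X-Forwarded-For: 10.10.1.1' http://example.com`, must still be denied, and access.log must show the machine’s real address. Older SQUID 3.x builds need `--enable-follow-x-forwarded-for` at compile time (check `squid -v`); if the directive is rejected at startup, that is why.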

When everything is in place, up and running and tested, next up is the proxy configuration in the browser, for example Internet Explorer (at scale, do this via GPO). Go to Settings, Internet Options, Connections, LAN Settings. Either disable ‘Automatically detect settings’ or rely on Web Proxy Auto-Discovery, WPAD (see https://technet.microsoft.com/en-us/library/dd361887.aspx); if you use WPAD, make sure the ‘wpad’ host name can only resolve to a host you control, because clients will trust whatever proxy script that name hands out. Enable the proxy server and fill in a DNS name or the NetScaler Virtual Server IP (VIP) with port 8080. Also fill in the same DNS name or VIP under ‘Secure:’, or tick ‘Use the same proxy server for all protocols’. (NOTE: I’ve only tested HTTP and HTTPS.)

Most of the time you will want to bypass the proxy for local addresses. NOTE: Microsoft defines a ‘local address’ as a single-label name without a domain suffix, for example http://intranet. If you want to bypass http://intranet.domain.com, http://intranet.domain.local or any other FQDN in a ‘local’ domain, you will need to add them to the ‘Exceptions’ list (the ProxyOverride value in the registry), for example *.domain.local.

[screenshot: system-proxy-config]

Now it is time to do some testing. Try loading an external web page over HTTP and HTTPS, and check on the SQUID side that access.log shows the client’s address rather than the SNIP.

The configuration so far only sets the proxy for Internet Explorer. Most other browsers read these settings from IE / the Windows registry and apply them, and the same is true for most server-side applications. Sometimes an application cannot configure itself from the Internet Explorer proxy settings. If that is the case, and it needs to use the proxy, you can configure the proxy for the computer/server as a whole (the WinHTTP proxy used by services) by running a Netshell command from the command prompt:

netsh winhttp import proxy source=ie

Note: you will need an elevated command prompt (administrator rights) for this to work. Verify the result with `netsh winhttp show proxy`.

Greetings,

Ronny.