It is always beneficial to use LDAPS (LDAP over SSL/TLS) instead of plaintext LDAP authentication when authenticating users through your access gateways.
Netscaler 11 finally provides us with the ability to create a secure monitor for LDAPS services. The LDAPS monitor is used to verify that the load-balanced Domain Controllers are functioning correctly. It will log in as a domain account (a service account, so make sure the password never expires and ensure the account is at least a member of the Domain Users group), perform an LDAP query, and look for a positive response. Since this kind of monitor is a Perl script, it uses the NSIP as the source IP.
The Netscaler is also used as an SSL offloading device, therefore we will choose SSL_TCP as the protocol for our LDAPS load balancing vserver (of course this requires a valid certificate on the backend domain controllers).
So how do we create the LDAPS monitor:
1. Log on to your Netscaler and navigate to: Traffic Management – Load Balancing – Monitors and click Create a monitor:
Give it a name and use Type: LDAP
Scroll down a little bit and check the Secure box as shown below…
Click on the Special Parameters tab and:
- use the Script Name drop-down list and select the nsldap.pl script
- In the Base DN field, enter your domain name in LDAP format (e.g. dc=company,dc=com)
- In the Bind DN field, enter the User Principal Name of the service account (ex. serviceaccountname@domain.com)
- Finally, in the Password field, enter the password for the service account and click Create
Note! In the Filter field you must enter: cn=Builtin (if you are on Netscaler 12), and the Bind DN could also be given in DN format if you prefer, for example: cn=Ldap-SA,cn=Service-Accounts,dc=envokeit,dc=com
Now it is time to create the Load balancing server group and Load balancing virtual server.
Start by defining the domain controller servers you would like to load balance (in my case I’ll only have one). You can of course skip this step and just enter the IPs of the domain controllers while creating the service group…
Expand Traffic Management – Load Balancing – Service
Create a Load Balancing Service Group, give it a name and use SSL_TCP as Protocol
Bind your already defined DC servers or enter their IPs
Bind the LDAPS monitor you created
Hit Bind – OK and the load balancing service group should be pointing up…
Finally create a Load balancing virtual server and use protocol SSL_TCP
Note! Assign an internal IP if you are not planning to hide the LB vServer behind a Content Switch vserver.
In this case, as you see below, I’m using a non-directly-addressable vServer because I’ll be hiding this behind a Content Switch using SSL_TCP as the protocol.
Now bind your certificate to the Load balancing virtual server and you are done 🙂
Do not forget to have your certificates on the domain controllers as well, otherwise the service will show a DOWN status…
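For reference, the same setup as NetScaler CLI commands. This is an added example, not from the original post; all IPs, names, DNs and the password are placeholders, and the parameter names are as I recall them from the NetScaler CLI reference, so check them against your firmware version before running them.

```text
# 1. LDAPS monitor: type LDAP, nsldap.pl script, Secure=YES so the bind and query run over TLS.
#    Because this is a Perl (user) monitor it is sourced from the NSIP, not a SNIP, so the DCs
#    and any firewall in between must allow 636/tcp from the NSIP.
#    -filter "cn=Builtin" is the value the post says NetScaler 12 requires.
add lb monitor mon_ldaps LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -baseDN "dc=company,dc=com" -bindDN "svc_ldapmon@company.com" -password "REPLACE_ME" -filter "cn=Builtin" -secure YES

# 2. Service group on SSL_TCP so the NetScaler-to-DC leg is also TLS (LDAPS port 636).
add serviceGroup sg_ldaps SSL_TCP
bind serviceGroup sg_ldaps 10.0.0.11 636
bind serviceGroup sg_ldaps 10.0.0.12 636
bind serviceGroup sg_ldaps -monitorName mon_ldaps

# 3. Non-addressable vserver (0.0.0.0:0), as in the post, because it sits behind a Content Switch.
#    Give it a real internal IP and port 636 instead if clients will connect to it directly.
add lb vserver vs_ldaps SSL_TCP 0.0.0.0 0
bind lb vserver vs_ldaps sg_ldaps

# 4. Bind the server certificate to the vserver. The DCs must also have a valid certificate,
#    otherwise the secure monitor cannot complete the TLS handshake and the members show DOWN.
bind ssl vserver vs_ldaps -certkeyName ldaps_certkey

# Verify: every member should report UP via mon_ldaps before clients are pointed at the VIP.
show serviceGroup sg_ldaps
show lb vserver vs_ldaps
```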
A question for you Peter: can the server certificate that I’ll use for my Load Balancer be signed by a different authority than the certificates installed on my domain controllers?
Hi mate,
That should work.