It is always beneficial to use LDAPS (LDAP over SSL/TLS) instead of plaintext LDAP when authenticating users through your access gateways: with plain LDAP the bind credentials cross the network in the clear.

NetScaler 11 finally provides the ability to create a secure monitor for LDAPS services. The LDAPS monitor is used to verify that the load-balanced domain controllers are working correctly: it logs in as a domain account (use a dedicated service account, make sure its password never expires and that it is at least a member of the Domain Users group), performs an LDAP query and looks for a positive response. Because this type of monitor is a Perl script executed on the appliance, it uses the NSIP (not a SNIP) as its source IP.

The NetScaler is also used as an SSL offloading device, therefore we will choose SSL_TCP as the protocol for our LDAPS load balancing vserver (this of course requires a valid certificate on the backend domain controllers).

So, how do we create the LDAPS monitor?

1. Log on to your NetScaler, navigate to Traffic Management – Load Balancing – Monitors and click Create a monitor.
Give it a name and use Type: LDAP

monitor_create

Scroll down a little and check the Secure box as shown below…

secure_ldap

Click on the Special Parameters tab and:

  • From the Script Name drop-down list, select the nsldap.pl script
  • In the Base DN field, enter your domain name in LDAP format (e.g. dc=company,dc=com)
  • In the Bind DN field, enter the User Principal Name of the service account (e.g. serviceaccountname@domain.com)
  • Finally, in the Password field, enter the password for the service account and click Create

ldaps_special_param

Note! On NetScaler 12 you must enter cn=Builtin in the Filter field. If you prefer, the Bind DN can also be given as a distinguished name, which could look something like this: cn=Ldap-SA,cn=Service-Accounts,dc=envokeit,dc=com
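Before binding the monitor it is worth checking the service account, Base DN and DC certificate from a workstation. The following stdlib-only Python probe is an added example, not the NetScaler's nsldap.pl, that performs the same steps: a TLS connection with certificate verification, a simple bind, and a one-level search for cn=Builtin under the Base DN, expecting at least one entry and a success result (stricter than checking the result code alone). Host name, account, password, Base DN and CA file are placeholders you supply; the bind name may be a UPN or a full DN, exactly as in the monitor's Bind DN field.

```python
import socket
import ssl

def ber(tag, payload):  # BER TLV; short-form or minimal long-form length, payloads under 64 KiB
    n = len(payload)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload

def bind_request(msg_id, bind_dn, password):  # BindRequest [APPLICATION 0]: LDAPv3, simple auth
    body = ber(0x02, b"\x03") + ber(0x04, bind_dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, body))

def search_request(msg_id, base_dn, attr, value):  # SearchRequest [APPLICATION 3]
    flt = ber(0xA3, ber(0x04, attr.encode()) + ber(0x04, value.encode()))  # equalityMatch (attr=value)
    body = (ber(0x04, base_dn.encode()) + ber(0x0A, b"\x01") + ber(0x0A, b"\x00")  # base, singleLevel, never deref
            + ber(0x02, b"\x00") * 2 + ber(0x01, b"\x00") + flt + ber(0x30, b""))  # no limits, typesOnly=false, no attrs
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x63, body))

def tlv(buf, pos=0):  # decode the TLV at pos -> (tag, value, position after it)
    first = buf[pos + 1]
    k = 0 if first < 128 else first & 0x7F
    n = first if k == 0 else int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
    return buf[pos], buf[pos + 2 + k:pos + 2 + k + n], pos + 2 + k + n

def result_code(msg):  # -> (protocolOp tag, resultCode); a searchResEntry (0x64) carries none
    _, inner, _ = tlv(msg)
    _, _, p = tlv(inner)  # skip messageID
    op, body, _ = tlv(inner, p)
    return (op, None) if op == 0x64 else (op, tlv(body)[1][0])

def read_message(f):  # read exactly one BER-framed LDAPMessage from a buffered socket file
    head = f.read(2)
    extra = f.read(head[1] & 0x7F) if head[1] >= 128 else b""
    return head + extra + f.read(int.from_bytes(extra, "big") if extra else head[1])

def probe(host, bind_dn, password, base_dn, cafile=None):
    # Same steps as the monitor: verified TLS, simple bind, one-level search for cn=Builtin, expect entry + success
    ctx = ssl.create_default_context(cafile=cafile)  # cafile=None falls back to the system trust store
    with socket.create_connection((host, 636), timeout=5) as raw, \
         ctx.wrap_socket(raw, server_hostname=host) as s, s.makefile("rb") as f:  # handshake fails on a bad DC cert
        s.sendall(bind_request(1, bind_dn, password))
        if result_code(read_message(f)) != (0x61, 0):  # bindResponse with resultCode success(0)
            return False
        s.sendall(search_request(2, base_dn, "cn", "Builtin"))
        found = False
        while True:
            op, code = result_code(read_message(f))
            found = found or op == 0x64
            if op == 0x65:  # searchResDone ends the search
                return found and code == 0
```

Call probe("dc01.example.com", "svc-ldapmon@example.com", password, "dc=example,dc=com", cafile="enterprise-ca.pem") from a host that can reach TCP 636 on the DC; a False return or an ssl.SSLCertVerificationError tells you which step the monitor would fail on.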

Now it is time to create the load balancing service group and the load balancing virtual server.
Start by defining the domain controller servers you would like to load balance (in my case I'll only have one). You can of course skip this step and just enter the IPs of the domain controllers while creating the service group…

dc_server_ip

Expand Traffic Management – Load Balancing – Service
Create a Load Balancing Service Group, give it a name and use SSL_TCP as the Protocol

ldap_lbvs_ssl

Bind the DC servers you already defined, or enter their IPs

dc_binding

Bind the LDAPS monitor you created

ldaps_monitor_binding

Hit Bind – OK and the load balancing service group should show as UP…

ldaps_sf_up

Finally, create a load balancing virtual server and use protocol SSL_TCP.
Note! Assign an internal IP if you are not planning to hide the LB vServer behind a Content Switching vserver.
In this case, as you can see below, I'm using a non-addressable vServer because I'll be hiding it behind a Content Switch that uses SSL_TCP as the protocol.

dc_lbvs_ssl

Now bind your certificate to the load balancing virtual server and you are done 🙂
Do not forget that the domain controllers need certificates as well (the monitor and the service group connect to them over TLS), otherwise the service will show a DOWN status…