As many other lab rats out there, I know I am not alone in regards to one of the potential biggest constraints when dealing with your home lab: the single external IP address.
Having only one external IP address does complicate things when a particular service you need to run only works over a single port and worse than that, an extremely common one: 443.
When writing the ‘DaaS – the Complete Guide’ book, I had to deploy several things that require SSL and only work over 443. Some good examples are the Microsoft ADFS and Nutanix Xi Frame Secure Gateway Appliance (SGA). Knowing that both are relatively common services, I knew there had to be a way to get both these behind the same IP address sharing the same port, behind a Citrix ADC Content Switch (CS).
I had done it before with the Microsoft RD Gateway so I was sure we could pull this off. Looking for information on the internet, I did find many guides for ADFS (and they work) but none for the Frame SGA. That is when Rody Kossen came to the rescue and explained to me what he had done on his own lab and the details around it.
Even though what he tested does work, it has a bit of a limitation: for each VM your ‘users’ would hit in the lab, a separate Load Balancing Virtual Server (LB VS) would be required. And for each of these, a new CS policy would be required. This is fine if you have indeed a tiny test environment with a handful of VMs. But if you are willing to go a bit bigger (i.e. to load test the Nutanix AHV/Frame environment) that becomes an issue. That said, one of the benefits of this approach is the fact the Frame SGA is not required at all. Put the CS in front, create the policy/LB VS for the VM part of the AHV/Frame solution and you are done. Again, no SGA needed.
But in my case, as this is for the book, the SGA was needed. The reason is simple: as in the book we are mimicking as close as possible a real production Nutanix AHV/Frame environment, in this case the SGA would be there for sure. So, without further ado, this is what I have done, modifying the concept/idea from Rody to get it working with the SGA:
- I created two non-addressable LB VS, one for ADFS, one for the SGA. Behind the ADFS one I have my ADFS server and behind the SGA one I have my SGA appliance. The certificates used for each of these are bound to the LB VSs.
- One key detail is to create a new HTTP profile (you can copy the default one) and make sure websockets are enabled on that. This profile you will have to bind to both the SGA LB VS and the actual CS.
- Then you need your CS policies (two for the ADFS, one for the SGA). These look like this:
The policy for the SGA as you can see is quite simple: HTTP.REQ.HOSTNAME.STARTSWITH(“192-168-“). Why is that? Reason is Frame will use an FQDN like X-X-X-X.company.com to reach the VMs, where X-X-X-X is the IP address of each individual VM running under AHV. In my case, I use 192.168.X.X for these so this policy works perfectly.
- Then you need your CS VS and here this is what I have:
With the three CS policies bound and simply with a target LB VS server set for each:
- The same certificates are bound to the CS VS but with SNI enabled.
- Finally one thing that has to be done on the ADFS LB VS is two rewrite policies/actions:
And as explained, these policies must be bound to the ADFS LB VS:
That is all! With this, you will be able to share that single IP address with both ADFS and Frame SGA, no matter how many VMs you are hosting on AHV for your Frame workloads.
And as this is a CS VS, you can indeed get RD Gateway, the Citrix ADC gateway, all behind that single IP. Parallels RAS unfortunately does not work due to the initial handshake but you can indeed change it to use any port (i.e. 444) so at the end you can have all these solutions behind this one single IP address.
Again thanks to Rody for taking the time to reach out and assisting.
Cheers.
CR