Citrix Consulting helps you shorten the distance between great ideas and game-changing business outcomes. Our experts partner closely with customers to apply their decades of technical expertise and leading practices to design and implement Citrix solutions, improve adoption, and enhance security. This is the first post in a series in which Citrix consultants will share lessons from the field.

As many of our customers expand their remote work programs or extend into the cloud (or both!), there is an increasing need to securely scale HDX connections, no matter where user resources are located. Ensuring that you have the user workload capacity on-prem or in the cloud is only half the equation. In this blog post, I’m going to discuss how to scale your Citrix Gateway capabilities using either physical or virtual Citrix ADC appliances.

If you look at our Citrix ADC MPX device datasheet, you’ll see that our largest hardware appliances are rated at a maximum of 35,000 concurrent HDX proxy connections. Similarly, our virtual ADC VPX appliances are limited by the underlying hypervisor or cloud platform and have a maximum limit of 9,000 concurrent HDX connections to a single appliance.

So what happens when you need more concurrent HDX proxy users than a single high-availability ADC pair can handle?

That’s where multi-tier ADC architecture comes into play.

Diagram 1 – An example of multi-tier ADC architecture

Multi-tier ADC architectures enable us to expand the number of supported HDX proxy users in a single data center while still using a single access URL. If done correctly, the user experience is no different from what you get using a single HA ADC pair!

You might be asking, what about Clustering? Clustering is another great method of scaling out Citrix ADC services (just ask some of our largest customers)! In this article I’ll be focusing on multi-tier ADC as an alternative to clustering for those customers whose needs are scoped solely to HDX proxy communication.

How It Works

The idea behind the Citrix ADC multi-tier architecture is to use a set of Tier 1 Citrix ADCs configured in an active-passive high-availability (HA) pair using SSL bridge load balancing to intelligently send HDX connections to a set of Tier 2 ADC appliances running Citrix Gateway vServers.

In this deployment architecture, all user authentication and SSL connection termination are completed at Tier 2. The Tier 1 ADC appliances are solely used to intelligently load balance the overall client connection load amongst the Tier 2 devices. This way, Tier 1 ADCs are not responsible for SSL encryption/decryption but rather offload those connections to Tier 2.

Diagram 2 – Tier services

High Availability

Citrix Consulting always recommends that customers deploy Citrix ADCs in HA pairs to ensure availability of critical user resources. With multi-tier architecture, this rule applies to Tier 1 ADCs, which are in the critical data flow path. A failure of one of these devices without HA would be a denial of service for any remote HDX users.

In contrast, at Tier 2 we have multiple options to provide HA. The first option is to use active standalone ADCs in an N+1 configuration to provide availability of HDX resources (see Diagrams 1 and 2). In this configuration, if a Tier 2 ADC fails, the affected users will need to re-authenticate and relaunch their (still running) resources. However, by using N+1 or higher, we ensure there is enough ADC capacity to absorb the failure of at least one Tier 2 device.

The other option is to use Tier 2 ADCs in HA pairs. This configuration requires additional ADC appliances but ensures that a failure of a single device will not disrupt user connections if Session Reliability is configured.

Diagram 3 – Tier 2 using HA pairs

Both of these architectures can provide high availability of resources. When deciding between them, consider the business requirements and cost of each.

Key Configurations

If you’re looking to set up your own ADC multi-tier architecture, here are the key configurations to include:

  • Utilize SSL_BRIDGE as the load balancing protocol and Least Connection as the load balancing method at Tier 1 under most circumstances.
  • Use SSLSESSION as the primary persistence method at Tier 1 with SOURCEIP as the backup. While COOKIEINSERT is normally our recommended method of persistence, since we are not terminating SSL traffic at Tier 1, we have no ability to insert data into the communication stream. By using SSLSESSION with SOURCEIP as backup, we also account for the fact that SSL session IDs can change during the lifetime of the SSL connection.
  • Enable USIP Mode on Tier 1 to send the client IP address to Tier 2 ADC devices. This allows for logging and processing of client IPs at Tier 2.
  • Set the Default Route of Tier 2 ADCs to the SNIP of the Tier 1 ADCs. This avoids asymmetric routing back from Tier 2 to clients.
  • Enable Layer 3 Mode on Tier 1 to ensure that packets from Tier 2 are routed back to client devices.
  • Configure the communication SNIP on Tier 1 to be in the same Layer 2 network as the Gateway vServer IPs on Tier 2. This ensures that communication between the ADC Tiers does not have to be routed.
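The six settings above, expressed as Citrix ADC (NetScaler) CLI commands. This is an added example, not configuration taken from the original post or from Citrix; every name and address in it is constructed (203.0.113.10 as the public VIP, 10.0.1.0/24 as the inter-tier Layer 2 network, three Tier 2 Gateways at 10.0.1.11-13, placeholder certificate names), and the persistence timeouts are placeholders to be replaced with values that cover your longest ICA sessions.

```text
# --- Tier 1 (HA pair; run on the primary, configuration syncs to the secondary) ---

# Communication SNIP on the same Layer 2 segment as the Tier 2 Gateway vServer IPs,
# so traffic between the tiers is switched rather than routed. (constructed address)
add ns ip 10.0.1.1 255.255.255.0 -type SNIP

# L3 mode so packets returning from Tier 2 are forwarded back to the clients;
# USIP so Tier 2 sees the real client source address for logging and policy.
enable ns mode L3 USIP

# One SSL_BRIDGE service per Tier 2 Gateway vServer IP (constructed addresses).
# -usip YES at the service level keeps client-IP preservation explicit per service.
add server gw-t2-01 10.0.1.11
add server gw-t2-02 10.0.1.12
add server gw-t2-03 10.0.1.13
add service svc_gw-t2-01 gw-t2-01 SSL_BRIDGE 443 -usip YES
add service svc_gw-t2-02 gw-t2-02 SSL_BRIDGE 443 -usip YES
add service svc_gw-t2-03 gw-t2-03 SSL_BRIDGE 443 -usip YES

# Front-end vServer: SSL_BRIDGE (no termination, so no certificate is bound here),
# least-connection distribution, SSLSESSION persistence with SOURCEIP as backup.
# -timeout and -backupPersistenceTimeout are in minutes; 180 is a placeholder
# that must be at least as long as the longest ICA session you expect.
add lb vserver lb_hdx_gw SSL_BRIDGE 203.0.113.10 443 -lbMethod LEASTCONNECTION -persistenceType SSLSESSION -persistenceBackup SOURCEIP -timeout 180 -backupPersistenceTimeout 180
bind lb vserver lb_hdx_gw svc_gw-t2-01
bind lb vserver lb_hdx_gw svc_gw-t2-02
bind lb vserver lb_hdx_gw svc_gw-t2-03

# --- Tier 2 (repeat on each standalone Gateway ADC, adjusting the vServer IP) ---

# Default route via the Tier 1 SNIP so return traffic follows the same path
# the client request took (no asymmetric routing).
add route 0.0.0.0 0.0.0.0 10.0.1.1

# The Gateway vServer terminates SSL here, so this is where the certificate lives.
# CERT_PLACEHOLDER stands for the certkey you have already installed.
add vpn vserver vpn_gw-t2-01 SSL 10.0.1.11 443 -icaOnly ON
bind ssl vserver vpn_gw-t2-01 -certkeyName CERT_PLACEHOLDER

# --- Verification from Tier 1 ---
# Every Tier 2 service should report UP, and once users connect the persistence
# table should show SSLSESSION entries (SOURCEIP entries indicate the backup kicked in).
show lb vserver lb_hdx_gw
show persistentSessions lb_hdx_gw
```

Because nothing at Tier 1 decrypts the stream, the only data it can key persistence on is what is visible in the TLS handshake (the session ID) or the IP header (the source address); that is why the SOURCEIP backup matters for clients that renegotiate or resume with a new session ID mid-connection.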

Considerations

Now that you understand how multi-tier ADC architecture works, here are some additional considerations and lessons learned from our field teams:

  • Citrix Virtual Apps users who launch several seamless applications may have multiple HDX connections. Ensure you are appropriately accounting for these connections when sizing ADC resources.
  • Certificates are only required on Tier 2 Gateway services as there is no SSL termination at Tier 1.
  • Remember to set your persistency timeout appropriately for your user ICA sessions or they will be disconnected!
  • Unified Gateway is also compatible with this architecture and would reside at Tier 2.
  • There are still potential limitations on Tier 1 ADC bandwidth and CPU that you should consider when attempting to scale this architecture to 10s and 100s of thousands of users.
  • Removing and adding Tier 2 ADCs is a straightforward process through modification of the SSL Bridge load balancing vServer in Tier 1.
  • While we recommend consistency as much as possible, when using N+1 multi-tier architecture the ADC firmware versions of Tier 2 appliances are not required to match.
  • Global Server Load Balancing (GSLB) can be used to extend this architecture across other resources locations. The primary GSLB address would point to the Tier 1 ADC load balancing vServers in each datacenter with Tier 1 also hosting the ADNS service.
  • In this architecture, your Gateway Callback URL in StoreFront needs to point to the individual Tier 2 Gateway that performed authentication. This is easily accomplished by providing the vServer IP address of each Gateway when defining it inside StoreFront and using a separate Callback URL for each Gateway. These are the same Callback configurations required when doing GSLB, discussed here.
  • As of the publication date of this post, our field team recommends the latest ADC 12.1 or 13.0 firmware release. For businesses that are more risk averse, you can use releases that are marked as Maintenance Phase.
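Two of the considerations above, adding or removing a Tier 2 ADC and keeping the persistence timeout ahead of ICA session length, as Citrix ADC CLI commands run on the Tier 1 primary. This is an added example rather than configuration from the original post; it assumes a Tier 1 SSL_BRIDGE vServer named lb_hdx_gw with services svc_gw-t2-01 through svc_gw-t2-03 already bound, and all addresses, names and timer values are constructed placeholders.

```text
# --- Add a fourth Tier 2 Gateway (constructed address 10.0.1.14) ---
# Create the SSL_BRIDGE service and bind it to the existing vServer; it begins
# receiving new connections as soon as the default TCP monitor marks it UP.
add server gw-t2-04 10.0.1.14
add service svc_gw-t2-04 gw-t2-04 SSL_BRIDGE 443 -usip YES
bind lb vserver lb_hdx_gw svc_gw-t2-04

# --- Remove a Tier 2 Gateway for maintenance without cutting live HDX sessions ---
# Graceful disable stops new connections to the service but keeps existing ones
# until they close or the delay (seconds, placeholder value) expires. Check the
# service state before unbinding so you do not drop sessions that are still draining.
disable service svc_gw-t2-03 -delay 1800 -graceFul YES
show service svc_gw-t2-03
unbind lb vserver lb_hdx_gw svc_gw-t2-03
rm service svc_gw-t2-03
rm server gw-t2-03

# --- Persistence timeout ---
# If the persistence entry expires before the ICA session ends, the next packet can
# be sent to a different Tier 2 Gateway, which has no knowledge of that session, and
# the user is disconnected. Raise both the primary and backup timeouts (minutes) so
# they outlast your longest expected session; 480 is a placeholder.
set lb vserver lb_hdx_gw -timeout 480 -backupPersistenceTimeout 480
show lb vserver lb_hdx_gw
```

Because Tier 2 appliances in an N+1 design are independent, removing one in this way is the same operation whether it is being replaced, upgraded to a different firmware release, or retired.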

Multi-tier ADC architecture is a design that our Consulting teams have successfully used for years to scale Citrix ADC deployments beyond single appliances. If you need to quickly deploy scalable and flexible remote access to your HDX resources, consider ADC multi-tier and contact our experienced Professional Services group to assist in designing and building a solution to meet your needs.