NetScaler for SAP Deployment Guide
A One-Arm, High Availability Deployment with Load Balancing, SSL Offload, and Rewrite Configurations
Introduction
The Citrix NetScaler application delivery controller optimizes the delivery of Web applications — increasing security and improving performance and Web server capacity. This approach ensures the best total cost of ownership, security, availability, and performance for Web applications. NetScaler’s array of features offers a comprehensive network system that combines high-speed load balancing and content switching with industry-leading application acceleration, layer 4-7 traffic management, data compression, dynamic content caching, SSL acceleration, network optimization, and robust application security into a single, tightly integrated solution. Deployed in front of application servers, the system significantly reduces processing overhead on application and database servers, reducing hardware and bandwidth costs.
The SAP Enterprise Service Oriented Architecture (SOA) provides a blueprint for services-based, enterprise scale business solutions that are adaptable, flexible, and open. Enterprise Services Architecture takes the concept of service-oriented architecture to a new level by transforming Web services into enterprise services. The SAP NetWeaver© platform provides you with the ability to implement Enterprise Services Architecture tailored to your specific needs at your own pace. SAP is evolving all its solutions to be compliant with the Enterprise Services Architecture blueprint.
Building new, customized solutions that support innovation is expensive and time-consuming because leveraging the functionality of your existing packaged applications is extremely difficult. Bringing Citrix and SAP Enterprise Services Architecture together reduces the dependence on customized applications, and increases flexibility and reduces time to deployment while reducing operational expenses.
This guide walks through the details of how to configure the Citrix NetScaler for use as a front-end to the SAP Composite Application Framework and SAP ERP Web Services platforms, providing High Availability, a flexible load balancer and HTTPS encryption point for machine-to-machine web service traffic, capabilities our competitors still cannot live up to. With this deployment Citrix becomes an integral and flexible part of the SAP Enterprise SOA “applistructure” bringing together applications and technology for a fast, flexible and highly effective service oriented IT infrastructure.
What’s new
The NetScaler 10.1 release provides enhancements of a wide variety of features, and changes to some existing features and commands.
New Graphic User Interface
The NetScaler 10.1 GUI departs from file-and-folder-expansion based operations to logically categorized panes plus buttons and tabs in a clearer, more intuitive layout for smooth navigation.
The sleek new look and functionality offers more intuitive commands and fewer steps across the board when making configurations. That means faster deployments and easier changes as service demands change and technology evolves.
Configuration Utility Navigation
Features in the NetScaler configuration utility navigation tree have been reorganized to provide greater logical consistency and ease of navigation.
The feature nodes are grouped under the following top-level nodes:
- System—System and infrastructure features
- AppExpert—Grouping of all Application, Policies, templates and Layer 7 features
- Traffic Management—Core traffic management features such as load balancing, GSLB, content switching, SSL, and SSL offload
- Security—Security oriented features and functionalities
Product Versions
NetScaler 10.1, NetScaler 10.5, NetScaler 10, NetScaler 9.3, NetScaler 9.2
http://support.citrix.com/proddocs/topic/infocenter/ic-how-to-use.html
NetScaler Configuration
Deployment Model: One-Arm, Load Balancing, SSL Offload, Re-write…Caching, Compression
The NetScalers in this example are deployed as a high availability pair. In high availability deployments, all configuration changes must be applied to the primary NetScaler. Configuration changes made on the secondary NetScaler will not persist or replicate to the primary. In the event the primary NetScaler fails, the secondary assumes the role of primary NetScaler.
Once the initial NetScaler IP Address (NSIP) has been configured, connect to both the primary and secondary NetScalers via an HTTP or HTTPS Web browser connection. In this example:
Note: Java will install.
Enter the default login:
Username: nsroot
Password: nsroot
Licensing
When using the NetScaler system for the first time, load the license key and then enable features. Licenses are tied to the NetScaler hostname, so the hostname in the license file must match the appliance's hostname. For the license to be found, the license file must be in the correct location. With NetScaler release 10.1, all license files must be in the /nsconfig/license directory to be recognized. Also, check the hosts files in /nsconfig and in /etc and make sure both include lines for localhost and for the NetScaler hostname as defined in the configuration and /nsconfig/rc.conf. In order to view NetScaler licenses:
- Click the Configuration tab, expand System, click Licenses, click the Action pull-down, choose Manage Licenses, and then check the license box. Or, click Update Licenses to Browse for new licenses. There’s also a link to request new Citrix NetScaler Licenses.
Enabling Basic Features
Enable features before configuring them. Configuration policies for offloading, compression, and caching will not be applied if the feature is not first enabled. From the Configuration menu:
- Expand the System tab, click Settings, click Configure Basic Features, and check the following: SSL Offloading, HTTP Compression, Load Balancing, Integrated Caching, and Rewrite. Then click OK. (Note: an icon next to a feature indicates that it is NOT enabled.)
Configuring Modes
The Use Subnet IP mode is necessary. Client Keep-Alive and TCP Buffering improve TCP performance. To enable these modes, from the Configuration menu:
- Expand the System tab, click Settings, click Configure modes, check Use Subnet IP, Client Keep-Alive, and TCP Buffering, and then click OK.
High Availability: Deployment of Paired NetScalers
In a high availability pair of NetScaler appliances, NetScalers are deployed in an active/passive configuration, with a primary NetScaler actively accepting connections and managing servers, while the secondary monitors the first. If the second NetScaler detects that the primary NetScaler is down, it assumes primary function via gratuitous ARP (GARP). All configuration changes must be made on the primary NetScaler. Changes made on the secondary NetScaler do NOT replicate to the primary.
Important Considerations for NetScaler High Availability Deployment
- The passwords for both NetScalers' ‘nsroot’ accounts must To change these, do so manually on each NetScaler, as they are not synchronized.
- Both NetScaler high availability peers must be running the same version of
- Set the configuration files in ‘ns.conf’ to match on both NetScalers by doing the following:
- Configure the primary and secondary NetScalers with their own unique NSIPs.
- Make sure the ‘node ids’ and ‘IP addresses’ point toward each other.
- Configure Remote Procedure Call (RPC) node passwords on both NetScalers. Initially, all NetScalers are configured with the same RPC node password. To enhance security, change these default RPC node passwords by completing the following steps:
- On the primary NetScaler, expand System, expand User Administration, click on nsroot (User Name), click Action pull-down menu, and select Change Password.
- While connected to the primary NetScaler, add the secondary node:
- Expand the System tab, click High Availability, click Add and enter the Node ID and IP address for the secondary HA peer. In this example: ‘2’, and 169.145.91.206.
- Connect to the secondary NetScaler and configure it as the secondary device:
- Expand the System tab, click High Availability, click Open, and choose Stay Secondary.
- Using the same steps, enter the Node ID and IP address for the primary HA peer. In this example: ‘1’ and 145.91.205.
- Disable HA monitoring on unused network interfaces (note this must be done on both primary and secondary NetScalers). In this configuration, interface 1/1 is the management interface, and interface 1/4 is the traffic interface. It is important to turn off HA Monitoring on unused interfaces, otherwise HA Node Synchronization will not be successful.
- Expand System, expand Network, click Interfaces, double-click the interface number(s), and check OFF next to HA Monitoring.
Add SNIP Addresses
IP addresses that are added after HA Synchronization is complete are replicated on both primary and secondary NetScalers. Note that VIP addresses are created later during Load Balancing and SSL Offloading configuration, and not at this time. On the primary NetScaler:
- Expand System, expand Network, click IPs, click the IPV4s tab, and click Add to create SNIPs.
- In the IP Address field, enter SNIP 2.0.55, and in the Netmask field enter 255.255.255.0 and then click Create.
- To create the second SNIP, again click Add and enter IP 2.1.55, enter same Netmask 255.255.255.0 and click Create to see the second screen below.
- To view SNIPs: Expand System, expand Network, and click IPs.
Important Concepts regarding IP Addresses, Interfaces, and VLANs
Assigning IP addresses to interfaces is done virtually through the use of port-based VLANs. By default, all the interfaces on the system are in a single port-based VLAN as untagged interfaces. This VLAN is the default VLAN with a VID equal to 1.
When an interface is added to a new VLAN as an untagged member, the interface is automatically removed from the default VLAN and placed in the new VLAN. This becomes a convenient feature, in that when the NetScaler is plugged into a switch that is using VLANs with tagging, it’s just a matter of checking the box to turn on tagging. VLANs are typically used to separate subnet traffic. Also, if Trunking is turned on, an interface will be shown as a member of more than one VLAN.
Important NetScaler IP Addresses
| Acronym | Description | Usage |
| NSIP | NetScaler IP Address | The NetScaler IP (NSIP) is the management IP address for the appliance, and is used for all management related access to the appliance. There can only be one NSIP. |
| SNIP | Subnet IP Address | The Subnet IP address (SNIP) opens access to a NetScaler from an external host that is residing on another subnet. When a subnet IP address is added, a corresponding route entry is made in the route table. Only one such entry is made per subnet. The route entry corresponds to the first IP address added in the subnet. In addition, the NetScaler uses the SNIP as the source IP Address for outgoing packets when the “USNIP” mode is enabled. USNIP is enabled by default. (With USNIP enabled, there is no need to configure a MIP, which saves the additional IP address for other uses.) This can also be used as the Tagged VLAN IP. |
| MIP | Mapped IP Address | The mapped IP address (MIP) represents the client when the NetScaler is communicating with the backend managed server. Mapped IP addresses (MIP) are used for server-side connections and Reverse NAT. Think of this as the client’s source address on the server-side of the NetScaler, assuming a two-arm proxy deployment. Think of it as the Tagged VLAN IP. When using the USNIP mode above, MIP’s are unnecessary. |
| VIP | Virtual IP Address | The Virtual Server IP address (VIP) represents the public facing IP address of the managed services. ARP and ICMP attributes on this IP address allow users to host the same vserver on multiple NetScalers residing on the same broadcast domain. |
| DFG | Default Gateway | IP Address of the router that forwards traffic outside of the subnet where the appliance is installed. |
Note: If both USIP mode and USNIP mode are enabled, USIP mode takes precedence over USNIP mode.
Creating VLANs
A NetScaler appliance supports Layer 2 port and IEEE 802.1q tagged VLANs. VLANs restrict traffic to a group of hosts. Configure a network interface as a part of multiple VLANs by using IEEE 802.1q tagging. From Configuration:
- Expand System, expand Network, click VLANs, and then click Add to perform the following Interface Bindings
- In the VLAN ID field, enter VLAN 4, and, under the Interface Bindings tab, check the box to bind it to interface 1/4. Then click Create. Do the same for the following:
- Create VLAN 200 and assign it SNIP 10.0.2.55 and bind it to interface 1/4 with VLAN tagging enabled.
- Create VLAN 201 and assign it SNIP 10.2.1.55 and bind it to interface 1/4 with VLAN tagging enabled.
Configuration
The following is the Network configuration that was used to develop this deployment guide.
| VLAN Legend | Primary NetScaler | Primary/Secondary NetScaler (shared) | Secondary NetScaler |
| VLAN 1 (Mgmt): Interface 0/1, Untagged | NSIP: 169.145.91.205 / 24 | SNIP: 169.145.91.207 / 24 | NSIP: 169.145.91.206 / 24 |
| VLAN 200: Interface 1/4, Tagged (802.1q trunk) | | SNIP: 10.2.0.55 / 24 | |
| VLAN 201: Interface 1/4, Tagged (802.1q trunk) | | SNIP: 10.2.1.55 / 24 | |
| VLAN 4: Interface 1/4, Untagged | | | |
| Shared VIP addresses | | VIP: 10.2.1.53 / 24; VIP: 10.2.0.53 / 24; VIP: 10.2.1.54 / 24 | |
Topology
Topology 1.0. Citrix/SAP Enterprise SOA Physical Network Diagram
Protocol/Port Requirements
Protocol Requirements for SAP and ERP
Table 1.0. Protocol Requirements for SAP
| Service | Port | Protocol | LB Method, Persistency & Client Timeout |
| SAP Portal | 20100:50000:50200 | HTTP | Persistence |
| SAP Portal | 20100:50001:50201 | HTTPS | Persistence |
| SAP Composite | 20000:50000:50200 | HTTP | Persistence |
| SAP Composite | 20000:50001:50201 | HTTPS | Persistence |
| SAP ERP | 20101:50000:50200 | HTTP | Persistence |
| SAP ERP | 20101:50001:50201 | HTTPS | Persistence |
Load Balancing Configuration
To configure Load Balancing, create the objects in logical formation from the backend servers to the forward facing internet IP Address in three steps: 1) Create Servers; 2) Create Service Groups; 3) Create Virtual Server (Load Balancing).
Step 1: Create Servers
Create server objects that point to the backend application and database servers. In this step, refer to these servers by Server Name, as opposed to IP Address, and then assign them availability monitors.
- In this example, backend servers consist of the SAP Portal, plus Composite and ERP Servers with the following IP addresses:
SAP Portal: 10.2.1.33
SAP Composite: 10.2.0.33
SAP ERP: 10.2.1.34
- To create them, expand Traffic Management, expand Load Balancing, click Servers, and then click Add.
- Enter server name, check IP Address and enter address, check Enable after entering values, and then click Create.
Step 2: Create Service Groups
Service Groups are containers for managing load balancing and SSL services to several instances of the same service (port number) on either the same or different servers (IP address).
In this example, the Service Group for the SAP Portal that will distribute the load across the two SAP backend services on ports 50000 & 50200 is added.
- Expand Traffic Management, expand Load Balancing, click Service Groups, and then click Add.
- Enter Service Group Name, under Protocol select HTTP, and check Enable Health Monitoring.
- Click the Members tab, and under Specify Member(s) check IP Based, enter the Port number (50000), and then click Add. Click OK, and then repeat for other port numbers.
- Establish availability monitors so that, if a service fails, NetScaler’s Load Balancing feature automatically sends traffic to other available servers/services.
- Click the Monitors tab, select an availability monitor, and then click Add.
- Compression is offloaded from the SAP servers for both HTTP and HTTPS. For optimal performance, enable TCP Buffering and Compression on the services.
- Select the Advanced tab and, under Settings, check TCP Buffering and Compression, and then click
- Create separate Service Groups for the SAP Composite Application Framework and ERP servers. Because the SAP Composite Application Framework and ERP servers are on separate physical servers, and because they are separate load balancing groups and services, they need separate Service Groups as well. On the primary NetScaler:
- Expand Traffic Management, expand Load Balancing, click Service Groups, and then click Add.
- Enter Service Group Name, under Protocol select either SSL or HTTP, and check Enable Health Monitoring.
- Establish availability monitors as described above.
- Click the Monitors tab, check Enable Health Monitoring, and then select an availability monitor.
- Also for this Service Group, enable TCP Buffering and Client Keep-Alive. On the primary NetScaler:
- Select the Advanced tab and, under Settings, check TCP Buffering and Client Keep-Alive, and then click
- After configuring all the services, view a summary of the Service Groups added:
- Expand Traffic Management, expand Load Balancing, and click Service Groups.
Step 3: Create Virtual Server (Load Balancing)
The Virtual Server or Virtual IP Address is the logical entity on the system that accepts client connections from the Internet and distributes them to the service groups/objects. The Vserver or VIP is the public facing Internet connection.
- In this example: The public facing IP Address for SAP Portal is 10.2.1.53, and the default port for SAP is 50000. Note: Most enterprise organizations will use port 80 on the public facing portal.
- To open the Create Virtual Server pane: expand Traffic Management, expand Load Balancing, click Virtual Servers, and click Add.
- Select the Service Groups tab, and check the SAPCompositeService as Active. This binds the public VIP to the services.
Load Balancing Methods & Persistence
NetScaler is capable of several load balancing methods. In order to direct traffic correctly to SAP 7.0+ servers, NetScaler must be configured to persist traffic based on the value in the SAP cookie ‘saplb_*’ issued from the SAP servers. This applies to the SAP Portal, Composite and ERP servers. By default, NetScaler uses the ‘Least Connections’ load balancing algorithm, until a value is issued to ‘saplb_*’.
- From the Create Virtual Server pane, click the Methods and Persistence tab, under Method select Token, and then, in the Rule field, configure a rule to extract the value from the ‘saplb_*’ cookie.
- SAP 7.0+: The rule for ‘saplb_*’ cookie persistence: HTTP.REQ.COOKIE.VALUE("saplb_*")
More information regarding the SAP Load Balancing Identifier and its contents can be found here: http://help.sap.com/saphelp_nw70/helpdata/EN/f2/d7914b8deb48f090c0343ef1d907f0/frameset.htm
Configure the other HTTP services the same as above. Also, add additional VIPs for SAPPortalSSL Application Framework. Configure the ERP VIPs for both HTTP and SSL. Finally, do the same for SAP and ERP VIPs.
- Click the Service Group tab, check the appropriate service group.
- Select the Methods and Persistence tab, and configure the LB Method Token rule to extract the value from the ‘saplb_*’ cookie.
- SAP 7.0+: The rule for ‘saplb_*’ cookie persistence: HTTP.REQ.COOKIE.VALUE("saplb_*")
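The token persistence described above, simulated in Python as an added example (this is not NetScaler or SAP code): the saplb_* cookie value pins a request to the instance that issued it, while requests with no cookie, or with a token that no backend issued, fall back to Least Connections rather than trusting the client-supplied value. The backend addresses follow this guide; the token values are constructed placeholders.

```python
import re
from collections import Counter

# Constructed backends for the SAP Portal service group in this guide
# (ports 50000 and 50200 on 10.2.1.33). The saplb_ token each instance
# issues is a constructed placeholder; real values come from the SAP server.
BACKENDS = {
    "10.2.1.33:50000": "(J2EE50000)",   # constructed token
    "10.2.1.33:50200": "(J2EE50200)",   # constructed token
}

# Python equivalent of the rule HTTP.REQ.COOKIE.VALUE("saplb_*"): the cookie
# is named saplb_<SID>, so match on the prefix and capture the value.
SAPLB_RE = re.compile(r"(?:^|;\s*)saplb_[^=;]*=([^;]*)")


def saplb_token(cookie_header):
    """Return the saplb_* cookie value, or None when the client sent none."""
    if not cookie_header:
        return None
    m = SAPLB_RE.search(cookie_header)
    return m.group(1) if m else None


class TokenLoadBalancer:
    """Token persistence with a Least Connections fallback."""

    def __init__(self, backends):
        self.by_token = {token: addr for addr, token in backends.items()}
        self.active = Counter({addr: 0 for addr in backends})

    def select(self, cookie_header):
        token = saplb_token(cookie_header)
        if token in self.by_token:
            # A token one of our backends issued pins the request to it.
            addr = self.by_token[token]
        else:
            # No cookie, or an unknown/forged token: use the LB method
            # (Least Connections, ties broken by address) instead.
            addr = min(self.active, key=lambda a: (self.active[a], a))
        self.active[addr] += 1
        return addr

    def release(self, addr):
        """Connection closed: decrement the backend's active count."""
        self.active[addr] -= 1


def demo():
    """Three requests: no cookie, a valid token, an unknown token."""
    lb = TokenLoadBalancer(BACKENDS)
    first = lb.select(None)
    second = lb.select("JSESSIONID=abc; saplb_SID=(J2EE50200)")
    third = lb.select("saplb_SID=(bogus)")
    return first, second, third
```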
SSL Offload Configuration
Importing the SAP Portal server certificate
Configure HTTPS on the front end of load-balanced connections as the first step toward establishing secure communications. If required, securing the communications on the back end from the NetScaler to the SAP servers is the second step, though that depends on security requirements. In other words, from the NetScaler SNIP to the back-end SAP servers, the communications can use either cleartext HTTP or secure HTTPS. The procedure to configure HTTP and HTTPS is the same except that HTTPS services have an SSL certificate bound to them.
For more information on setting SSL on SAP:
http://help.sap.com/saphelp_nw04s/helpdata/en/9a/53a2a4a45e244aa189c2b7065a0b78/content.htm
In this guide we chose to use HTTPS as a proof point, that HTTPS communication can be performed between the NetScaler and the back-end SAP servers using non-standard ports, e.g. 50001, 50201.
- For secure communications using HTTPS on the back end, export both the certificate and key from the SAP Portal into a PKCS#12 file.
- Upload this file to the NetScaler using a tool such as WINSCP, http://winscp.net. Then place the file in the /nsconfig/ssl directory on the NetScaler:
- Expand Traffic Management, and click SSL. In the SSL configuration pane under Tools, click on Import PKCS#12. (Enter the Import Password and PEM Passphrase if required.)
- Expand Traffic Management, and click SSL. In the SSL configuration pane under SSL Certificates, click Create Certificate.
Binding the SSL Certificate to Services and VIPs
Once the SSL certificate is installed on the NetScaler, bind it to the SSL services and VIPs created earlier. To do so, on the primary NetScaler:
- Expand Traffic Management, expand Load Balancing, click Service Groups, select a Service Group and click
- Then select SSL Settings tab, and, from Available Certificates, select the proper certificate and click Add.
- Follow the same procedure for SSL VIPs.
Rewrite Configuration
Rewrite for SAP Applications
The NetScaler Rewrite feature is a general-purpose HTTP(S) header and body modification utility. Use it to: Add HTTP(S) headers to an HTTP(S) request or response; Make modifications to individual HTTP(S) headers and to delete HTTP(S) headers. Use it also to control modifications to the HTTP(S) body in both requests and responses. The NetScaler Rewrite feature ensures nimble customization of all application delivery demands possible from SAP Enterprise and SOA architecture.
In this guide, the NetScaler Rewrite feature was used specifically for the rewriting of content body machine-to-machine, soap:xml requests, so that all requests could be served by the NetScaler; load-balanced and transported over secure communications using HTTPS with a non-standard port 50001 to the SAP Composite Application Framework and ERP Servers.
This is possible because the NetScaler can rewrite both headers and bodies of both requests and responses. In this case, header rewrites were not necessary because the load balancing function took care of this automatically. The next section shows how to use content body rewrites:
Rewrite for SAP Composite Application Framework
- To begin, configure the Rewrite actions for the two backend SAP Composite Application Framework
- Complete the first two Rewrite actions on the content body, for HTTP connections between the NetScaler and the SAP Composite server.
- Expand AppExpert, expand Rewrite, click Actions, and, in the Rewrite Actions pane, click Add.
- Replace any occurrence of the hostname “http://vsv20000:50000” or “http://vsv20000:50200” with the NetScaler VIP “http://sapcenv:50000” in the body of all responses that are sent through the NetScaler to clients.
- The next two Rewrite actions are for HTTPS connections between the NetScaler and the SAP Composite server.
- Expand AppExpert, expand Rewrite, click Actions, and, in the Rewrite Actions pane, click Add.
- Replace any occurrence of the hostname “http://vsv20000:50000” or “http://vsv20000:50200” with our NetScaler VIP of “https://sapcenv:50001” in the body of all responses that are sent through the NetScaler to clients.
- Then, configure the rewrite policies for the two backend SAP Composite Application Framework servers, to engage the rewrite actions just created.
- The first two rewrite policies are for HTTP connections between the NetScaler and the SAP Composite server. Give the policy a name, invoke the action, and give them an expression value of TRUE.
- Expand AppExpert, expand Rewrite, click Policies, and, in the Rewrite Policies pane, click Add.
- Follow the same procedure for all the Rewrite actions.
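The content-body rewrite described above, as an added Python example rather than the NetScaler's own implementation: it swaps both backend hostname:port variants for the VIP name that matches the front-end scheme, touches only text/XML response bodies, and recomputes Content-Length so the rewritten response stays well-formed. The sample SOAP response is constructed.

```python
import re

# Backend URLs and VIP URLs used by this guide's four rewrite actions.
BACKEND_RE = re.compile(r"http://vsv20000:(?:50000|50200)")
VIP_BY_FRONTEND = {
    "http": "http://sapcenv:50000",    # actions for HTTP connections
    "https": "https://sapcenv:50001",  # actions for HTTPS connections
}


def rewrite_body(body, frontend_scheme):
    """Replace every backend URL with the VIP URL for the front-end scheme."""
    return BACKEND_RE.sub(VIP_BY_FRONTEND[frontend_scheme], body)


def rewrite_response(headers, body, frontend_scheme):
    """Apply the body rewrite to one HTTP response.

    headers: dict of response headers; body: bytes. Only text/XML bodies are
    rewritten, and Content-Length is recomputed: a body rewrite that leaves
    the old length in place truncates the response or stalls the client.
    """
    ctype = headers.get("Content-Type", "")
    if not (ctype.startswith("text/") or "xml" in ctype):
        return headers, body
    new_body = rewrite_body(body.decode("utf-8"), frontend_scheme).encode("utf-8")
    new_headers = dict(headers)
    new_headers["Content-Length"] = str(len(new_body))
    return new_headers, new_body


# Constructed sample SOAP response, as a SAP Composite server might emit it.
SAMPLE_BODY = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<wsdl>http://vsv20000:50000/svc?wsdl</wsdl>'
    b'<alt>http://vsv20000:50200/svc?wsdl</alt>'
    b'</soap:Envelope>'
)
SAMPLE_HEADERS = {
    "Content-Type": "text/xml; charset=utf-8",
    "Content-Length": str(len(SAMPLE_BODY)),
}
```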
Bind the Policies to the Virtual Servers
- To bind policies to the virtual servers:
- Expand Traffic Management, expand Load Balancing, and click Virtual Servers.
- Click on the virtual server to be bound, and click Open. In the Configure Virtual Server pane, click on Policies tab, select the Rewrite (Request) pull-down, and select Response. Finally, click on Insert Policy near the very bottom, and bind policies as below.
- Follow the same procedures to bind the SSL Rewrite policies to the SSL VIPs.
Conclusion
With a combination of this deployment example plus the array of other deployment options possible, the Citrix NetScaler exceeds SAP’s external load balancer recommendations for Business Suite deployments while optimizing the delivery of service traffic to Business Suite servers. NetScaler’s High Availability deployment not only ensures availability, it also increases capacity, performance, security and manageability should any of those features fail on the primary NetScaler. These are just a few ways NetScaler’s specialized processes work to eliminate server infrastructure overhead and maximize SAP Business Suite value. To learn more about how NetScaler can bring these benefits to Business Suite installations, or any other application delivery requirement, please visit the following links:
http://www.citrix.com/products/netscaler-application-delivery-controller/overview.html
http://support.citrix.com/proddocs/topic/netscaler/ns-gen-netscaler-wrapper-con.html
http://support.citrix.com/proddocs/topic/netscaler-gateway/ng-edocs-con.html