I have 9 services running on IBM WebSphere. Three of these services are using Layer 7 (HTTPS), while the other seven use Layer 4. Currently, all services are behind a Citrix load balancer, but we plan to replace it with a pair of A10 ADCs.
All services are on the same VLAN. We will create a virtual Ethernet (VE) interface on the A10 ADCs and tag it with the same VLAN as the services.
A10 ADC has excellent feature parity with the Citrix NetScaler, but the terminology differs a bit. The vast majority of these configurations are handled via SLB Templates which are bound to Virtual Ports.
What is the SSL, SSL_BRIDGE, and TCP option on the A10 device?
SSL: A10 uses Client-SSL templates (connection between client and A10) and Server-SSL templates (connection between A10 and Real Server).
SSL_Bridge: This is equivalent to a Layer 4 Virtual Port on A10. Configure the Virtual Port as type TCP to pass all SSL traffic through the A10 to backend server.
TCP option: For the TCP Virtual Port, configure and bind a TCP Template with the desired TCP options.
How to handle the connection reuse, the close notify, client timeout, server timeout, persistence with SSLSESSION, cookieName JSESSIONID?
Connection Reuse: Configure and bind Connection Reuse template to the virtual port. SNAT is required to support this configuration.
Close Notify: Enable this within the client-ssl template and bind to the virtual port.
Client Timeout: Configure in TCP Template and bind to virtual port.
Server Timeout: Need more detail here. What condition are we timing out? After the timeout, do we reset the client connection?
Persistence: Configure and bind SSL-SID or Source-IP Persistence template to virtual port.
What will “-cip ENABLED client-ip -usip NO -userproxyport YES” be on the A10 configuration?
I’m not familiar with all of these flags, but they appear to be related to Source NAT configuration for the connection. By default, A10 will preserve the original Client IP for the connection. Return traffic from the back end server must route through the A10 unless DSR is configured.
Source NAT is configured per Virtual Port and can be “auto” (uses A10 interface IP) or a SNAT Pool. When using SNAT, the original client IP may be inserted as a header in L7 protocols or within the TCP header on a TCP L4 virtual port.
I hope this helps get you started with the conversion. The Application Delivery Controller and Command Line Reference documentation cover all of the above topics.
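As an added example (not part of the original answer, and not A10 or Citrix tooling): a Python helper that reads NetScaler `add service` lines and lists the A10 virtual-port type, templates and source-NAT handling described above, so each service can be checked before cutover. The service names, addresses and the `plan` / `parse_flags` helpers are hypothetical, and reading `-usip NO` as "source NAT in use" and `-cip ENABLED <name>` as "insert the client IP in header <name>" is an assumption about the NetScaler flags.

```python
import shlex
# NetScaler service type -> (A10 virtual-port type, templates to bind), per the answer above.
PORT_PLAN = {
    "SSL": ("https", ["client-ssl", "server-ssl"]),
    "SSL_BRIDGE": ("tcp", []),   # TLS is passed through to the backend untouched
    "TCP": ("tcp", ["tcp"]),
}

def parse_flags(tokens):
    """Group '-flag value [value ...]' tokens into {flag: [values]}."""
    flags, current = {}, None
    for tok in tokens:
        if tok.startswith("-"):
            current = tok[1:].lower()
            flags[current] = []
        elif current is not None:
            flags[current].append(tok)
    return flags

def plan(line, connection_reuse=False):
    """Map one 'add service' line to the A10 objects it calls for."""
    tok = shlex.split(line)
    if tok[:2] != ["add", "service"] or len(tok) < 6:
        raise ValueError("expected: add service <name> <ip> <type> <port> [flags]")
    name, stype = tok[2], tok[4]
    if stype not in PORT_PLAN:
        raise ValueError(f"unhandled service type: {stype}")
    vport, templates = PORT_PLAN[stype][0], list(PORT_PLAN[stype][1])
    flags = parse_flags(tok[6:])
    # Assumption: '-usip NO' means the backend sees the load balancer's address (SNAT).
    snat = flags.get("usip") == ["NO"]
    if connection_reuse:
        if not snat:
            raise ValueError(f"{name}: connection reuse requires source NAT")
        templates.append("connection-reuse")
    if "clttimeout" in flags and "tcp" not in templates:
        templates.append("tcp")  # client timeout is set in the TCP template
    client_ip, cip = None, flags.get("cip", [])
    if snat and cip[:1] == ["ENABLED"]:
        header = cip[1] if len(cip) > 1 else "(default header)"
        client_ip = f"header {header}" if vport == "https" else "TCP header option"
    return {"service": name, "virtual_port": vport, "templates": templates,
            "source_nat": "auto or pool" if snat else None, "client_ip": client_ip}

# Constructed sample lines; the first carries the flag string quoted in the question.
SAMPLES = [
    "add service was-web 192.0.2.11 SSL 9443 -cip ENABLED client-ip -usip NO -userproxyport YES",
    "add service was-mq 192.0.2.12 SSL_BRIDGE 9444 -usip YES",
]
```

A `client_ip` of `None` together with `source_nat` set means backend logs will show only the A10 address for that service.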