Optional — RADIUS Load Balancing
BEST PRACTICE: In large deployments, configure load balancing to distribute RADIUS authentications among Imprivata appliances within the Imprivata enterprise.
This section describes how to configure the Citrix NetScaler Gateway load balancer to distribute the traffic load to all your Imprivata appliances in production. If your Citrix NetScaler Gateway license does not include load balancing, another load balancing solution should be used.
In a large deployment, you should not configure the Citrix NetScaler Gateway to send all RADIUS requests to one Imprivata appliance.
This topic offers instructions on making these configurations via CLI commands, or in the Citrix NetScaler graphical user interface console. When using the console, Citrix may present a warning message "Classic authentication policies are deprecated". You can safely ignore these messages.
Add Load Balancing Servers
- In the Citrix NetScaler console, go to Traffic Management > Load Balancing > Servers > Add.
- Configure the fields as follows:
Field | Value | Notes
--- | --- | ---
Name | sample-appl-server1 |
Select Domain Name > FQDN | FQDN | Enter the FQDN of an Imprivata appliance in production.
Repeat this process to add all the Imprivata appliances in production.
Add Load Balancing Servers in CLI
Edit the sample commands below to add load balancing servers via the command line. Replace server1.sample.eng and server2.sample.eng with the FQDNs of your Imprivata appliances in production:
add server sample-appl-server1 server1.sample.eng
add server sample-appl-server2 server2.sample.eng
Add Load Balancing Service Group
- In the Citrix NetScaler console, go to Traffic Management > Load Balancing > Service Groups > Add.
- Configure the fields as follows:
Field | Value
--- | ---
Name | sample-service-group
Protocol | RADIUS
Cache Type | SERVER
Add Load Balancing Service Group in CLI
Edit the sample command below to add a load balancing service group via the command line:
add serviceGroup sample-service-group RADIUS -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport NO -cltTimeout 120 -svrTimeout 120 -CKA NO -TCPB NO -CMP NO
This Load Balancing Service Group does not have any 'service group members' yet. You will add the Imprivata production appliances in the next section.
Add Load Balancing Service Group Members
Add the Imprivata production appliances (the load balancing servers you created above) as members of the currently empty Service Group:
- In the Citrix NetScaler console, go to Traffic Management > Load Balancing > Service Groups.
- Select your Load Balancing Service Group. The section Load Balancing Service Group > Service Group Members lists no service group members.
- Click the > link.
- On the Create Service Group Member page, select Server Based.
- You don't have to 'create' the members (you did this already), so click the > to select them.
- Check each of the Imprivata production appliance servers, and click Select.
- Back on the Create Service Group Member page, set the Port to 1812.
- Click Create.
- Back on the Load Balancing Service Group page, click OK.
Add Load Balancing Service Group Members in CLI
Edit the sample commands below to bind the Imprivata production appliances to the load balancing service group via the command line. Add one line for each Imprivata production appliance you need to bind to the service group:
bind serviceGroup sample-service-group sample-appl-server1 1812
bind serviceGroup sample-service-group sample-appl-server2 1812
Add Load Balancing Virtual Server
- In the Citrix NetScaler console, go to Traffic Management > Load Balancing > Virtual Servers > Add.
- Configure the fields as follows:
Field | Value | Notes
--- | --- | ---
Name | sample-lb-virtual-server |
Protocol | RADIUS |
IP Address Type | IP Address | Enter the IP address of the NetScaler load balancer.
Port | 1812 |
Add Load Balancing Virtual Server in CLI
Edit the sample command below to add the load balancing virtual server via the command line. Replace 10.1.1.1 with the IP address of your load balancing server:
add lb vserver sample-lb-virtual-server RADIUS 10.1.1.1 1812 -persistenceType NONE -cltTimeout 120
Bind Virtual Server Service Group
- In the Citrix NetScaler console, go to Traffic Management > Load Balancing > Virtual Servers and open the Load Balancing Virtual Server page for the virtual server you created.
- In the section Services and Service Groups, click > to select the Service Group.
- Select the Service Group you created and click Select.
- On the ServiceGroup Binding page, your service group is displayed. Click Bind.
Bind Load Balancing Virtual Server Service Group in CLI
Edit the sample command below to bind the load balancing virtual server service group via the command line:
bind lb vserver sample-lb-virtual-server sample-service-group
Configure RADIUS Server to Point to Load Balancer
Edit the Authentication RADIUS Server to point to the NetScaler load balancer instead of the Imprivata appliance.
In the Citrix NetScaler console, go to VPN Virtual Server Authentication RADIUS Policy Binding > Configure Authentication RADIUS Server.
Configure the fields as follows:
Field | Value | Notes
--- | --- | ---
Server IP | IP Address | Enter the IP address of the NetScaler load balancer.
Secret Key | Secret Key | Enter the Secret Key, and again in the Confirm Secret Key field. This is the same key as the "encryption key" entered in the Imprivata Admin Console > Applications > Remote access integrations.
Test Connection | | Click Test Connection.
Time-out (seconds) | 3 |
Configure RADIUS Server to Point to Load Balancer in CLI
Edit the sample command below to configure the RADIUS server to point to the load balancer via the command line.
- Replace sample-radius-server with the name of your authentication RADIUS action, and 10.1.1.1 with the IP address of the NetScaler load balancer.
- Replace <secretkey> with the secret key / shared secret you created in the Imprivata Admin Console:
set authentication radiusAction sample-radius-server -serverIP 10.1.1.1 -serverPort 1812 -radKey <secretkey>
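Once the RADIUS action points at the load balancer, the following added example (written for this page, not Imprivata's or Citrix's code) builds a minimal RFC 2865 Access-Request, checks the Response Authenticator of the reply with the shared secret, and can probe the VIP on UDP/1812 to confirm the same secret is configured end to end; the VIP address, test user, password and NAS IP passed to probe_vip are assumptions supplied by the caller.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3             # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4  # RFC 2865 attribute types

def _attr(atype, value):
    # Type-Length-Value; the length byte counts the 2-byte header.
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, request_auth):
    # RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block).
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\0")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, username, password, secret, nas_ip, request_auth):
    # Client side: the packet the NetScaler sends to the load-balancer VIP on UDP/1812.
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    attrs += _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_response(code, ident, request_auth, secret, attrs=b""):
    # Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret).
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def response_is_authentic(response, ident, request_auth, secret):
    # Client-side check; a secret that differs anywhere along the LB path fails here.
    if len(response) < 20 or response[1] != ident or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def probe_vip(vip, secret, username, password, nas_ip, timeout=3.0):
    # One Access-Request to the VIP on 1812 (3 s timeout as configured above); returns the reply
    # code, or None when nothing came back or the Response Authenticator did not verify.
    # vip, secret, username, password and nas_ip are caller-supplied assumptions.
    ident, request_auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_access_request(ident, username, password, secret, nas_ip, request_auth), (vip, 1812))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return data[0] if response_is_authentic(data, ident, request_auth, secret) else None
```

A None from probe_vip while a reply is visible on the wire usually means the key on the NetScaler and the encryption key in the Imprivata Admin Console differ; an Access-Reject (3) with a verified authenticator means the path and secret are fine and only the test credentials were refused.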
Imprivata Admin Console — Add SNIP to RADIUS Client Integration
Edit the Citrix NetScaler integration to point to the Subnet IP (SNIP) address. (You can find the SNIP address in the Citrix console > System > Network > IPs > IPV4s):
- In the Imprivata Admin Console, go to Applications > Remote access integrations.
- In the section Your integrations, click the Nickname for your Citrix NetScaler integration.
- In the section RADIUS client information, add the SNIP address.
- Click Save.