Migrate Citrix NetScaler ADC from pooled to permanent licence


Citrix NetScalers, or ADCs, have two different types of licensing available to them: either the traditional permanent licence, where you upload a licence file to the appliance, reboot it and it's done, or pooled licences. Pooled licences are more flexible and require Citrix ADM to host and manage them. They can be checked out by NetScalers, enabling you to upscale, downscale and reallocate licences quickly.

However, there are some problems with switching to pooled licences. It's a lot more administrative work, as these licences tend to expire and you have to “manage” them as you do with CVAD licences. Also, I’ve yet to come across any real use case where you need to juggle licences for NetScalers (ADCs) in this manner, and I’ve worked with A LOT of use cases. Finally, once you switch to pooled licences you cannot physically switch that NetScaler (ADC) back to permanent licences.

It appears that future sales of NetScalers will have no choice but to go to pooled licences (I won’t get into that discussion here, but safe to say I’m not a fan).

This post will centre on VPXs hosted in Azure (or any cloud, for that matter), where it is possible to switch back to running a pair with permanent licences with some juggling.

The high level tasks to put an HA pair back to permanent licences are as follows:

  • Back up configs
  • Shut down secondary appliance
  • Delete secondary appliance
  • Remove secondary appliance from HA config of the Primary
  • Reprovision Secondary appliance from cloud marketplace
  • Apply basic wizard config to appliance (including permanent licence)
  • Apply extra config to appliance
  • Set Primary appliance as stay primary in HA config
  • Set Secondary appliance as stay secondary in HA Config
  • Create HA pair FROM “PRIMARY APPLIANCE”
  • Monitor and confirm HA pair are functioning correctly
  • Failover the pair and test
  • Perform the same steps on the remaining NetScaler (ADC)

For a pair of ADCs in the cloud you need to use INC mode, which means that each ADC has more settings that are individual to it. The actions listed above therefore carry more risk, especially during a failover: if some configured items are missing, the appliance will not function correctly and, even worse, that config can sometimes simply be deleted from the ns.conf file, meaning that failing back may not resolve the issue because the config will be gone.

It is critical to plan and document each step of the process you need to follow and, more importantly, to have backups of everything before starting.

I’ve written the steps below to help you with this process of migrating a cloud-based NetScaler (ADC) back to permanent licences from pooled licence mode.

Take a full backup of the ADCs prior to the rebuild, and document the attached NICs, vNets, IPs etc.

| NICs (Names) | vNet/Subnet | IPs |
|---|---|---|
| Complete here | Complete here | Complete here (etc) |

| Item | Configuration |
|---|---|
| SNIPS | |
| PBRs | |
| Routes | |
| NetProfile | |
| VLANS | |

  • Shutdown secondary node
  • Change primary node HA “ADC01” to “Stay Primary”
  • Remove HA node from the configuration and Save the configuration (**See notes below**)
  • Remove the Nics from the Azure Load Balancers
  • Reconfigure the ALB monitor to include a port other than port 9000
  • Delete the secondary VM
  • Deploy a new ADC using BYOL ADC, with firmware 13.0
  • Upgrade the firmware, if necessary, to the same revision as the Primary
  • Obtain HOSTID and retrieve licence
  • Install licence
  • Add nics to VM
  • Add SNIPS from document above maintaining the previous names
  • Add PBR’s from document above maintaining the previous names
  • Add Routes from document above maintaining the previous names
  • Add Netprofile from document above maintaining the previous names
  • Configure VLAN’s from document above maintaining the previous names
  • Set ADC02 to Stay Secondary and save config
  • Add ADC02 to HA from ADC01
  • Ensure sync occurs correctly and examine the config to ensure it looks correct
  • Reattach the Azure NICs to the Azure Load Balancers (ALBs) and verify them
  • Change both ADCs to actively participate in HA
  • Test authentication works with existing ADC
  • Failover ADC’s to newly built ADC and test authentication functions
  • Ensure all load balancing/GSLB etc is reporting healthy and is as expected
  • Test ICA connection through Azure and ensure functionality
  • Save configuration
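
An added example, not part of the original post: one way to check the rebuilt secondary against the backup of the node it replaces, so that a SNIP, PBR, route, net profile or VLAN that is missing or altered is caught before the HA pair is re-formed. The sample ns.conf lines are constructed, and treating an `add ns ip` line without `-type` as a SNIP is an assumption.

```python
import re

# Per-node items from the documentation table, matched to ns.conf commands.
# The captured groups form the identifying key (name, IP, ID or network/mask).
RULES = {
    "SNIP": re.compile(r"^add ns ip (\S+)"),
    "PBR": re.compile(r"^add ns pbr (\S+)"),
    "Route": re.compile(r"^add route (\S+) (\S+)"),
    "NetProfile": re.compile(r"^add netProfile (\S+)", re.I),
    "VLAN": re.compile(r"^add vlan (\S+)"),
}

def inventory(conf_text):
    """Map (category, key) -> full config line for every per-node item."""
    items = {}
    for line in map(str.strip, conf_text.splitlines()):
        for category, rule in RULES.items():
            m = rule.match(line)
            if not m:
                continue
            # Assumption: "add ns ip" without -type is a SNIP; VIPs etc. are skipped.
            ip_type = re.search(r"-type (\S+)", line)
            if category == "SNIP" and ip_type and ip_type.group(1).upper() != "SNIP":
                continue
            items[(category, "/".join(m.groups()))] = line
    return items

def compare(backup_conf, rebuilt_conf):
    """Return (missing, changed) keys on the rebuilt node versus the backup."""
    old, new = inventory(backup_conf), inventory(rebuilt_conf)
    missing = sorted(k for k in old if k not in new)
    changed = sorted(k for k in old if k in new and old[k] != new[k])
    return missing, changed

# Constructed sample data: backup of the old secondary, then the rebuilt node.
BACKUP = """add ns ip 10.10.1.5 255.255.255.0 -vServer DISABLED
add ns ip 10.10.2.5 255.255.255.0 -vServer DISABLED
add ns ip 10.10.1.20 255.255.255.255 -type VIP
add vlan 10
add netProfile np_backend -srcIP 10.10.2.5
add route 10.20.0.0 255.255.0.0 10.10.2.1
add ns pbr pbr_mgmt ALLOW -srcIP = 10.10.1.5 -nextHop 10.10.1.1"""
REBUILT = """add ns ip 10.10.1.5 255.255.255.0 -vServer DISABLED
add ns ip 10.10.2.5 255.255.255.0 -vServer DISABLED
add vlan 10
add netProfile np_backend -srcIP 10.10.1.5
add route 10.20.0.0 255.255.0.0 10.10.2.1"""

print(compare(BACKUP, REBUILT))
```

Run it against the saved ns.conf from the backup and the ns.conf of the rebuilt node before adding ADC02 to HA; both lists should be empty.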

**Important Note**

When rebuilding existing ADC environments which utilise Azure Load Balancers, it should be noted that removing a node from HA causes a problem. ALBs monitor ADCs on port 9000, which is only open and active on the primary ADC in an HA pair. When the pair is broken the port is inactive and the ALB believes the service to be down.

The full issue when rebuilding is this: if you delete and recreate a secondary ADC instance, you have to remove the HA configuration from the Primary in order to re-add the new one, which then closes the port and stops the service behind the ALB from functioning. Please note this may be avoidable by configuring a different or additional port for the ALB to monitor, perhaps port 80, but this must then be removed or reverted quickly when the HA pair is rejoined, to avoid issues with the ALB determining which NetScaler (ADC) is the primary.

Author: Dale Scriven
