NetScaler ADC – Hidden vServer for HTTPS redirect

This posting is ~5 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

Starting with release 11.1, NetScaler ADC offers an easy way to redirect traffic from HTTP to HTTPS within the configuration of a load-balanced vServer. With 11.1, Citrix introduced the paramter  -redirectFromPort and -redirectURL.

While playing with a NetScaler ADC in my lab, I discovered a strange error message as I tried to configure the redirect.

NetScaler HTTP Redirect Error Message

Patrick Terlisten/ Creative Commons CC0

Internal vserver couldn’t be set?! Okay, there was already a vServer, that was listening on port 80. After removing the vServer, I was able to setup the redirection and it was working as expected.

A hidden vServer

Later, I was really suprised to find a hidden vServer in the output of the “stat lb vserver” command.

> stat lb vserver lb_vsrv_https_httpredir_31 -fullValues

Virtual Server Summary
                                          vsvrIP  port     Protocol
lb_vsrv_https_httpredir_31    80         HTTP

lb_vsrv_https_httpredir_31                                  DOWN

                                              Health              actSvcs
lb_vsrv_https_httpredir_31                         0                    0

lb_vsrv_https_httpredir_31                         0

Virtual Server Statistics
                                          Rate (/s)                Total
Vserver hits                                       0                    0
Requests                                           0                    0
Responses                                          0                    0
Request bytes                                    108                 1131
Response bytes                                    66                  690
Total Packets rcvd                                 1                   15
Total Packets sent                                 1                   12
Current client connections                        --                    3
Current Client Est connections                    --                    0
Current server connections                        --                    0
Requests in surge queue                           --                    0
Requests in vserver's surgeQ                      --                    0
Requests in service's surgeQs                     --                    0
Spill Over Threshold                              --                    0
Spill Over Hits                                   --                    0
Labeled Connection                                --                    0
Push Labeled Connection                           --                    0
Deferred Request                                   0                    0
Invalid Request/Response                          --                    0
Invalid Request/Response Dropped                  --                    0
Vserver Down Backup Hits                          --                    3
Current Multipath TCP sessions                    --                    0
Current Multipath TCP subflows                    --                    0

The name of the vServer is always the same (name of the vServer plus suffix _httpredir_##). Sometimes, the vServer has an other ending number after a reboot. There is no hint to this vServer in the config of the NetScaler. The behaviour is the same for NetScaler ADC 11.1 and 12.0.

I don’t think that this some kind of a hack or an issue. But I think that’s something you should know when working with HTTPS redirection, or for troubleshooting purposes.

4.3/5 - (14 votes)
Patrick Terlisten
Follow me

Leave a Reply

Your email address will not be published.