What to submit when asking for layer4/load balancer services.
This document describes what to include in a request for layer4 services.
Things to keep in mind
Currently only specific subnets can be load balanced with the layer4 switch. If your server is not on one of these subnets it may have to move to a load balanced subnet, depending on your service needs.
Load balanced subnets as of 6/3/2024 are:
| Subnet | SLB Health Check IP | Load Balancer | Description |
|---|---|---|---|
| 144.92.197.128/25 | 144.92.197.131 | Citrix/Netscaler | Portal Production Public (Note: VIPs are also behind firewall) |
| 144.92.8.0/24 | 144.92.8.6 | Citrix/Netscaler | Portal Production Private |
| 144.92.170.0/25 | 144.92.170.2 | Citrix/Netscaler | (ITE) Test Public (Note: VIPs are also behind firewall) |
| 144.92.7.0/24 | 144.92.7.5 | Citrix/Netscaler | (ITE) Test Private |
| 128.104.1.128/25 | 128.104.1.194 | Citrix/Netscaler | General purpose server load balancing - Production network (Note: VIPs are also behind firewall) |
| 128.104.236.0/23 | 128.104.236.4 | Citrix/Netscaler | Learn @ UW (Production) |
| 144.92.127.0/25 | 144.92.127.4 | Citrix/Netscaler | Learn @ UW (Beta) |
| 144.92.119.128/25 | 144.92.119.134 | Citrix/Netscaler | Learn @ UW (WebDAV Beta) |
| 144.92.49.192/26 | 144.92.49.198 | Citrix/Netscaler | General purpose server load balancing - Test network (Note: VIPs are also behind firewall) |
| 144.92.9.0/24 | 144.92.9.7 | Citrix/Netscaler | General purpose server load balancing - Production network (Note: VIPs are also behind firewall) |
| 144.92.128.0/25 | 144.92.128.6 | Citrix/Netscaler | Restricted Data - Test Subnet (Note: VIPs are also behind firewall) |
| 144.92.201.128/25 | 144.92.201.134 | Citrix/Netscaler | Restricted Data 2 - Production Subnet (Note: VIPs are also behind firewall) |
| 128.104.155.0/24 | 128.104.155.6 | Citrix/Netscaler | AIMS VM network (Note: VIPs are also behind firewall) |
| 128.104.46.0/24 | 128.104.46.6 | Citrix/Netscaler | LTG/LIRA - Production Subnet (Note: VIPs are also behind firewall) |
| 128.104.31.64/26 | 128.104.31.70 | Citrix/Netscaler | Restricted Data 3 - Production Subnet (Note: VIPs are also behind firewall) |
| 128.104.22.0/24 | 128.104.22.6 | Citrix/Netscaler | General purpose server load balancing - Production network (Note: VIPs are also behind firewall) |
| 144.92.104.0/24 | 144.92.104.6 | Citrix/Netscaler | General purpose server load balancing - Production network (Note: VIPs are also behind firewall) |
| 144.92.26.96/27 | 144.92.26.105 | Citrix/Netscaler | General purpose server load balancing - Production network (Note: VIPs are also behind firewall) |
| 128.104.54.0/24 | 128.104.54.6 | Citrix/Netscaler | DoIT Shared Web Hosting Network 3 (Note: VIPs are also behind firewall) |
| 128.104.53.160/27 | 128.104.53.190 | Citrix/Netscaler | OCIS Logging (Note: VIPs are also behind firewall) |
| 128.104.50.0/24; 2607:f388:2:1::/64 | 128.104.50.6; 2607:f388:2:1::6 | Citrix/Netscaler | CCI Shared L4 Services (Note: VIPs are also behind firewall) |
| 128.104.221.0/25 | 128.104.221.6 | Citrix/Netscaler | CCI Shared Restricted Data L4 Services (Note: VIPs are also behind firewall) |
| 128.104.82.0/25 | 128.104.82.6 | Citrix/Netscaler | DoIT Data Center Prod Restricted Data 3 (Note: VIPs are also behind firewall) |
| 10.130.165.0/24 | 10.130.165.6 | Citrix/Netscaler | OCIS Logging (Note: VIPs are also behind firewall) |
| 10.128.127.0/24 | 10.128.127.6 | Citrix/Netscaler | DoIT Shared Web Hosting RFC1918 Network |
| 10.130.171.128/25 | 10.130.171.168 | Citrix/Netscaler | DoIT VOIP |
| 144.92.5.128/25 | 144.92.5.134 | Citrix/Netscaler | AIMS VDI Access Points |
| 10.128.112.160/27 | 10.128.112.166 | Citrix/Netscaler | Oracle Identity Manager private production network |
| 144.92.22.128/25 | 144.92.22.134 | Citrix/Netscaler | LIMITED-HOSTING-CSSC_PRD |
| 128.104.80.0/23 | 128.104.80.6 | Citrix/Netscaler | webhosting cluster (public) V.Ponelis and J.Simon |
| 144.92.164.176/28 | 144.92.164.180 | Citrix/Netscaler | SIS Production Public IP network, client side of layer4, private side of firewall |
| 10.134.192.64/26 | 10.134.192.68 | Citrix/Netscaler | SIS Production RFC1918 IP network, client side of layer4, private side of firewall |
| 128.104.136.128/25 | 128.104.136.132 | Citrix/Netscaler | UW Systems - PeopleSoft as a Service (PSaaS) - Production Environment |
| 10.130.214.0/24 | 10.130.214.6 | Citrix/Netscaler | Cybersecurity syslog and logging service - private network |
| 128.104.136.64/26 | 128.104.136.68 | Citrix/Netscaler | IBM Cloud Object Storage - External |
| 128.104.52.128/26 | 128.104.52.134 | Citrix/Netscaler | WID - DISCOVERY-EQUIPMENT |
| 144.92.227.48/28 | 144.92.227.52 | Citrix/Netscaler | Exadata Cloud at Customer (C@C) Layer4 VIP Network (1 of 2) |
| 10.128.222.192/26 | 10.128.222.198 | Citrix/Netscaler | EXADATA-BACKUP-NET |
| 128.104.144.16/28 | 128.104.144.20 | Citrix/Netscaler | Exadata Cloud at Customer (C@C) Layer4 VIP Network (2 of 2) |
| 128.104.144.128/25 | 128.104.144.134 | Citrix/Netscaler | Firewalled general purpose platform subnet in Computer Science |
| 144.92.29.224/27 | 144.92.29.228 | Citrix/Netscaler | Office Of CyberSecurity - CyberArk Public IPs |
| 10.134.94.192/26 | 10.134.94.196 | Citrix/Netscaler | Office Of CyberSecurity - CyberArk Component Servers |
| 10.134.95.0/26 | 10.134.95.4 | Citrix/Netscaler | Office Of CyberSecurity - CyberArk Vault Servers |
| 2607:f388:2:1::/64 | 2607:f388:2:1::6 | Citrix/Netscaler | CCI Shared Virtual Machine Network |
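A pre-submission check for the subnet requirement above, as an added example that is not part of the original document: it looks up the VIP and each server in a subset of the table's rows and reports any address that is not on a load balanced subnet. The function names are hypothetical, and treating the SLB Health Check IP as the source address of health probes (to be allowed through each server's host firewall) is an assumption.

```python
import ipaddress

# Subset of rows copied from the page's table: subnet -> SLB health check IP.
# Add the remaining rows before relying on a "not load balanced" result.
LB_SUBNETS = {
    "144.92.170.0/25": "144.92.170.2",
    "144.92.8.0/24": "144.92.8.6",
    "10.128.127.0/24": "10.128.127.6",
    "128.104.50.0/24": "128.104.50.6",
    "2607:f388:2:1::/64": "2607:f388:2:1::6",
}

def find_lb_subnet(address):
    """Return (subnet, health_check_ip) for the load balanced subnet that
    holds address, or None. Raises ValueError if address is not an IP."""
    ip = ipaddress.ip_address(address)
    for cidr, health_ip in LB_SUBNETS.items():
        if ip in ipaddress.ip_network(cidr):  # always False across IPv4/IPv6
            return cidr, health_ip
    return None

def review_request(vip, servers):
    """Check a draft request. Returns (findings, allow): findings lists the
    problems; allow maps each accepted server to the health check source its
    host firewall should permit (assumption: probes come from that IP)."""
    findings, allow = [], {}
    for role, addr in [("VIP", vip)] + [("Server", s) for s in servers]:
        try:
            match = find_lb_subnet(addr)
        except ValueError:
            findings.append(f"{role} {addr}: not a valid IP address")
            continue
        if match is None:
            findings.append(f"{role} {addr}: not on a load balanced subnet")
        elif ipaddress.ip_address(addr) == ipaddress.ip_address(match[1]):
            findings.append(f"{role} {addr}: is the SLB health check IP")
        elif role == "Server":
            allow[addr] = match[1]
    return findings, allow

if __name__ == "__main__":
    # Placeholder addresses from the page's request templates; the backup
    # server placeholder 144.92.170.254 lies outside 144.92.170.0/25.
    findings, allow = review_request(
        "144.92.170.11", ["144.92.170.22", "144.92.170.254"])
    print("\n".join(findings) or "no findings")
    print(allow)
```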
Request Examples/Templates that can be used in WiscIT cases:
New
- You'll need a new IP assigned for the Virtual IP (VIP). This is currently handled by the DoIT Datacenter Team. Their process can be found at https://kb.wisc.edu/doit/internal/6530
- Virtual IPs (VIPs) are also behind the firewall. Firewall rules will have to be configured to allow access to the VIPs. The DoIT-SEO firewall team handles firewall rule requests for most of the subnets listed above via https://platform.doit.wisc.edu/firewall/. WiscNIC can help determine subnet administration. If all else fails, please create a WiscIT ticket via the Help Desk.
Example #1 - New VIP
Please forward this case to Network Services-OpEng.
I need the following Load Balancer(L4) configuration created:
VIP = <144.92.170.11> (SOME-SERVICE.WISC.EDU), Port: <TCP443 -or- UDP443>;
- If SSL, are we terminating the SSL on the L4 or passing it through to the server?
- If Terminating SSL on the L4, the certificate and key can be attached to the case as a password protected PKCS12 and NS will reach out when we need the password.
- Intermediate and Root certs can be directly attached to the case.
Metric = <LEAST CONNECTIONS -or- ROUNDROBIN -or- SRC IP/SRC PORT>; Others
Persistence = <YES -or- NO>; If Yes, what Type? <SOURCE IP -or- SRCIPDESTIP -or- SSL SESSION ID -or- COOKIE INSERT>; Others
Health Check = <HTTP -or- HTTPS -or- TCPS -or- TCP>; Others
Server = <144.92.170.22 (server1.doit.wisc.edu)>, Port: <8443>
Server = <144.92.170.23 (server2.doit.wisc.edu)>, Port: <8443>
Server = <144.92.170.24 (server3.doit.wisc.edu)>, Port: <8443>
Backup Servers(Optional)
- Server = <144.92.170.254 (server-bkp.doit.wisc.edu)>, Port: <8443>
Notes: This can be configured like the existing VIP <144.92.170.10:443>.
Date/Time when this can be done: <ANYTIME>
Thank you,
<NAME HERE>
<EMAIL HERE>
<PHONE# HERE>
Example #2 - New Port for an existing VIP
Please forward this case to Network Services-OpEng.
I need the following Load Balancer(L4) configuration created for existing VIP <144.92.170.11>:
VIP = <144.92.170.11> (SOME-SERVICE.WISC.EDU), Port: <TCP8443 -or- UDP8443>;
- If SSL, are we terminating the SSL on the L4 or passing it through to the server?
- If Terminating SSL on the L4, the certificate and key can be attached to the case as a password protected PKCS12 and NS will reach out when we need the password.
- Intermediate and Root certs can be directly attached to the case.
Metric = <LEAST CONNECTIONS -or- ROUNDROBIN -or- SRC IP/SRC PORT>; Others
Persistence = <YES -or- NO>; If Yes, what Type? <SOURCE IP -or- SRCIPDESTIP -or- SSL SESSION ID -or- COOKIE INSERT>; Others
Health Check = <HTTP -or- HTTPS -or- TCPS -or- TCP>; Others
Server = <144.92.170.22 (server1.doit.wisc.edu)>, Port: <8443>
Server = <144.92.170.23 (server2.doit.wisc.edu)>, Port: <8443>
Server = <144.92.170.24 (server3.doit.wisc.edu)>, Port: <8443>
Backup Servers(Optional)
- Server = <144.92.170.254 (server-bkp.doit.wisc.edu)>, Port: <8443>
Notes: This can be configured like the existing VIP <144.92.170.10:8443>.
Date/Time when this can be done: <ANYTIME>
Thank you,
<NAME HERE>
<EMAIL HERE>
<PHONE# HERE>
Add Server(s) to an existing VIP
Example #1
Please forward this case to Network Services-OpEng.
Please add the following server to existing VIP <144.92.170.10:443>
Server = <144.92.170.22 (server1.doit.wisc.edu)>, Port: <443>
Date/Time when this can be done: <ANYTIME>
Thank you,
<NAME HERE>
<EMAIL HERE>
<PHONE# HERE>
Change
Example #1 - Change existing VIP configuration
Please forward this case to Network Services-OpEng.
Please change existing VIP <144.92.170.10:443> from <SOURCE IP> persistence to <COOKIE INSERT>.
Date/Time when this can be done: <ANYTIME>
Thank you,
<NAME HERE>
<EMAIL HERE>
<PHONE# HERE>
Example #2 - Certificate Update
Please forward this case to Network Services-OpEng.
Please update the certificate for <SOME-SERVICE.WISC.EDU> (144.92.170.11).
- The certificate and key can be attached to the case as a password protected PKCS12 and NS will reach out when we need the password.
- Intermediate and Root certs can be directly attached to the case.
Date/Time when this can be done: <ANYTIME>
Current Certificate expires on: <DATE HERE>
Thank you,
<NAME HERE>
<EMAIL HERE>
<PHONE# HERE>
Delete
Example #1
Please forward this case to Network Services-OpEng.
Please delete the following server from all associated VIPs.
Server = <144.92.170.22 (server1.doit.wisc.edu)>
Date/Time when this can be done: <ANYTIME>
Thank you,
<NAME HERE>
<EMAIL HERE>
<PHONE# HERE>
Citrix/Netscaler Metrics and Health Checking
- Metrics for the Citrix Netscaler can be found here.
- Health checks for the Citrix Netscaler can be found here
- UW - Madison's Load Balancing capabilities