Citrix ADC Load Balance Config for CyberArk PSM

At the time of this post, CyberArk does not have documentation on load balancing Privileged Session Management (PSM) traffic for Citrix ADC, though they provide an example config for F5, it doesn’t translate to Citrix. Hopefully, this would help something that is trying to do this for ADC.

## Add PSM Backend Servers ##
add server PSM-01 x.x.x.x -comment cyberark
add server PSM-02 x.x.x.x -comment cyberark

## Create  RDS Health Monitor & PSM Health Monitor ##
add lb monitor CyberArk-PSMHealth-monitor HTTP-ECV -send "GET /psm/api/health" -recv PASS -LRTM DISABLED -interval 30 -resptimeout 10 -destPort 443 -secure YES -sslProfile ns_default_ssl_profile_backend
add lb monitor CyberArk-RDSHealth-monitor USER -scriptName nsrdp.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -LRTM DISABLED -interval 30 -resptimeout 10

## Create TCP Service Group, bind backend servers and health monitors with service group monitor threshold/weight of 2 ##
add serviceGroup CyberArkPSM-TCP3389-SG TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO -monThreshold 2 -downStateFlush DISABLED -comment "SM: CyberArk PSM Service Group"
bind serviceGroup CyberArkPSM-TCP3389-SG PSM-01 3389
bind serviceGroup CyberArkPSM-TCP3389-SG PSM-01 3389
bind serviceGroup CyberArkPSM-TCP3389-SG -monitorName CyberArk-PSMHealth-monitor
bind serviceGroup CyberArkPSM-TCP3389-SG -monitorName CyberArk-RDSHealth-monitor

## Create LB TCP VIP ##
add lb vserver CyberarkPSM_TCP3389_VS TCP x.x.x.x 3389 -persistenceType NONE -cltTimeout 9000
bind lb vserver CyberarkPSM_TCP3389_VS CyberArkPSM-TCP3389-SG

Couple of things to call out, the PSM monitor presumes the PSM Health Check backend server setup is configured with ResponseMode of Classic. Notice the PSM monitor has the destPort override of 443, without it service group port would be used causing the probe to fail. Also the monThreshold for the service group set to 2, both health checks need to pass for ADC to mark the backend server as up.

References >
Deploy PSM Health Check | CyberArk Docs
Example for configuring a load balancer | CyberArk Docs
Set up PSM high availability | CyberArk Docs

Troubleshooting > If the service group gets marked as down, start with the monitor details on the group, Last response should provide some guidence.

Leave a comment

Your email address will not be published. Required fields are marked *