Internal/External DNS Configuration - Split DNS
Hi,
Infrastructure Info:
Our internal and external domain is the same (domain.com). We have two sites; A (Headquarters) and B (Daughter site). We have an Exchange 2010 [(mail.domain.com) same as our public DNS record] and Citrix [(app.domain.com) same as our public DNS record] server at site A. The A records were created this way because some users work internally and externally. We wanted them to be able to use internal and external resources without any reconfiguring issues or having to remember new addresses. Site B connects to Exchange and Citrix at site A via a VPN.
Problem:
The problem we have is: if the VPN goes down, we have to make a manual internal DNS change to have the users in site B look to the public addresses of the Exchange and Citrix servers in order to access them. Is there a way I can still keep the internal and external records the same, but have users at site B look towards the public address in a failure? Is there a router/firewall rule that can be created?
We have Outlook Anywhere configured and we think this works fine in a failure. It's the Citrix server that is the problem.
August 27th, 2012 2:35pm
Dennis,
This is actually a Citrix related configuration item. If you update your ICA file to have multiple servers listed, it will fix your issue. If it fails on the first connection after X timeout, it will automatically attempt the next server.
Address=16.13.32.112
Address=10.13.12.113
Think of DNS as a bookkeeper -- it is only there for keeping track of where things are. Something else, be it server, workstation, or network appliance, needs to notify DNS to change the record.
Also -- have you ever thought about an F5 load balancer? You can put in logic to update a set of DNS records after a certain timeout or a level of latency (ms). This doesn't provide as good an experience as the above, as the user's experience will be VPN goes down > Launching Application Fails > Relaunch Application ...
The above will enable the session to remain active.
Let me know if you have any other questions.
-Brenton
August 27th, 2012 4:19pm
We're using a Netscaler VPX to manage the incoming connections. If the VPN goes down won't everyone still be looking towards the local address of the Citrix server instead of the public? I forgot to mention that site B has a DC running DNS at their location.
August 27th, 2012 4:44pm
Site B's DNS server still will not be state aware if the VPN tunnel goes down. Do you only have one NetScaler or do you have NetScalers on both ends? NetScalers can do Application Queries and fail over to a new location if it determines that an application is no longer available.
Also warrants the question, if you are using a NetScaler, why are you re-encrypting the traffic within the VPN tunnel? Unless you don't use encryption, you are doing an encryption factor of 2, slowing down application performance. I would point all traffic from Site B to the external interface. There is no value in taxing your VPN appliance for that traffic.
Let me know your thoughts
-Brenton
August 27th, 2012 5:01pm
We do not have a NetScaler at both ends.
That's a good point. What about the users at site A who are next to the server? How will they access the server locally without an internal A record?
August 27th, 2012 5:06pm
Dennis --
You should be able to configure what subnets connect to what frontend servers in the NetScaler. So if the ICA Client is coming from 172.16.1.0/24, connect to the internal IP. If the client is outside that range, connect to the External IP.
That's really how I'd configure it. I don't believe a static route will be necessary; it's just configuring the NetScaler to offer up the correct ICA files to the correct users.
-Brenton
August 27th, 2012 5:17pm
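The two ideas in the posts above (multiple Address= entries in the ICA file so the client falls through to the next server, and handing out the internal or external address based on the client's subnet) combined into one small model. This is an added example, not code from the thread or from Citrix; the subnet and the two server addresses are the constructed values quoted in the thread, and `probe` stands in for a hypothetical reachability check.

```python
import ipaddress
from typing import Callable, Iterable, List, Optional

# Constructed values taken from the thread, not from a real deployment:
# site A's client subnet, the Citrix server's internal (VPN-reachable)
# address and its public address behind the NetScaler.
SITE_A_SUBNET = ipaddress.ip_network("172.16.1.0/24")
INTERNAL_ADDR = "10.13.12.113"
EXTERNAL_ADDR = "16.13.32.112"


def ordered_addresses(client_ip: str) -> List[str]:
    """Return the server addresses a client should try, most preferred first.

    Clients inside site A get the internal address first because they sit
    next to the server. Everyone else (site B across the VPN, road warriors)
    gets the public address first. The other address stays in the list as
    the fallback entry, which is what a second Address= line gives you.
    """
    if ipaddress.ip_address(client_ip) in SITE_A_SUBNET:
        return [INTERNAL_ADDR, EXTERNAL_ADDR]
    return [EXTERNAL_ADDR, INTERNAL_ADDR]


def render_address_lines(addresses: Iterable[str]) -> str:
    """Render the ordered list as Address= lines, as quoted in the thread."""
    return "\n".join(f"Address={addr}" for addr in addresses)


def connect_with_failover(addresses: Iterable[str],
                          probe: Callable[[str], bool]) -> Optional[str]:
    """Emulate the client behaviour described above: try each address in
    order and return the first that answers, or None when all of them fail.

    `probe` is a hypothetical reachability check (for a real client this would
    be a TCP connect with a timeout); it is injected so the logic runs offline.
    """
    for addr in addresses:
        if probe(addr):
            return addr
    return None
```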
Dennis,
I spoke over this scenario with one of my Citrix guys here and we came up with a couple of other ideas for you.
#1 You can split Site B's DNS into a primary zone and point that zone to the external interface.
#2 You can deploy a different PNAgent to the workstations at Site B to point to the external interface of the netscaler.
Let me know how this works out for you. We have a few other ideas but I think one of the last couple of posts should be your magic bullet.
Cheers,
-Brenton
August 27th, 2012 5:32pm
Dennis,
I spoke over this scenario with one of my Citrix guys here and we came up with a couple of other ideas for you.
#1 You can split Site B's DNS into a second zone and point that zone to the external interface.
#2 You can deploy a different PNAgent to the workstations at Site B to point to the external interface of the netscaler.
Let me know how this works out for you. We have a few other ideas but I think one of the last couple of posts should be your magic bullet.
Cheers,
-Brenton
August 27th, 2012 5:39pm
From your last post I think I understand what you mean by making changes in Web Interface Management on the Citrix server, but I'm not making a connection to how the users will be able to find the server with the incorrect (local) IP.
These two "new" options you provided sound very interesting. I'm not very familiar with either though. Would splitting the DNS cause any issues on the network or with management of the two sites?
August 27th, 2012 5:50pm
Dennis,
While splitting your DNS is an option, it will take a lot more work than what is on the surface. You will have to change DHCP and DNS, and it will provide more management overhead. It doesn't really provide for a scalable solution. I still firmly believe that you should be looking at Citrix to solve your issue.
Take a look at:
http://forums.citrix.com/thread.jspa?threadID=300272
Essentially you just need to point the Citrix Receiver / PNAgent to the external interface at the remote location.
You can also purchase a branch repeater:
http://www.citrix.com/English/ps2/products/product.asp?contentID=1350184
Even with a Branch Repeater, you will still need to point the Citrix Receiver to the correct interface on the Branch Repeater.
----------------
So I thought about this last night... why are you concerned about losing the VPN tunnel?
1) If your tunnel goes down, it probably means that your internet connection went down, and pointing to an external interface won't do much for you.
2) If you frequently have your VPN tunnel go down, then you may need to invest in a new vpn concentrator.
-Brenton
August 28th, 2012 11:39am
The reason for this is because we wanted a more automated solution in the event the VPN were to go down; which it did recently. I did forget to mention that we have 3 internet connections at site A and the VPN failed to come back up when it switched over to the secondary internet connection. We also have a public service that offers DNS failover. I can set different IPs on one A record. If one IP can't be reached, the A record will failover to the second one.
After thinking about it, not only is this question based on Citrix, but Exchange as well. If the VPN goes down, the users at site B will be pointing to the location address for our mail server instead of the public used in Outlook Anywhere.
August 28th, 2012 2:57pm
Dennis,
Sorry for the delayed response.
I found a great article outlining why DNS Failover is not a good idea (might explain it better than I). I agree with all of the points:
http://serverfault.com/questions/60553/why-is-dns-failover-not-recommended
I would recommend architecting the solution around your VPN connection.
I don't get an indication if you have a budget or not, and that makes this difficult to provide an accurate solution for your secondary site. The general philosophy is you can have it Good, Fast, or Cheap; Pick Two. If you want it good and fast, you have to spend the money to make it an enterprise solution. If you want it fast and cheap, you are going to sacrifice quality.
If you want it done properly I would say:
1. Citrix Server or Branch Repeater at Site B
2. Exchange Hub/CAS at Site B
3. Enterprise VPN Concentrator at Site A and Site B that can round robin VPN endpoints upon failure
Any other direction is going less than robust, and will require scripting or a software package to perform the failover.
The point I am getting at is that you are looking at building a failover solution for a faulty VPN appliance/connection. The only reason why a VPN appliance should go down is if all of the internet connections go down. I would suggest looking into a new Border Gateway device that is robust enough to auto negotiate a new endpoint.
If you don't have a money tree, I'd suggest you look at http://www.untangle.com/ . It's fairly inexpensive and can do a lot of what you are looking for.
I hope this helps.
-Brenton
August 31st, 2012 3:07pm