Configuring Skype for Business frontend pool loadbalancing via Citrix Netscaler VPX


– A third-party trusted certificate imported into Netscaler; see my previous articles:
Installing certificate into Citrix Netscaler VPX -part 1

Installing certificate into Citrix Netscaler VPX -part 2

– Skype Front End Servers up and running. I assume that External HTTP is listening on 8080 and External HTTPS on 4443. In my scenario, I have two FE servers configured: MGMTSFBFE01 and MGMTSFBFE02.


Connect and log in to Netscaler via SSH (I use PuTTY).

1. First we create servers:

add server MGMTSFBFE01.mgmt.local
add server MGMTSFBFE02.mgmt.local

2. Create custom Monitors:

add lb monitor monitor-SFB-TCP4443 TCP -LRTM ENABLED -destPort 4443 -secure YES
add lb monitor monitor-SFB-TCP8080 TCP -LRTM ENABLED -destPort 8080

3. Create Service Groups

add serviceGroup service-SFB-FE_8080 HTTP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES -appflowLog DISABLED
add serviceGroup service-SFB-FE_4443 SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES -appflowLog DISABLED

4. Bind servers and Monitors to the Service Groups

bind serviceGroup service-SFB-FE_8080 MGMTSFBFE01.mgmt.local 8080 -CustomServerID "\"None\""
bind serviceGroup service-SFB-FE_8080 MGMTSFBFE02.mgmt.local 8080 -CustomServerID "\"None\""
bind serviceGroup service-SFB-FE_8080 -monitorName monitor-SFB-TCP8080
bind serviceGroup service-SFB-FE_4443 MGMTSFBFE01.mgmt.local 4443 -CustomServerID "\"None\""
bind serviceGroup service-SFB-FE_4443 MGMTSFBFE02.mgmt.local 4443 -CustomServerID "\"None\""
bind serviceGroup service-SFB-FE_4443 -monitorName monitor-SFB-TCP4443

5. Create Virtual Servers for Skype

add lb vserver vserver-SFB-FE_80 HTTP 80 -persistenceType COOKIEINSERT -timeout 180 -cookieName MS-WSMAN -cltTimeout 180
add lb vserver vserver-SFB-FE_443 SSL 443 -persistenceType COOKIEINSERT -timeout 180 -cookieName MS-WSMAN -cltTimeout 180


6. Bind Virtual Servers to Service Groups

bind lb vserver vserver-SFB-FE_80 service-SFB-FE_8080
bind lb vserver vserver-SFB-FE_443 service-SFB-FE_4443

7. Configure SSL (disables TLS 1.1 and TLS 1.2 on the virtual server, then binds the certificate)

set ssl vserver vserver-SFB-FE_443 -tls11 DISABLED -tls12 DISABLED
bind ssl vserver vserver-SFB-FE_443 -certkeyName SFB_FE_Certificate
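
A consistency check over the commands from steps 3 to 7, as an added example that is not part of the original article: it parses NetScaler CLI text and reports service groups without members or monitors, virtual servers without a service group or certificate, and SSL virtual servers where TLS 1.2 is switched off, as step 7 does. The `audit` function and the trimmed `PAGE_CONFIG` sample are assumptions made for this illustration.

```python
import shlex

# Trimmed copies of this page's SSL-path commands (steps 3-7), constructed sample.
PAGE_CONFIG = """\
add serviceGroup service-SFB-FE_4443 SSL -maxClient 0 -cltTimeout 180
bind serviceGroup service-SFB-FE_4443 MGMTSFBFE01.mgmt.local 4443 -CustomServerID "\\"None\\""
bind serviceGroup service-SFB-FE_4443 -monitorName monitor-SFB-TCP4443
add lb vserver vserver-SFB-FE_443 SSL 443 -persistenceType COOKIEINSERT
bind lb vserver vserver-SFB-FE_443 service-SFB-FE_4443
set ssl vserver vserver-SFB-FE_443 -tls11 DISABLED -tls12 DISABLED
bind ssl vserver vserver-SFB-FE_443 -certkeyName SFB_FE_Certificate
"""

def audit(config):
    """Return sorted (object, issue) findings for NetScaler CLI text."""
    groups, vservers = {}, {}
    for line in config.splitlines():
        t = shlex.split(line)
        wide = len(t) > 1 and t[1].lower() in ("lb", "ssl")
        n = 3 if wide else 2  # index of the object name
        if len(t) <= n:
            continue
        cmd, name = " ".join(t[:n]).lower(), t[n]
        opts = {t[i].lower(): t[i + 1]
                for i in range(n + 1, len(t) - 1) if t[i].startswith("-")}
        if cmd.endswith("servicegroup"):
            g = groups.setdefault(name, {"members": 0, "monitors": 0})
            if cmd.startswith("bind"):
                g["monitors" if "-monitorname" in opts else "members"] += 1
        elif cmd.endswith("vserver"):
            v = vservers.setdefault(
                name, {"type": "", "groups": 0, "cert": False, "tls12_off": False})
            if cmd == "add lb vserver" and len(t) > n + 1:
                v["type"] = t[n + 1].upper()
            elif cmd == "bind lb vserver" and len(t) > n + 1 and not t[n + 1].startswith("-"):
                v["groups"] += 1  # a service or service group binding
            elif cmd == "set ssl vserver" and "-tls12" in opts:
                v["tls12_off"] = opts["-tls12"].upper() == "DISABLED"
            elif cmd == "bind ssl vserver" and "-certkeyname" in opts:
                v["cert"] = True
    out = [(k, "no members bound") for k, g in groups.items() if not g["members"]]
    out += [(k, "no monitor bound") for k, g in groups.items() if not g["monitors"]]
    out += [(k, "no service group bound") for k, v in vservers.items() if not v["groups"]]
    out += [(k, "no certificate bound") for k, v in vservers.items()
            if v["type"] == "SSL" and not v["cert"]]
    out += [(k, "TLS 1.2 disabled") for k, v in vservers.items() if v["tls12_off"]]
    return sorted(out)

if __name__ == "__main__":
    for finding in audit(PAGE_CONFIG):
        print(*finding, sep=": ")
```
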


Installing certificate into Citrix Netscaler VPX -part 2

In my previous article, I imported a GoDaddy SAN certificate into my Netscaler, but this certificate is signed by an intermediate Certificate Authority, so we have to install the intermediate Certificate Authority's certificate on the NetScaler as well. This intermediate certificate must then be linked to the server certificate.

Open the SAN certificate, go to Certification Path, pick the Intermediate CA and hit View Certificate, then in Details, hit Copy to File:




Choose Base-64 format:


Save the file locally:



Now go back to Netscaler administration, open SSL\Certificates and hit Install:


On our SAN certificate, choose Action\Link:


Choose Intermediate CA certificate:

Once linked, the SSL certificate is ready to be added to the load balancing Virtual Server.

Installing certificate into Citrix Netscaler VPX -part 1

In my future articles, I am going to write about Skype for Business (SFB) Front End Pool Load Balancing via Citrix Netscaler VPX. In order to do it, we need to import the SFB SAN certificate into Netscaler. Windows certificates cannot be imported on NetScaler in PFX format, so we must first convert the certificate to PEM format.

Open the MMC console, add the Certificates snap-in (choose the local computer store), then go to Personal Certificates and find your SAN certificate. (I am using a SAN certificate from GoDaddy.) Right-click the certificate and choose All Tasks > Export:



Choose Yes, export the private key:


Store it on local drive:

Hit Finish.


Now log in to Netscaler and make sure SSL Offloading is enabled (under Configure Basic Features).


Then go to SSL\Tools\Import PKCS#12



Type the Output file name, in my case SFB_FE_certificate.cer; in PKCS12 file, browse for the PFX on your local drive, type the password, choose the DES3 encoding format and type your passphrase. Hit OK.

Under Manage Certificates / Keys / CSRs you will be able to see the newly imported certificate, but we are not done yet.

Now go to SSL\Certificates and hit Install:


Choose the imported CER file:

The certificate is now imported:


In the second part, I will show you how to import the server certificate for the Intermediate Certificate Authority and bind it to the SAN certificate.