Challenge
A mid-sized financial institution with operations in two regional datacenters needed seamless, secure, and uninterrupted access to Citrix-hosted applications for its staff, regardless of which site they connect from. The solution had to provide high availability, geographic load balancing, and full compatibility with Citrix Workspace App and thin clients. Security and identity federation were also top priorities due to the sensitive nature of financial data.
Approach
We designed and deployed a highly available, multi-site Citrix networking architecture using Citrix NetScaler (VPX) and Global Server Load Balancing (GSLB):
- NetScaler HA Pairs: At each datacenter, we deployed two NetScaler VPX instances in a high availability (HA) configuration, ensuring fault tolerance in case of node failure.
- Citrix GSLB (Global Server Load Balancing) was implemented in an Active-Active setup using the Least Bandwidth routing algorithm. Given the low-latency, high-bandwidth link between the institution’s two sites, this setup allowed for optimized distribution of traffic and session resilience.
- ADNS Services and Subdomain Delegation were configured to allow site-specific name resolution and seamless routing.
- Metric Exchange Protocol (MEP) was set up to keep both sites in constant sync about service health and availability.
- Session Persistence was carefully implemented to support Citrix Workspace App (CWA), web browsers, and thin clients—ensuring user sessions remained stable, even when traversing between GSLB sites.
- Security & SAML Integration: The NetScalers were configured as SAML Service Providers (SP) and integrated with the customer’s enterprise Identity Provider (IdP). This enabled federated SSO access across devices, platforms, and user scenarios—enhancing both security and user experience.
Results
- 99.99% availability of Citrix resources across both sites, with automatic site-to-site failover and minimal user impact.
- Improved login consistency and session reliability for users connecting from thin clients and unmanaged devices.
- Balanced traffic across datacenters, reducing the load on any one site while maximizing performance.
- Compliance-aligned identity federation with centralized control over user authentication and access policies.
- A scalable architecture ready to support future growth and regional expansion without major redesign.