NetScaler ADC - Hidden vServer for HTTPS redirect

Starting with release 11.1, NetScaler ADC offers an easy way to redirect traffic from HTTP to HTTPS within the configuration of a load-balanced vServer. With 11.1, Citrix introduced the paramter  -redirectFromPort and -redirectURL.

While playing with a NetScaler ADC in my lab, I discovered a strange error message as I tried to configure the redirect.

Patrick Terlisten/ Creative Commons CC0

Patrick Terlisten/ Creative Commons CC0

Internal vserver couldn’t be set?! Okay, there was already a vServer, that was listening on port 80. After removing the vServer, I was able to setup the redirection and it was working as expected.

A hidden vServer

Later, I was really suprised to find a hidden vServer in the output of the “stat lb vserver” command.

> stat lb vserver lb_vsrv_https_httpredir_31 -fullValues

Virtual Server Summary
                                          vsvrIP  port     Protocol
lb_vsrv_https_httpredir_31    80         HTTP

lb_vsrv_https_httpredir_31                                  DOWN

                                              Health              actSvcs
lb_vsrv_https_httpredir_31                         0                    0

lb_vsrv_https_httpredir_31                         0

Virtual Server Statistics
                                          Rate (/s)                Total
Vserver hits                                       0                    0
Requests                                           0                    0
Responses                                          0                    0
Request bytes                                    108                 1131
Response bytes                                    66                  690
Total Packets rcvd                                 1                   15
Total Packets sent                                 1                   12
Current client connections                        -- 3
Current Client Est connections                    -- 0
Current server connections                        -- 0
Requests in surge queue                           -- 0
Requests in vserver's surgeQ                      -- 0
Requests in service's surgeQs                     -- 0
Spill Over Threshold                              -- 0
Spill Over Hits                                   -- 0
Labeled Connection                                -- 0
Push Labeled Connection                           -- 0
Deferred Request                                   0                    0
Invalid Request/Response                          -- 0
Invalid Request/Response Dropped                  -- 0
Vserver Down Backup Hits                          -- 3
Current Multipath TCP sessions                    -- 0
Current Multipath TCP subflows                    -- 0

The name of the vServer is always the same (name of the vServer plus suffix httpredir##). Sometimes, the vServer has an other ending number after a reboot. There is no hint to this vServer in the config of the NetScaler. The behaviour is the same for NetScaler ADC 11.1 and 12.0.

I don’t think that this some kind of a hack or an issue. But I think that’s something you should know when working with HTTPS redirection, or for troubleshooting purposes.