Implementing a De-Militarized Zone (DMZ) within any network is a good measure to protect servers that are on an internal or trusted network. This recipe will show a step-by-step implementation of NetScaler in a single-hop DMZ environment and multi-hop DMZ setup.
The Citrix NetScaler and Access Gateway are one and the same device but with different licenses. The Access Gateway functionality can be enabled with the Access Gateway universal license. The universal license, by default, enables five users to connect concurrently. Additional concurrent user licenses can be obtained for the number required (for example, a 100-user license).
Before the task begins, please make sure you have configured NetScaler with the Netscaler IP address, that is for management purposes (it will prompt in the initial configuration), and without which you will not be able to access the device. Also, the latest NetScaler devices come with two management interfaces; take care to not plug them into the same virtual local area network (VLAN), which would cause loops and broadcast storms.
Inbound Internet traffic to your network should be avoided at all costs; hence it is always recommended to set up NetScaler in a DMZ zone that is isolated from the trusted network (your internal network) and the Internet. It acts as a buffer zone between two enemies and does not allow direct contact between them.
This can be achieved by physically locating the web servers that will be accessed by the public network in a different subnet and by blocking any traffic from going beyond the DMZ to the trust zone, or by configuring the internal and DMZ subnets in two different VLANs, or having NetScaler's legs in two boats—one in DMZ and the other in the trust network. We shall discuss each of these options in the following recipes:
LB-Basic_LB_Topology
We will now be configuring the DMZ and internal zone in different VLANs:
Configure the virtual server IPs that are accessible over the Internet. The client reaches out to this IP address and establishes a TCP connection in order to access the backend servers.
Configure the VIP and its corresponding services and the server object applicable.
Go to Load Balancing | Virtual Servers:
By default, NetScaler assigns monitors to each of the services configured; load balancing, by default, is the least connection.
Please note to configure Subnet-IPs (SNIPs) while creating multiple VLANs and bind them to the respective VLANs.
We will now configure SNIP/MIP.
Go to System | Networking | IP (here you can see all the types of configured and configurable IPs):
Note
SNIP/MIP should be configured in the same subnet as the backend servers that are being load balanced.
A multi-hop DMZ setup has several layers of firewall protection that provide extra security to the internal network. It divides the DMZ into two stages, hence two access gateways need to be deployed in this scenario, one for each stage:
The access gateway needs to be configured with a default gateway or static routes to reach the internal network, so that users can access resources in the network. When clients connect, they can access the resources using the Citrix XenApp online plugin and not the access gateway plugin. Only ICA traffic is supported in this setup.
A simple way to accomplish this is to run the access gateway wizard, which will help in creating the virtual server and binding the certificates. External servers need to be configured for authentication and authorization. A detailed working on access gateway integration will be discussed later in the access gateway integration for the Citrix XenApp and XenDesktop (Become an expert) recipe.
The first recipe is pretty straightforward and has NetScaler in the DMZ and the server farm in the internal network. The VIP will be configured with a public IP and we can further restrict its access to the Internet by applying ACLs and also making use of external authentication.
In the second option, the access gateway in the first DMZ receives the client connections and redirects these connections to the web interface in the second DMZ. The access gateway in the second DMZ is a proxy that allows ICA traffic to traverse the second DMZ, to reach the backend server farm.
This section dwells on a few miniscule must-know facts on the Citrix NetScaler and its deployment.
Whenever the load balancing method is selected as metric-based (for example, least connection), NetScaler initially starts with Round Robin for what is known as the slow start period. For each new server added, it will initially be round robin for the slow start period. At this time, the <show lb server> output will show round robin as the current method.
In the NetScaler Configuration Utility GUI under System | Licenses, there will be a tick mark for all the licenses that are activated in the box. Features that are not enabled but have licenses would be shown as Capture_notenabled:
Capture_notenabled.
The licenses can be downloaded from My Citrix (http://citrix.com/downloads).