• Status: Solved

How to design a Citrix Netscaler deployment?

Hello Everyone,

Just purchased a new Netscaler 8200.  We want to use this for reverse proxy, NLB and SSL vpn.  I am trying to figure out the best deployment scenario for our environment.  

Basic Setup:
The netscaler has a management nic.  Is this interface any different than the other interfaces?  Does having a management nic on a different network mean that it would be a 2 arm deployment?

If everything is behind a firewall should I even bother with a management nic?  With the management nic routing becomes more complicated.

For SSL vpn is it best to have a nic on the inside and one on the DMZ?  Or should I just have a single nic in the DMZ?  

Reverse proxy
If we want to do reverse proxy in the DMZ for servers that reside on internal network is single arm ok?

1 Solution

The following Citrix document will give you comprehensive details of how to set up SSL VPN and reverse proxy.


Single arm should be okay for a reverse proxy setup. A single arm setup is easy to implement and troubleshoot; not many network changes are required and it provides good security.

jdflory (Author) commented:
Is single arm ok for vpn?  Should I be looking at each service separately?  Like single arm for reverse proxy and dual arm for vpn?

If I have single arm for vpn would I have to open all ports from netscaler to inside network?

gsmartin (Manager of IT) commented:
First, the NetScaler IP (NSIP) address is the IP address at which you access the NetScaler for management purposes. The NetScaler can have only one NSIP, which is also called the Management IP address. You must add this IP address when you configure the NetScaler for the first time. If you modify this address, you must reboot the NetScaler. You cannot remove an NSIP address. For security reasons, NSIP should be a non-routable IP address on your organization's LAN.  

FYI... This is Citrix's description of NSIP.  I have my Management IP (NSIP) configured and isolated on a separate internal management network.

Other interfaces have their specific purpose and it's important to understand each, i.e. SNIP (Subnet IP), MIP (Mapped IP), VIP (Virtual IP).  SNIP is typically used as your VLAN IP, MIP is typically used as a last resort proxy (at least one MIP has to be configured), and VIP is used as a virtual IP address to virtually sit in front of your servers, which the client machines will communicate to.


Further, in respect to VPN, I have a single arm configuration for VPN with multiple VLANs on the same interface and it works very well with no problems.  The single arm configuration was easier to deploy when I was new to the Netscaler, but now I am working on switching over to the dual arm configuration.
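
The NSIP isolation and the address types described in the comment above can be checked against a saved configuration. The following is an added example, not part of the original thread or Citrix's own tooling: it assumes ns.conf-style `set ns config` and `add ns ip` lines, reads "non-routable" as a private address, treats an omitted `-type` as SNIP and an omitted `-mgmtAccess` as disabled, and uses hypothetical function names and constructed sample addresses.

```python
import ipaddress
import shlex

# Constructed sample in ns.conf style (addresses are made up for illustration).
SAMPLE_CONF = """\
set ns config -IPAddress 192.168.50.10 -netmask 255.255.255.0
add ns ip 10.20.30.5 255.255.255.0 -type SNIP -mgmtAccess ENABLED
add ns ip 10.20.40.5 255.255.255.0 -type MIP
add ns ip 10.20.30.80 255.255.255.255 -type VIP
"""


def parse_options(tokens):
    """Turn ['-type', 'SNIP', ...] into {'type': 'SNIP', ...} (keys lowercased)."""
    return {tokens[i].lstrip("-").lower(): tokens[i + 1]
            for i in range(0, len(tokens) - 1, 2) if tokens[i].startswith("-")}


def audit(conf_text):
    """Return (address, finding) tuples for management-plane exposure."""
    findings = []
    for line in conf_text.splitlines():
        tok = shlex.split(line)
        if tok[:3] == ["set", "ns", "config"]:
            nsip = parse_options(tok[3:]).get("ipaddress")
            # Assumption: "non-routable" is interpreted as a private address.
            if nsip and not ipaddress.ip_address(nsip).is_private:
                findings.append((nsip, "NSIP is not a private address"))
        elif tok[:3] == ["add", "ns", "ip"] and len(tok) >= 5:
            addr, opts = tok[3], parse_options(tok[5:])
            ip_type = opts.get("type", "SNIP").upper()  # assumed default
            # Management access on a data-plane address defeats NSIP isolation.
            if opts.get("mgmtaccess", "DISABLED").upper() == "ENABLED":
                findings.append((addr, f"{ip_type} allows management access"))
    return findings


if __name__ == "__main__":
    for addr, finding in audit(SAMPLE_CONF):
        print(f"{addr}: {finding}")
```
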