• Status: Solved

Should we allow traffic between the Netscaler SNIP and the XML/DDC servers' VIP, or between the NSIP and the XML/DDC servers' VIP, in the firewall?

Hello there,

Please advise if we should allow traffic between the Netscaler SNIP and the XML/DDC servers' VIP, or between the NSIP and the XML/DDC servers' VIP, in the firewall?

The Netscaler is in the DMZ.

Please advise.

Thanks and Regards
goprasad
goprasad (Author) Commented:
Please advise.

Coralon Commented:
It does not originate from the VIP.  

If you place a NIC on the internal network, then it will originate with the appropriate SNIP; if there is not, then it will use the DMZ SNIP/NSIP.

Coralon

goprasad (Author) Commented:
Thanks @Coralon, do you mean Netscaler SNIP or NSIP?

Coralon Commented:
Depends. If the Netscaler is purely within the DMZ without a leg in the internal network, by default, it will be the same address. Remember, the Netscaler listens to all IPs on all interfaces, but if it has a leg internally, that SNIP will be used as the source.

How are you configured as far as that goes (single-armed, multi-armed, etc.)?

Coralon

goprasad (Author) Commented:
We have configured the Netscaler as single-arm and the device resides purely in the DMZ.
Therefore, does the following apply?
Can you please elaborate on this: "if the Netscaler is purely within the DMZ without a leg in the internal network, by default, it will be the same address."

Coralon Commented:
My apologies, I misspoke on that one.  It's been a while since I've done a Netscaler, and thinking back, you do still have to have your NSIP and a MIP/SNIP. The source of traffic for your Netscaler should be that MIP/SNIP, not the NSIP.  The NSIP is purely for management.  It will absolutely *not* be the VIP.  

You can configure it to use source addressing, which would pass that through, but that brings its own challenges.

Assuming you are doing the access gateway piece, you don't need source addressing. You can use the Netscaler to inject an X-Header for the client IP.  (And this is assuming you are doing *more* than just the ICA Proxy, if you are doing just the ICA Proxy, then you don't need to bother with that X-Header).

Coralon