Solved

Should we allow traffic between Netscaler SNIP to XML/DDC servers VIP or between NSIP to XML/DDC servers VIP in firewall?

Posted on 2014-09-10
6
264 Views
Last Modified: 2016-10-25
Hello there,

Please advise if we should allow traffic between Netscaler SNIP to XML/DDC servers VIP or between NSIP to XML/DDC servers VIP in firewall?

Netscaler is in DMZ.

Please advise.

Thanks and Regards
0
Comment
Question by:goprasad
  • 3
  • 3
6 Comments
 

Author Comment

by:goprasad
ID: 40315977
Please advise.
0
 
LVL 23

Expert Comment

by:Coralon
ID: 40316126
It does not originate from the VIP.  

If you place a NIC on the internal network, then it will originate with the appropriate SNIP, if there is not, then it will use the DMZ SNIP/NSIP.

Coralon
0
 

Author Comment

by:goprasad
ID: 40316150
Thanks @Coralon, do you meant Netscaler SNIP or NSIP?
0
 
LVL 23

Expert Comment

by:Coralon
ID: 40316159
Depends.. if the Netscaler is purely within the DMZ without a leg in the internal network, by default, it will be the same address.  Remember, the netscaler listens to all IP's on all interfaces, but if it has a leg internally, that SNIP will be used as the source.

How are you configured as far as that goes? (single-armed multi-armed, etc.)?

Coralon
0
 

Author Comment

by:goprasad
ID: 40316323
We have configured Netscaler as single arm and the device resides purely in DMZ.  
Therefore the following apply?
Can yo please elaborate on this please -  if the Netscaler is purely within the DMZ without a leg in the internal network, by default, it will be the same address.
0
 
LVL 23

Accepted Solution

by:
Coralon earned 500 total points
ID: 40318387
My apologies, I misspoke on that one.  It's been a while since I've done a Netscaler, and thinking back, you do still have to have your NSIP and a MIP/SNIP. The source of traffic for your Netscaler should be that MIP/SNIP, not the NSIP.  The NSIP is purely for management.  It will absolutely *not* be the VIP.  

You can configure it to use source addressing, which would pass that through, but that brings it's own challenges.  

Assuming you are doing the access gateway piece, you don't need source addressing. You can use the Netscaler to inject an X-Header for the client IP.  (And this is assuming you are doing *more* than just the ICA Proxy, if you are doing just the ICA Proxy, then you don't need to bother with that X-Header).

Coralon
0

Join & Write a Comment

After several days of searching and hunting for limited documentation, I wanted to share this guide to hopefully save someone the hassle of trying to figure this out on their own. I have tested this on Xendesktop 7.1 and PS 4.5 running simultaneous…
Veeam Backup & Replication has added a new integration – Veeam Backup for Microsoft Office 365.  In this blog, we will discuss how you can benefit from Office 365 email backup with the Veeam’s new product and try to shed some light on the needs and …
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…
In this video tutorial I show you the main steps to install and configure  a VMware ESXi6.0 server. The video has my comments as text on the screen and you can pause anytime when needed. Hope this will be helpful. Verify that your hardware and BIO…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now