?
Solved

Should we allow traffic between Netscaler SNIP to XML/DDC servers VIP or between NSIP to XML/DDC servers VIP in firewall?

Posted on 2014-09-10
6
Medium Priority
?
274 Views
Last Modified: 2016-10-25
Hello there,

Please advise if we should allow traffic between Netscaler SNIP to XML/DDC servers VIP or between NSIP to XML/DDC servers VIP in firewall?

Netscaler is in DMZ.

Please advise.

Thanks and Regards
0
Comment
Question by:goprasad
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 

Author Comment

by:goprasad
ID: 40315977
Please advise.
0
 
LVL 25

Expert Comment

by:Coralon
ID: 40316126
It does not originate from the VIP.  

If you place a NIC on the internal network, then it will originate with the appropriate SNIP, if there is not, then it will use the DMZ SNIP/NSIP.

Coralon
0
 

Author Comment

by:goprasad
ID: 40316150
Thanks @Coralon, do you meant Netscaler SNIP or NSIP?
0
 
LVL 25

Expert Comment

by:Coralon
ID: 40316159
Depends.. if the Netscaler is purely within the DMZ without a leg in the internal network, by default, it will be the same address.  Remember, the netscaler listens to all IP's on all interfaces, but if it has a leg internally, that SNIP will be used as the source.

How are you configured as far as that goes? (single-armed multi-armed, etc.)?

Coralon
0
 

Author Comment

by:goprasad
ID: 40316323
We have configured Netscaler as single arm and the device resides purely in DMZ.  
Therefore the following apply?
Can yo please elaborate on this please -  if the Netscaler is purely within the DMZ without a leg in the internal network, by default, it will be the same address.
0
 
LVL 25

Accepted Solution

by:
Coralon earned 2000 total points
ID: 40318387
My apologies, I misspoke on that one.  It's been a while since I've done a Netscaler, and thinking back, you do still have to have your NSIP and a MIP/SNIP. The source of traffic for your Netscaler should be that MIP/SNIP, not the NSIP.  The NSIP is purely for management.  It will absolutely *not* be the VIP.  

You can configure it to use source addressing, which would pass that through, but that brings it's own challenges.  

Assuming you are doing the access gateway piece, you don't need source addressing. You can use the Netscaler to inject an X-Header for the client IP.  (And this is assuming you are doing *more* than just the ICA Proxy, if you are doing just the ICA Proxy, then you don't need to bother with that X-Header).

Coralon
0
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

At the beginning of the year, the IT world was taken hostage by the shareholders of LogMeIn. Their free product, which had been free for ten years, all of the sudden became a "pay" product. Now, I am the first person who will say that software maker…
If your vDisk VHD file gets deleted from the image store accidentally or on purpose, you won't be able to remove the vDisk from the PVS console. There is a known workaround that is solid.
In this video tutorial I show you the main steps to install and configure  a VMware ESXi6.0 server. The video has my comments as text on the screen and you can pause anytime when needed. Hope this will be helpful. Verify that your hardware and BIO…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question