Should we allow traffic between Netscaler SNIP to XML/DDC servers VIP or between NSIP to XML/DDC servers VIP in firewall?

Hello there,

Please advise whether we should allow traffic between the NetScaler SNIP and the XML/DDC servers' VIP, or between the NSIP and the XML/DDC servers' VIP, in the firewall.

The NetScaler is in the DMZ.

Please advise.

Thanks and Regards
goprasad asked:
goprasad (Author) commented:
Please advise.
Coralon commented:
It does not originate from the VIP.  

If you place a NIC on the internal network, then it will originate with the appropriate SNIP; if there is not, then it will use the DMZ SNIP/NSIP.

Coralon
goprasad (Author) commented:
Thanks @Coralon, do you mean the NetScaler SNIP or the NSIP?
Coralon commented:
Depends. If the Netscaler is purely within the DMZ without a leg in the internal network, by default, it will be the same address.  Remember, the netscaler listens to all IPs on all interfaces, but if it has a leg internally, that SNIP will be used as the source.

How are you configured as far as that goes (single-armed, multi-armed, etc.)?

Coralon
goprasad (Author) commented:
We have configured the NetScaler as single-arm and the device resides purely in the DMZ.
Therefore, does the following apply?
Can you please elaborate on this: "if the Netscaler is purely within the DMZ without a leg in the internal network, by default, it will be the same address."
Coralon commented:
My apologies, I misspoke on that one.  It's been a while since I've done a Netscaler, and thinking back, you do still have to have your NSIP and a MIP/SNIP. The source of traffic for your Netscaler should be that MIP/SNIP, not the NSIP.  The NSIP is purely for management.  It will absolutely *not* be the VIP.  

You can configure it to use source addressing, which would pass that through, but that brings its own challenges.

Assuming you are doing the access gateway piece, you don't need source addressing. You can use the Netscaler to inject an X-Header for the client IP.  (And this is assuming you are doing *more* than just the ICA Proxy, if you are doing just the ICA Proxy, then you don't need to bother with that X-Header).

Coralon
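Added example, not part of the thread above and not Citrix's own code: a small Python model of the source-address behaviour Coralon describes, so the firewall rule can be written down before the change window instead of discovered from dropped packets. The selection rule it implements is an assumption stated in the docstring (the SNIP on the destination's subnet wins; otherwise the SNIP on the subnet of the longest-prefix route's gateway; the NSIP and VIPs are never candidates), the addresses, routes and broker ports are constructed, and the function names are hypothetical. It also shows what "use source IP" (USIP) does to the rule: the source stops being a SNIP you can pin down and becomes the client's own address. One caveat the thread does not cover: some appliance-originated traffic, for example LDAP or RADIUS authentication for the gateway, uses the NSIP by default, so those destinations need their own rule; the model covers only the load-balanced XML/DDC flows asked about here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network


@dataclass(frozen=True)
class OwnedIP:
    """An address the appliance owns, e.g. "192.0.2.11/24", and its role."""
    address: str
    kind: str  # "NSIP", "SNIP" or "VIP"


@dataclass(frozen=True)
class Route:
    network: str  # e.g. "10.0.0.0/8"
    gateway: str  # next hop; must sit on one of the SNIP subnets


def select_source_ip(owned, routes, dest):
    """Source address the appliance uses for a connection it opens to dest.

    Modelled rule (assumption, not a Citrix API): a SNIP on the destination's
    own subnet wins; otherwise the SNIP on the subnet of the longest-prefix
    route's gateway. NSIP (management) and VIPs are never candidates.
    """
    dst = ip_address(dest)
    snips = [ip_interface(o.address) for o in owned if o.kind == "SNIP"]
    if not snips:
        raise ValueError("no SNIP configured; back-end traffic cannot be sourced")

    # Directly connected subnet: the SNIP on it is used.
    on_link = [s for s in snips if dst in s.network]
    if on_link:
        return str(max(on_link, key=lambda s: s.network.prefixlen).ip)

    # Routed destination: find the gateway, then the SNIP on the gateway's subnet.
    candidates = [r for r in routes if dst in ip_network(r.network)]
    if not candidates:
        raise ValueError(f"no route to {dest}")
    best = max(candidates, key=lambda r: ip_network(r.network).prefixlen)
    gateway = ip_address(best.gateway)
    for s in snips:
        if gateway in s.network:
            return str(s.ip)
    raise ValueError(f"gateway {best.gateway} is not on any SNIP subnet")


def firewall_rules(owned, routes, backends, usip=False):
    """Return (source, destination, port) tuples the firewall must permit.

    With USIP the appliance forwards the real client address, so the source
    can no longer be pinned to a SNIP and the servers' return path has to
    lead back through the appliance: the challenge the thread alludes to.
    """
    rules = []
    for host, port in backends:
        src = "client-ip" if usip else select_source_ip(owned, routes, host)
        rules.append((src, host, port))
    return rules


# Constructed topology for the single-arm DMZ case from the thread.
SINGLE_ARM = [
    OwnedIP("192.0.2.10/24", "NSIP"),
    OwnedIP("192.0.2.11/24", "SNIP"),
    OwnedIP("192.0.2.20/24", "VIP"),
]
SINGLE_ARM_ROUTES = [Route("0.0.0.0/0", "192.0.2.1")]

# The same appliance with a second leg on the internal server subnet.
TWO_ARM = SINGLE_ARM + [OwnedIP("10.0.3.11/24", "SNIP")]
TWO_ARM_ROUTES = SINGLE_ARM_ROUTES + [Route("10.0.0.0/8", "10.0.3.1")]

# Constructed XML/DDC brokers: one on the internal leg's subnet, one routed.
BACKENDS = [("10.0.3.5", 80), ("10.0.9.5", 443)]

if __name__ == "__main__":
    for label, ips, routes in (("single-arm", SINGLE_ARM, SINGLE_ARM_ROUTES),
                               ("two-arm", TWO_ARM, TWO_ARM_ROUTES)):
        print(label)
        for rule in firewall_rules(ips, routes, BACKENDS):
            print("  allow %s -> %s:%d" % rule)
```

In the single-arm case every rule has the DMZ SNIP as its source and nothing else; adding the internal leg moves the source to that subnet's SNIP for both the on-link and the routed broker. Neither topology ever yields the NSIP or the VIP as a source.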