

Netscaler 9.3 Source IP and Firewalls

Posted on 2014-10-05
Medium Priority
Last Modified: 2016-10-25
I am not a networking expert but was hoping someone could clarify this for me.

We are using a Citrix Netscaler 9.3 which has one of its load balanced services set to use Source IP. This is needed so we see the client's actual IP address instead of seeing all connections in the log as coming from the Netscaler. Anyway, now this is working perfectly, but I was told that by default a router will drop a packet if the source IP differs from what it was received on....

I do not manage our firewall but am interested to learn more about this for my own knowledge.
Question by:compdigit44

Accepted Solution

btan earned 2000 total points
ID: 40363516
this FAQ is useful insight for interest

By enabling this mode, you compromise the client-to-server reuse ratio because the appliance cannot reuse the connections for other clients. The appliance only reuses the connection for the same client. Therefore, this mode is more useful in an environment where the appliance is deployed in a non-obtrusive manner, yet provides core benefits of syn-attack, surge protection, and WAN latency.

For example, the following scenario explains the internal working of the NetScaler appliance when the USIP address mode is enabled on it:

Consider that the client C1 initiates 10 connections to the server S1. The NetScaler appliance multiplexes client requests across 10 server connections and when C1 has finished browsing, these connections are put in the shared pool. Only client C1 can now use these shared pool connections, whenever it decides to access the site again. These connections are timed out after three minutes of inactivity. The appliance cannot reuse connections of C1 for other clients; instead, it opens a new connection to the server for other clients. The reuse pool is now fragmented based on the client IP address. As a result, this feature dramatically reduces the client-server total connection difference.

Surge protection works on the total number of server connections and with source IP set to ON, the appliance has a lot of shared pool connections for HTTP protocols. A large reuse pool, therefore, artificially inflates the total server connections. The surge protection feature does not work as expected because it aggressively throttles the server Opens per second.

Restriction for HTTP protocols: Due to the restrictions in NetScaler appliance port manipulation, this option only works for 64,000 simultaneous server connections. The source IP address of the client is retained but the source port is changed to that of the appliance owned IP address so that connection reuse can be achieved. This restriction is not applicable for the non-HTTP protocols.
The USIP address mode is mandatory with the Direct Server Return (DSR) mode: You must enable the USIP address mode with the DSR mode because the return packets have to go directly to the clients from the backend server. If the source IP address is changed on the appliance from the client IP address to that of a MIP or SNIP address of the appliance, the packets cannot be sent to the client directly from the backend server.

The USIP address mode is mandatory with Session-less VServer: In the DSR mode or for Intrusion Detection System (IDS), servers maintaining sessions are not required as the appliance only performs switching and forwarding functionality. To avoid creation of sessions, the user has to configure Session-less VServer on the appliance. The USIP address mode is required as in DSR mode the backend server needs to respond directly to the client. In IDS load balancing it is required because the IDS load balancing works in the transparent mode and the Source/Destination IP addresses need to be retained.

Also in the aspects of FW and routing
Firewall and routing

Instead of changing the destination IP, the destination MAC is changed (see paragraph “How it works” for details), so the SNIP must reside in the same routing subnet as the VIP of the virtual server. If for example the VIP and SNIP are in 10.0.0.x and the server in 192.16.0.x then the packet is never routed. The SNIP sends out a packet from the 10.0.0.x subnet and therefore it should not be routed; as a result no server picks up the packet (the NIC with the provided MAC listens on the 192.168.0.x subnet).

Incomplete SYN

From eDocs: Because the appliance does not proxy TCP connections (that is it does not send SYN-ACK to the client), it does not completely shut out SYN attacks. By using the SYN packet rate filter, you can control the rate of SYNs to the server. To control the rate of SYNs, set a threshold for the rate of SYNs. To get protection from SYN attacks, you must configure the appliance to proxy TCP connections. However, that requires the reverse traffic to flow through the appliance.

Because there’s an incomplete SYN, Intrusion Detection / Protection Systems (IDS / IPS) could mark the traffic as malicious and therefore break it.
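The two mechanisms quoted above (the per-client fragmentation of the connection reuse pool under USIP, and the DSR requirement that VIP, SNIP and server share a subnet because only the destination MAC is rewritten) can be checked with a small model. The following is an added example written for this page; it is not Citrix code or part of the original answer. It assumes a simplified pool model (a burst of N requests from one client needs N server connections, all of which return to the idle pool afterwards; the three-minute idle timeout and port numbers are ignored) and constructed /24 addresses; the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed workload: (client IP, number of concurrent requests in the burst).
# Bursts are sequential, so connections from one burst are idle by the next.
SAMPLE_BURSTS = [
    ("198.51.100.10", 10),  # C1 opens 10 connections
    ("198.51.100.11", 10),  # C2
    ("198.51.100.12", 10),  # C3
    ("198.51.100.10", 10),  # C1 comes back
]


def server_connections_opened(bursts, usip):
    """Count server-side connections the appliance must open for the bursts.

    Without USIP every server connection carries the appliance's own source IP
    (SNIP), so an idle connection can serve any client. With USIP the pool is
    keyed by the client's IP address: an idle connection opened for C1 can only
    be reused by C1, so each distinct client forces new server connections.
    """
    idle = defaultdict(int)  # pool key -> number of idle connections
    opened = 0
    for client_ip, n in bursts:
        key = client_ip if usip else "shared"
        reused = min(idle[key], n)
        idle[key] -= reused
        opened += n - reused       # the remainder must be newly opened
        idle[key] += n             # after the burst all n connections go idle
    return opened


def dsr_topology_ok(vip, snip, server):
    """Check the DSR layer-2 constraint from the quoted FAQ.

    In DSR the appliance rewrites only the destination MAC, so the packet is
    never routed: VIP and SNIP must share a subnet and the server must sit in
    that same subnet or no NIC will pick the frame up. Arguments are
    'address/prefix' strings (prefix lengths are an assumption of this model).
    """
    v, s, srv = (ipaddress.ip_interface(x) for x in (vip, snip, server))
    return v.network == s.network and srv.ip in v.network


if __name__ == "__main__":
    print("server connections without USIP:",
          server_connections_opened(SAMPLE_BURSTS, usip=False))  # 10
    print("server connections with USIP:   ",
          server_connections_opened(SAMPLE_BURSTS, usip=True))   # 30
    # The subnet example from the FAQ, with constructed host addresses.
    print("DSR ok, server in VIP subnet:",
          dsr_topology_ok("10.0.0.10/24", "10.0.0.11/24", "10.0.0.20/24"))
    print("DSR ok, server in other subnet:",
          dsr_topology_ok("10.0.0.10/24", "10.0.0.11/24", "192.168.0.20/24"))
```

The tripled connection count in the USIP run is the "artificially inflated total server connections" the FAQ warns about: surge protection throttles on that total, so the same client traffic trips it sooner once USIP is on.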
Author Comment

ID: 40363930
Wow, this is a great response.... I have to admit though your answer was so in-depth it was a bit over my head.

So does using USIP on a Netscaler require any changes on the firewall????
Expert Comment

ID: 40365025
No changes, as NS is to send over the actual Src IP as stated. The key takeaway is the FW has to assume the SYN attack and surge protection, which NS can do as well, but due to this change of retaining the Src IP, the benefits from NS are no longer in effect or are minimal.