Netscaler 9.3 Source IP and Firewalls

I am not a networking expert but was hoping of someone could clarify this for me.

We are using a Citric Netscaler 9.3 which has one of it load balanced services set to use Source IP.  This is needed so we see the clients actually IP address instead of seeing all connections in the log as coming from the Netscaler. Anyway now  this is working perfectly but I was told that by default a route will drop a packet if the source IP differs from what is was received on....

I do not manage our firewall but am interested to learn more about his for my own knowledge.
LVL 20
compdigit44Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
this FAQ is useful insight for interest

By enabling this mode, you compromise the client-to-server reuse ratio because the appliance cannot reuse the connections for other clients. The appliance only reuses the connection for the same client. Therefore, this mode is more useful in an environment where the appliance is deployed in a non-obtrusive manner, yet provides core benefits of syn-attack, surge protection, and WAN latency.

http://support.citrix.com/article/CTX121974
For example, the following scenario explains the internal working of the NetScaler appliance when the USIP address mode is enabled on it:

Consider that eth client C1 initiates 10 connections to the server S1. The NetScaler appliance multiplexes client requests across 10 server connections and when C1 has finished browsing, these connections are put in the shared pool. Only client C1 can now use these shared pool connections, whenever it decides to access the site again. These connections are timed out after three minutes of inactivity. The appliance cannot reuse connection of C1 for other clients; instead, it opens a new connection to the server for other clients. The reuse pool is now fragmented based on the client IP address. As a result, this feature dramatically reduces the client-server total connection difference.

Surge protection works on the total number of server connections and with source IP set to ON, the appliance has a lot of shared pool connections for HTTP protocols. A large reuse pool, therefore, artificially inflates the total server connections. The surge protection feature does not work as expected because it aggressively throttles the server Opens per second.

Restriction for HTTP protocols: Due to the restrictions in NetScaler appliance port manipulation, this option only works for 64,000 simultaneous server connections. The source IP address of the client is retained but the source port is changed to that of the appliance owned IP address so that connection reuse can be achieved. This restriction is not applicable for the non-HTTP protocols.
The USIP address mode is mandatory with the Direct Server Return (DSR) mode: You must enable the USIP address mode with the DSR mode because the return packets have to go directly to the clients from the backend server. If the source IP address is changed on the appliance from the client IP address to that of and MIP or SNIP address of the appliance, the packets cannot be sent to the client directly from the backend server.

The USIP address mode is mandatory with Session-less VServer: In the DSR mode or for Intrusion Detection System (IDS), servers maintaining sessions are not required as the appliance only performs switching and forwarding functionality. To avoid creation of sessions, the user has to configure Session-less VServer on the appliance. The USIP address mode is required as in DSR mode the backend server needs to respond directly to the client. In IDS load balancing it is required because the IDS load balancing works in the transparent mode and the Source/Destination IP addresses need to be retained.

Also in the aspects of FW and routing
http://www.ingmarverheij.com/citrix-netscaler-dsr-poor-mans-load-balancing-solution/
Firewall and routing

Instead of changing the destination IP the destination MAC is changed (see paragraph “How it works” for details) the SNIP must reside in the same routing subnet as the VIP of the virtual server. If for example the VIP and SNIP are in 10.0.0.x and the server in 192.16.0.x then the packet is never routed . The SNIP sent outs a package from the 10.0.0.x subnet and therefore should not be routed, as a result no server picks up the packet (the NIC with the provided MAC listens on the 192.168.0.x subnet).

Incomplete SYN

From eDocs: Because the appliance does not proxy TCP connections (that is it does not send SYN-ACK to the client), it does not completely shut out SYN attacks. By using the SYN packet rate filter, you can control the rate of SYNs to the server. To control the rate of SYNs, set a threshold for the rate of SYNs. To get protection from SYN attacks, you must configure the appliance to proxy TCP connections. However, that requires the reverse traffic to flow through the appliance.

Because there’s an incomplete SYN Intrusion Detection / Protection Systems (IDS / IPS) could mark the traffic as malicious and therefore break it.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
compdigit44Author Commented:
Wow this is a great reason.... I have to admit thought you answer was do in-depth it was a bit over my head.

So does using USIP on a Netscaler require any changes on the firewall????
0
btanExec ConsultantCommented:
no changes as NS is to send over the actual Src IP as stated. The key takeaway is the FW has to assume the syn attack and surge protection which NS can do as well but due to this change of retaining Src IP, the benefits are not of effect from NS anymore or minimal.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Citrix

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.