Citrix Netscaler IP addresses

Can someone explain the usage of the NetScaler virtual server IP address and the Mapped IP address?
If I understand the NetScaler appliance correctly, when it sits in the DMZ it should have at least 2 NICs connected to the external firewall and 2 NICs connected to the internal firewall.
So how do the NetScaler virtual server IP address and the Mapped IP address get used when the traffic comes in or goes out?
Is the Mapped IP the IP address of the NetScaler interface facing the inside network?

Any explanation ?


Citrix's support stance is to not use dual homed interfaces on NetScaler.  Their preference is to have one set of NetScalers in the DMZ for VPN/ICA proxy and another set in your private network for load balancing.  Failing that, the NetScalers should be in the DMZ with only a DMZ interface.  All IPs (NSIP, SNIP, VIPs) should reside in the DMZ.

Here is a rundown on the various IPs:

-NetScaler IP (NSIP): Used for management of the NetScalers.  The NSIP is also the source of authentication (LDAP, RADIUS, etc) traffic.

-Subnet IP (SNIP): The SNIP has (I believe) completely replaced the MIP with NS 11.0, that is to say MIPs have been deprecated.  Communication to private services (DNS, ICA, Web Interface, StoreFront, etc.) originate from the SNIP.

-Virtual IPs: VIPs are used to provide for load balancing and high availability of services.  For example, a typical XenApp deployment will have two StoreFront servers for high availability.  You can point users directly to one StoreFront server, though if that server goes down users won't be able to connect unless you change DNS, tell them to use a different IP, etc.  Instead you should use a VIP that serves as a front end to the StoreFront servers.  You point users (and DNS) to the VIP rather than directly to any particular StoreFront server.  You can use VIPs for a variety of services: DNS, WWW, etc.  You can use them for far more than just Citrix stuff.
jskfan (Author) commented:
So the external traffic will come in to the virtual server (inside the NetScaler) that points to Access Gateway, then goes to the MIP, then to the XenApp servers.
NSIP is the management interface.

I believe the traffic that goes back to external users from inside has a separate interface.
Mark (Lead Sales Engineer - Public Sector) commented:

That is not Citrix' standpoint at all. Even on the SDX platform, it is routinely positioned to have a SINGLE deployment of NetScaler appliances be able to be connected to multiple different security zones without compromising your security.

Mapped IPs (MIPs) are no longer supported with firmware v11. The only value in learning about them now is to understand how they need to be "dealt with" in terms of upgrades of the appliances to newer firmware versions.

In a nutshell, the NetScaler is the actual endpoint that your client will terminate its connection to. Through proxying, the user's session is extended to the actual back-end server via a connection that originates on the NetScaler. MIPs are basically IPs that are used for this back-end server communication, sort of like performing a NAT on a firewall device. In the newer version of firmware, the option was added to perform this translation using an IP already coded on the NS for actual network communication - the SNIP. This method is what is supported moving forward.
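To make the IP roles described in the two answers above concrete, here is an added configuration example (not from the thread or from Citrix documentation) for a one-arm DMZ NetScaler: an NSIP for management, a SNIP that sources the back-end connections the proxy opens, and a load-balancing VIP fronting two StoreFront servers. All addresses are RFC 5737 documentation ranges, the object names, the StoreFront monitor path, the admin subnet 198.51.100.0/24 and the pre-installed certificate `storefront_cert` are assumptions, and the commands are NetScaler CLI (run in the `nscli` shell over SSH, or from the GUI's command interface), not a script for a general-purpose shell.

```text
# NSIP: management address of the appliance; also the source of LDAP/RADIUS
# authentication traffic as described above.
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0

# SNIP: the address the NetScaler uses as the SOURCE of its own server-side
# connections (the role the MIP used to fill). Management access stays
# disabled so the SNIP does not expose SSH/GUI on the DMZ segment.
add ns ip 192.0.2.11 255.255.255.0 -type SNIP -mgmtAccess DISABLED

# Back-end StoreFront servers (assumed addresses), reached from the SNIP.
add server sf01 192.0.2.21
add server sf02 192.0.2.22
add serviceGroup sg_storefront_ssl SSL
bind serviceGroup sg_storefront_ssl sf01 443
bind serviceGroup sg_storefront_ssl sf02 443

# Health monitor so a failed StoreFront node is pulled out of rotation
# (the request path is an assumption for this example).
add lb monitor mon_storefront HTTP -respCode 200 -httpRequest "GET /Citrix/StoreWeb/" -secure YES
bind serviceGroup sg_storefront_ssl -monitorName mon_storefront

# VIP: the client-facing endpoint. Creating the vserver creates the VIP; clients
# and DNS point here, never at sf01/sf02 directly. Client TLS terminates on the
# NetScaler, which then opens its own connection to a back end from the SNIP.
add lb vserver vs_storefront_ssl SSL 192.0.2.100 443 -persistenceType SOURCEIP
bind lb vserver vs_storefront_ssl sg_storefront_ssl
bind ssl vserver vs_storefront_ssl -certkeyName storefront_cert

# Because every IP lives in the DMZ, restrict who may reach the NSIP:
# allow the admin subnet, deny SSH and HTTPS to the NSIP from anywhere else.
add ns acl acl_mgmt_allow ALLOW -srcIP 198.51.100.0-198.51.100.255 -destIP 192.0.2.10 -priority 10
add ns acl acl_mgmt_deny_ssh DENY -destIP 192.0.2.10 -protocol TCP -destPort 22 -priority 20
add ns acl acl_mgmt_deny_https DENY -destIP 192.0.2.10 -protocol TCP -destPort 443 -priority 30
apply ns acls

save ns config
```

After applying this, `show ns ip` lists each address with its role (NSIP, SNIP or VIP), and `show connectiontable` shows client-side connections landing on 192.0.2.100 while the server-side connections to sf01/sf02 originate from 192.0.2.11, which is the proxying behaviour both answers describe. The firewall rule between the DMZ and the internal network therefore only needs to permit the SNIP (not the VIP or client addresses) to reach the back-end services, and the NSIP should be reachable only from the admin subnet.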

mburdick, I've had Citrix tell me that at Synergy.  I had always deployed in two arm mode prior to that, and still do occasionally.  I think like most things, it depends upon who you talk to at the vendor.
jskfan (Author) commented:
I will get back on this later
Thank you Guys!