Citrix Netscaler IP addresses

jskfan used Ask the Experts™
Can someone explain the usage of the NetScaler Virtual Server IP address and the Mapped IP address?
If I understand the NetScaler appliance, when it sits in the DMZ it should have at least 2 NICs connected to the external firewall and 2 NICs connected to the internal firewall.
So how do the NetScaler Virtual Server IP address and the Mapped IP address get used when the traffic comes in or goes out?
Is the Mapped IP the IP address of the NetScaler interface facing the inside network?

Any explanation ?

Citrix's support stance is to not use dual homed interfaces on NetScaler.  Their preference is to have one set of NetScalers in the DMZ for VPN/ICA proxy and another set in your private network for load balancing.  Failing that, the NetScalers should be in the DMZ with only a DMZ interface.  All IPs (NSIP, SNIP, VIPs) should reside in the DMZ.

Here is a rundown on the various IPs:

-NetScaler IP (NSIP): Used for management of the NetScalers.  The NSIP is also the source of authentication (LDAP, RADIUS, etc) traffic.

-Subnet IP (SNIP): The SNIP has (I believe) completely replaced the MIP with NS 11.0, that is to say MIPs have been deprecated.  Communication to private services (DNS, ICA, Web Interface, StoreFront, etc.) originate from the SNIP.

-Virtual IPs: VIPs are used to provide for load balancing and high availability of services.  For example, a typical XenApp deployment will have two StoreFront servers for high availability.  You can point users directly to one StoreFront server, though if that server goes down users won't be able to connect unless you change DNS, tell them to use a different IP, etc.  Instead you should use a VIP that serves as a front end to the StoreFront servers.  You point users (and DNS) to the VIP rather than directly to any particular StoreFront server.  You can use VIPs for a variety of services: DNS, WWW, etc.  You can use them for far more than just Citrix stuff.


So the external traffic will come in to the Virtual Server (inside the NetScaler) that points to Access Gateway, then goes to the MIP, then to the XenApp servers.
The NSIP is the management interface.

I believe the traffic that goes back to external users from inside has a separate interface
Lead Sales Engineer - Public Sector

That is not Citrix' standpoint at all. Even on the SDX platform, it is routinely positioned to have a SINGLE deployment of NetScaler appliances be able to be connected to multiple different security zones without compromising your security.

Mapped IPs (MIPs) are no longer supported with firmware v11. The only value in learning about them now is to understand how they need to be "dealt with" in terms of upgrades of the appliances to newer firmware versions.

In a nutshell, the NetScaler is the actual endpoint that your client will terminate its connection to. Through proxying, the user's session is extended to the actual back-end server via a connection that originates on the NetScaler. MIPs are basically IPs that are used for this back-end server communication, sort of like performing a NAT on a firewall device. In the newer version of firmware, the option was added to perform this translation using an IP already coded on the NS for actual network communication - the SNIP. This method is what is supported moving forward.
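As an added example (not taken from the thread or from Citrix documentation), here is a NetScaler CLI configuration that puts the three IP roles from the rundown above to work and makes the proxying point in this post concrete: the client terminates on the VIP, and the back-end connections originate from the SNIP rather than a MIP. Every address, server name and object name is a constructed placeholder, and the SSL certificate-key pair is assumed to be already loaded on the appliance.

```nscli
# Added example, not the original thread's configuration. All addresses,
# hostnames and object names below are constructed placeholders.

# NSIP: management only. Keep only the secure management protocols enabled.
set ns config -IPAddress 10.10.0.10 -netmask 255.255.255.0
set ns ip 10.10.0.10 -gui SECUREONLY -ssh ENABLED -telnet DISABLED -ftp DISABLED

# SNIP: the address the appliance uses as the SOURCE when it opens back-end
# connections (DNS, LDAP, StoreFront, ICA). No management access on it.
add ns ip 10.10.0.20 255.255.255.0 -type SNIP -mgmtAccess DISABLED

# Back-end StoreFront servers, each health-checked with an HTTPS monitor.
add server sf01 10.20.0.11
add server sf02 10.20.0.12
add lb monitor mon_sf HTTP -httpRequest "HEAD /Citrix/StoreWeb/" -respCode 200 -secure YES
add service svc_sf01 sf01 SSL 443
add service svc_sf02 sf02 SSL 443
bind service svc_sf01 -monitorName mon_sf
bind service svc_sf02 -monitorName mon_sf

# VIP: the address users and DNS are pointed at. Clients terminate here;
# the NetScaler proxies each session to a bound service from the SNIP.
add lb vserver vs_storefront SSL 192.0.2.10 443 -persistenceType SOURCEIP
bind lb vserver vs_storefront svc_sf01
bind lb vserver vs_storefront svc_sf02
bind ssl vserver vs_storefront -certkeyName cert_storefront   # cert_storefront assumed loaded

# Because back-end connections originate from the SNIP, StoreFront logs would
# show 10.10.0.20 for every client. Insert the real client address as a header
# so the servers (and your SIEM) can still attribute requests to a client.
set service svc_sf01 -CIP ENABLED X-Forwarded-For
set service svc_sf02 -CIP ENABLED X-Forwarded-For

# Verify which roles the appliance now holds.
show ns ip
```

The operational consequence for the firewall team follows directly from the IP roles: the internal firewall needs to permit the SNIP (10.10.0.20 here) to the StoreFront and XenApp ports, and the NSIP (10.10.0.10) to the LDAP or RADIUS servers, since those are the only addresses the back end will ever see connections from; client addresses never appear as sources behind the appliance, which is also why the header insertion above matters for logging.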
mburdick, I've had Citrix tell me that at Synergy.  I had always deployed in two arm mode prior to that, and still do occasionally.  I think like most things, it depends upon who you talk to at the vendor.


I will get back on this later
Thank you Guys!
