jnordeng
 asked on

How to properly Secure the Management IP in an HA and singular node without breaking portal web page.

Hello. Via audit and best practice we are working to eliminate port 80 for use on our Netscalers. I have 2 IPs on the HA Clusters I have some questions about. (The env is Netscaler, Storefront, XenApp)

If I enable Secure Access only on the Management Portal IP, the page will no longer load. Everything I see says to secure the NSIP, which I have done; however, the Management IP is used on Traffic Domain 1 and is important in the HA Clusters. This fails the same on a single node not part of an HA. Is there another process to secure the Management IP? This is used if we should fail over to continue monitoring the HA rather than 1 individual node.

Our Netscalers are running version 11.1.63.15 and are Netscaler MPX 9700 FIPS.

The secondary IP is considered a floating subnet IP between the 2 nodes. I only have the 2 HAs in production; in test, a singular node. So I wanted to inquire as to the expected action should I enable the Secure Access only on the Network IP page options?

Thanks in advance for your assistance.
CitrixNetScaler


8/22/2022 - Mon
Sam Jacobs

I'm not sure what you mean by the Management Portal IP.
The NSIP (NetScaler IP) is the management IP.
Are you referring to the SNIP (Subnet IP), which is shared by the two nodes?
jnordeng

ASKER
We have an IP set that you can use and it will go between the two NSIPs in a management cluster. It is configured in a separate traffic zone so that the traffic is separated from the traffic being passed through the Netscaler. This was a requirement for security and at the business level. So the mgmt IP is in a different subnet than the NSIP and SNIP. Does that help?

Thanks
Sam Jacobs

I've heard of the NSIP and its corresponding SNIP bound to a separate interface and VLAN for security purposes but have not heard of the management IP being different than the NSIP.
The various IPs on the appliance are:
    NSIP
    SNIP or MIP
    VIP
... as defined here: https://www.schalley.eu/2014/07/18/netscaler-nsipsnipmipvip/

If you could point me to any documentation regarding another type of IP, I would appreciate it. Thanks.
ASKER CERTIFIED SOLUTION
jnordeng
