Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1604
Views
0
Helpful
2
Replies

Netscaler deployment

Limitless1801
Level 1
Level 1

‎10-25-2013 08:27 PM - edited ‎03-11-2019 07:56 PM

Hi,

We are deploying two Netscalers that are going to be sitting in our DMZ. The firewall also has an IPS module in it that inspects all the inbound/outbound traffic. The team deploying the Netscalers want to connect one interface to the DMZ and the other interface to the inside network. Personally, I don't believe this deployment is safe since:

1. The traffic is not completely seen by the firewall since once it hits the device it will go to the internal network (I understand that the device has ACL, Routing, etc capabilities)

2. Traffic won't be seen by the IPS.

3. Netscaler will be in charge of the internal network security once the firewall hands off the traffic to the device.

I don't have a lot of expertise on firewalls and their deployment's best practices so I need some help from the experts.

Thanks in advance. Rafael.

Labels:
0 Helpful
2 Replies 2

mvsheik123
Level 7
Level 7

‎10-28-2013 09:58 AM

Hi,

All your concerns are valid. Traffic from internet to NetScalar in DMZ will still be inspected. We installed Netscalers in DMZ for citrix form couple of years back and nothing directly connects to Inside. if I remember correct, you can deploy them in One-arm or two-arm deployment scenarios. if you go with one-arm , they do not need to connect 2nd interface. Talk to the deployment team and discuss with them about your security concerns.

hth

MS

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-28-2013 12:49 PM

I have seen it done both ways. I have also seen the Netscaler completely in parallel with the firewall - acting in essence as the only security layer for the VIPs it was serving up.

In either the "one-armed" or "two-armed" setup the inbound traffic (and the replies to the remote clients) still come through the ASA and IPS module (assuming you have the inspection policy setup to do so). Two-armed (Netscaler with both DMZ and Inside network interfaces) keeps the ASA from having to handle the incoming traffic twice and also keeps you from having to created DMZ-Inside access-lists for the Netscaler VIPs to distribute traffic to the backend real servers (presumably on the inside network).

Citrix Netscaler is a pretty well-designed box security-wise and even has the option (with Platinum license I believe) of application layer firewall that is more capable than the ASA in that particular sense.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card