
Server Placement in Secure Network with Double Hop DMZ Configuration


avinash shitole


Double Hop DMZ Configuration with one NetScaler in DMZ and one in Secure Network?

With a 3-tier security model we have set up something like below:

NetScaler-1 in DMZ1, NetScaler-2 and StoreFront in DMZ2, and XenApp in the Secure/Internal Zone

 

Internet -->   DMZ1 -->          DMZ2 -->                        Secure Zone
User           NetScaler-1       NetScaler-2, StoreFront         XenApp

 

I understood that we can put NetScaler-2 and StoreFront in the Secure/Internal Zone along with the XenApp server.

My question is: what will be in DMZ2? As for the inbound connection (Internet user browser to XenApp server), there must be a staging server in DMZ2.

 

Internet -->   DMZ1 -->          DMZ2 -->     Secure Zone
User           NetScaler-1       ??           NetScaler-2, StoreFront and XenApp

 

 


There are several protocols/traffic to consider:

  • LDAP
  • RADIUS
  • HTTP to StoreFront
  • ICA
  • HTTP to STA Servers

For LDAP, RADIUS, and HTTP, those can easily be configured to double-hop through Load Balancing VIPs on a NetScaler in DMZ2.

 

NetScaler Gateway supports double-hop ICA through a NetScaler Gateway in DMZ2. This same ICA double-hop will also handle STAs. https://docs.citrix.com/en-us/netscaler-gateway/12/double-hop-dmz/ng-double-dmz-how-it-works-con.html


11 hours ago, avinash shitole said:

understood that we can put NetScaler-2 and Storefront in Secure/Internal Zone along with XenApp Server.

My question is what will be in DMZ2? as for inbound connection(Internet User Browser to XenApp Server ) there must be Staging server in DMZ2

 

Here's the problem: if you don't keep NS2 in DMZ2, you kind of mess up the whole point of the double-hop config and the double DMZ network.

Gateway doesn't support more than 2 hops; so you either keep NS2 in DMZ2, or you move it to DMZ1 and you poke a hole straight from NS1 (DMZ1) all the way through DMZ2 to NS2 in the secured zone.

 

Note below, but I can load a diagram later if it will help.

 

 

The NS2 (double hop) should really be in DMZ2, as that is the point: traffic leaving DMZ1 talks to something in DMZ2 before being sent against the internal network.

 

Internet -->   DMZ1 -->          DMZ2 -->                                   Secure Zone
User           NetScaler (GW1)   NetScaler-2 (GW2, double hop)              StoreFront, XenApp
                                 internal LB resources like LDAP, DNS,
                                 StoreFront, or XML Brokers

 

Typical Config (keep NS2 in DMZ2):

So in this scenario, NetScaler1 (DMZ1) still handles authentication AND StoreFront communication.

Which means either NS1 talks directly to the domain controllers, probably in the secure zone, or you use NS2 to host an LB vserver VIP for AD traffic that only NS1 can use.

That would determine whether we are going straight from DMZ1 through DMZ2 to the secure zone without stopping, or from NS1 to NS2.

 

For StoreFront, NS1 does the StoreFront communication, not the NS2 gateway double-hop VPN vserver.

So the typical config keeps StoreFront in DMZ2. However, you can move StoreFront to the secure zone and use NS2 to host the LB vserver for StoreFront. Then Gateway1 on NS1 directs traffic to the StoreFront LB VIP on NS2. The VIP and NS2 are still in DMZ2, while the actual StoreFront servers are in the secured zone.

 

GW2 (VPN vserver) in double-hop mode has authentication OFF (as GW1 on NS1 handles that) and Double Hop ON, and no STA list, session policy list, or anything else.

It receives the STA traffic over SSL from GW1, and the actual ICA proxy over SSL from GW1, and passes it to the STAs and the actual XA server/VDA destinations on the internal network.

 

GW1 (VPN vserver) on NS1 in DMZ1 has authentication ON, double-hop OFF. It has the authentication policies, session policies, and STA list. But it also has a NEXT HOP specified as the GW2 (VPN VIP) on NS2 in DMZ2.

It will still need to reach authentication destinations from NS1 to the LDAP destination in the secured zone, either by crossing through DMZ2 or by hitting the LDAP VIP on NS2 in DMZ2.

It will still talk to StoreFront, which isn't handled by the double-hop gateway, but may be an LB vserver on NS2 in DMZ2.

Only the STA communication and the actual ICA proxy are forwarded to the GW2 (VPN vserver) on NS2 in DMZ2.
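The "typical config" described in this reply, written out as a NetScaler CLI fragment. This is an added example, not configuration posted by anyone in the thread and not taken from the Citrix documentation; it uses the classic policy syntax of the 12.x docs linked above. All names (GW1, GW2, NH_GW2, SF_LB, LDAP_LB, the service and server names) and all addresses are constructed: 192.0.2.10 stands for the public GW1 VIP in DMZ1, 198.51.100.20/21/22 for VIPs on NS2 in DMZ2, and 10.10.0.0/24 for the secure zone. The point it shows is that NS1 only ever opens connections into DMZ2 (to GW2, the StoreFront LB VIP and the LDAP LB VIP), while every connection into the secure zone originates from NS2.

```text
# --- NS1 (DMZ1): first-hop gateway GW1 -------------------------------
# Constructed addresses: 192.0.2.10 = GW1 public VIP (DMZ1),
# 198.51.100.20/21/22 = VIPs on NS2 (DMZ2), 10.10.0.0/24 = secure zone.
add vpn vserver GW1 SSL 192.0.2.10 443
set vpn vserver GW1 -authentication ON -doubleHop OFF

# Authentication stays on GW1. The LDAP server address is the LDAPS
# LB VIP on NS2, so NS1 never talks straight into the secure zone.
add authentication ldapAction LDAP_ACT -serverIP 198.51.100.22 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=internal" -ldapBindDn "svc_ns@example.internal" -ldapBindDnPassword "<bind-password-placeholder>" -ldapLoginName sAMAccountName
add authentication ldapPolicy LDAP_POL ns_true LDAP_ACT
bind vpn vserver GW1 -policy LDAP_POL -priority 100

# Session policy for ICA proxy; -wihome points at the StoreFront LB VIP
# on NS2, not at the StoreFront servers themselves.
add vpn sessionAction SF_ACT -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -clientlessVpnMode OFF -wihome "https://198.51.100.21/Citrix/StoreWeb"
add vpn sessionPolicy SF_POL ns_true SF_ACT
bind vpn vserver GW1 -policy SF_POL -priority 100

# STA list lives on GW1; STA validation requests are relayed through GW2.
bind vpn vserver GW1 -staServer "https://10.10.0.50"

# The double-hop piece: next hop is the GW2 VIP on NS2, over SSL.
add vpn nextHopServer NH_GW2 198.51.100.20 443 -secure ON
bind vpn vserver GW1 -nextHopServer NH_GW2

# --- NS2 (DMZ2): second-hop gateway GW2 ------------------------------
# No authentication, session or STA bindings: GW2 only relays the STA
# and ICA traffic it receives from GW1 to the secure zone.
add vpn vserver GW2 SSL 198.51.100.20 443
set vpn vserver GW2 -authentication OFF -doubleHop ON

# --- NS2 (DMZ2): LB VIPs that front secure-zone services for NS1 -----
add server SF1 10.10.0.31
add server SF2 10.10.0.32
add service SF1_SVC SF1 SSL 443
add service SF2_SVC SF2 SSL 443
add lb vserver SF_LB SSL 198.51.100.21 443
bind lb vserver SF_LB SF1_SVC
bind lb vserver SF_LB SF2_SVC

add server DC1 10.10.0.11
add service DC1_LDAPS DC1 SSL_TCP 636
add lb vserver LDAP_LB SSL_TCP 198.51.100.22 636
bind lb vserver LDAP_LB DC1_LDAPS
```

With this layout the firewall between DMZ1 and DMZ2 only needs to allow NS1 to reach the three NS2 VIPs (443 to GW2 and SF_LB, 636 to LDAP_LB), and the firewall between DMZ2 and the secure zone only needs to allow NS2 to reach the StoreFront servers and domain controllers on the ports above plus the STA/VDA destinations (HTTPS to the STAs, 1494/2598 to the VDAs). A rule allowing DMZ1 to reach the secure zone directly should not be necessary at all, which is an easy thing to verify on the firewalls once the config is in place.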

 

Alternate Config (you mentioned):

Internet -->   DMZ1 -->          DMZ2 -->     Secure Zone
User           NetScaler-1       ??           NetScaler-2, StoreFront and XenApp

 

The problem here is that you will have the NS in DMZ1 talking straight to the Secure Zone with nothing in DMZ2 doing anything, which is probably not what your security team wants.

NS to LDAP/RADIUS for authentication would go straight to the secure zone (or hit an LB VIP on NS2, or not, in this case)

NS to StoreFront

NS to NS2 for STAs (if doing a double-hop gateway)

NS to NS2 for HDX/ICA, aka the XA/VDA destinations (if doing a double-hop gateway)

 

But this doesn't provide much in the way of security, as it is just skipping the double-hop config and crossing the firewall boundaries directly. In this case, by NS2 not being in DMZ2, you simplify some of the firewall port crossings, but you are kind of skipping the role of DMZ2 as well.

 

 

 

 

 
