
Security Experts - CS VIP on 443 and LB Services also on 443 on the backend. Security Concerns?


Kenneth Burks


Hi all,

Are there any security concerns with having a content switching VIP (SSL on port 443) that is NAT'd in from the firewall which would load balance to backend web servers (Apache, JBoss, etc.) that are also listening on port 443? I would like to hear opinions on whether, in the context of Content Switching using the NetScaler ADC, it would be best practice to always have different ports on back end services vs the 443 front end. Or is this simply security through obfuscation? Any opinions?


Hi!

As you have an SSL VIP, the client connection terminates on the NetScaler. When you have backend services on SSL, it sends the data to the servers using a secure channel. At this point the NetScaler is the client connecting to an SSL server.

This adds extra protection between the NetScaler and the server.

You could have different ports, but I don't think it would make any difference, as in the backend a new TCP and SSL session is formed.


Client --SSL--> VIP --SSL--> server


Archived

This topic is now archived and is closed to further replies.
