Jump to content
Welcome to our new Citrix community!

Netscaler Gateway loopback and VIP


Michael Hu

Recommended Posts

How would I add a loopback address to a Netscaler Gateway (virtual server)?  In the past we would add the loopback address to the Windows Servers when the Citrix Secure Gateway was behind a VIP.  Can't find how to accomplish this with the Netscaler Gateway. 

 

Running Netscaler VPX 12.0.56.20

 

Thanks. 

Link to comment
Share on other sites

It's been so long since I've even had to think of that config, that I actually forgot something about it and all my sg docs are on old laptops :). 

I don't think you need a loopback address anymore...what was the scenario/traffic flow that required that with Secure Gateway?

 

The vpn vserver is either on a netscaler ha pair or if load balanced, persistence would solve the problem; a loopback address like we had in Secure Gateway shouldn't be needed.

 

Link to comment
Share on other sites

On 5/7/2019 at 1:56 PM, Rhonda Rowland1709152125 said:

It's been so long since I've even had to think of that config, that I actually forgot something about it and all my sg docs are on old laptops :). 

I don't think you need a loopback address anymore...what was the scenario/traffic flow that required that with Secure Gateway?

 

The vpn vserver is either on a netscaler ha pair or if load balanced, persistence would solve the problem; a loopback address like we had in Secure Gateway shouldn't be needed.

 

 

I have not been able to get it to work behind a VIP.  I believe the issue is the Netscaler gateway is discarding the packets because it does not know the VIP address.  

 

Not Working:  (BigIp is doing Source NAT).  

Client--->Firewall--->BigIP VIP--->Netscaler Gateway ---> Server

 

Working:

Client-->Firewall--->Netscaler Gateway--->Server

 

 

Link to comment
Share on other sites

Why do you have  a VIP in front of your NS Gateway vpn vserver?

You should be able to use the gateway in an NS ha pair, without load balancing and just get your gateway working.

 

If you decided you need to load balance to scale out, you can, but you have to use the correct persistence, and it would also affect how your storefront/wi to gateway configuration would have to be updated.  But the original reason for using a "Loopback" address on the secure gateway should have no relevance on the NS Gateway config.  (But it might help to know how you were originally using your SG; as you might be trying to do something the secure gateway-way and need to modify to a NS gateway way instead.)  

Edited by Rhonda Rowland
added additional note
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...