NetScaler VPX change subnets (DMZ move)

Greetings All,

We have a basic configured VPX NetScaler Appliance on VMware which sits in the operational VLAN. 

Outside access to Citrix Farm is through Public IP, then NAT to Web Access Proxy Server in DMZ, which ports connections to operational VLAN to NetScaler (Citrix Farm lives here too).

We would like to move the VPX to the DMZ VLAN for improved and secure access. 

As I see it we have 3 x options:

Option 1: Move all IPs to DMZ (requires FW rules on our ASA and changing WAP porting to NAT on ASA) - Security best practice is to split DMZ and internal onto separate NetScaler VPX (using Hop?) so you don't straddle the firewall. So not recommended. 

Option 2: Add 2nd VPX NetScaler appliance to DMZ VLAN and set Hop to original VPX in Operations VLAN - requires additional license?

Option 3: Add 2nd Interface to VPX for DMZ, change VIP to this subnet, then change WAP setting to new VIP (now with DMZ VLAN IP address) - recommended although does not comply with our policy (dual interface with both Operational VLAN with DMZ VLAN). I am leaning more towards this one atm.

Any other options I can consider?  Comments on above?

Thanks in advance.


I always recommend separate appliances since NetScaler doesn't have ideal options for configuring multiple routing tables on a single appliance. Each appliance is a separate license.


NetScaler's multi-routing (i.e. VRF) options include: Traffic Domain and Partitions. But not every feature works, especially Gateway.


  • 1 month later...

I'm back with an update, and another question :-)

I have set up 2 x VPX Appliances, 1 in DMZ and 1 in Internal secure network (the proxy).

I have followed your previous threads on setting most of this up, however I am using ADC Gateway version (Citrix Support gave me a couple of trial licenses for the POC, we currently use Gateway), so I have no way of getting the Web Interface servers set up as LB vServer on the proxy NS. ATM just an HTTP 500 error once successfully authenticated at gateway (I hit the session policy too - confirmed this, just no WI behind wall).

The web interface servers are running HTTP (not secure) so opening up DMZ to them is off the cards I think. 

Is there another way I can get the web interface working with the double hop configuration on ADC Gateway?

Only other alternative is I stand up a couple of secure StoreFront servers ahead of schedule for this POC, I was going to do this and replace the old Citrix Farm with latest release anyway.  

Thanks in advance.





  • 2 months later...

Set up the Double Hop configuration successfully with new StoreFront server for PoC.

Deployed new RADIUS servers (Microsoft NPS, using MFA) on internal network. Set up RADIUS authentication only on Gateway (no secondary authentication with LDAP), as the Gateway NS in DMZ, Firewall only has TCP\443 and UDP\1812 port open between DMZ NS and Proxy NS sitting in internal network. Opening LDAP port in DMZ was a step too far for our firewall security posture so left it out - not sure what the consequences are for this?



