Jump to content
Welcome to our new Citrix community!

WAF Placement for Netscaler

Recommended Posts

Hi, We have recently deployed a VDI solution via a Netscaler Gateway. It is perfectly working now and can be accessed from internet via a DNAT public IP which internally directs to the netscaler. Now we have a requirement to deploy this setup behind our WAF. Basically the WAF will be opened to internet and it will act as a reverse proxy for the netscaler. The WAF will do SSL offloading and the netscaler will receive all requests from external clients as if they were originated by the WAF (from WAF's IP). We have failed to get this to work and I seek your expertise on this matter. Want to make sure whether there are any limitations on this reverse proxy architecture behind a WAF.


Thanks in advance.

Link to comment
Share on other sites

  • 2 weeks later...

Typically, VPN solutions need to be able to directly interact with the client, and don't take well to being put behind an SSL proxy. They cope ok with NAT, but not a proxy.


Thus, for example, when we wish to use Citrix ADC to load-balance a VPN solution, we use "SSL-Bridge" mode.... which uses a TCP proxy, but the SSL session level is passed straight through to the VPN server.


Whilst the WAF might work for some of the initial pages (the NG's login page), I could see it having issues beyond that, especially when the ICA client launches (which, whilst it may be SSL on port 443 for convenience, is not at all HTTP [WAF = WEB application firewall])


Apart from "because that's the way we like to do things", why do you feel you need the WAF in front of the Citrix Gateway? 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...