
Can ADC act like a firewall?


The ADC has the ability to implement ACLs that affect traffic passing through the ADC, and other filters that can apply to load balanced traffic and vpn/gateway-based traffic.

It is not meant to act as a pure network firewall in place of an actual firewall.


Your scenario is vague enough that the answer is "maybe"/"it depends".


If your users connect through the gateway/vpn to a set of destination VDIs, you can write authorization/session policy rules and possibly other settings (depending on whether this is ICA Proxy or full vpn) to limit which VDIs they do or don't connect to. Different vpn vservers could also have different destination IP restrictions. I know that wasn't what you asked exactly.


If users in a VDI access other resources hosted by an ADC, like a set of lb vservers, you can write responder policies or maybe ACLs that restrict traffic from certain source IPs (the VDI range) from connecting to certain destination IPs, if these are VIPs on this ADC.


Otherwise, if the users connect through a gateway/vpn to the VDIs and then you want to decide what those VDIs can and can't get to, and the VDI to <destination ips> traffic is not stuff hosted by an ADC/NetScaler like load balancing/content switching vservers, you would typically not make the traffic filtering decisions on this ADC. It's not in the path of that traffic flow.

Crude example:

<client originating ip> ---> <VPN VIP on ADC1>  --->  <some VDI> ----> <going to other network IPS, but not things hosted on an ADC doing load balancing>  

There's no netscaler in the path from the <VDI> to the <other destination>






The term "firewall" is poorly defined and can mean a lot of different things.


The answer to your question is "yes" if you clarify a bit and call it an "application firewall," since the ADC proxies all of the connections through it and can have policies applied that selectively reject some of those connections.  (Also, the ADC only proxies connections on IPs/ports where you've configured virtual servers, which further "filters" incoming traffic.)


However, compared to a traditional network firewall, the answer would be "no."  A Juniper SRX or Cisco Firepower is a device that forwards and filters traffic, but does not PROXY that traffic.  This is a different function which can affect how the back-end server perceives it.


What you've asked here:



Can we allow a traffic from a VDI subnet to application specific IP addresses in Citrix ADC?


Yes, that can be done.  You can write policies that take action based on source IP address and apply those policies to virtual servers.  Here's one way to do it:




There is more than one way to accomplish this, but the short answer to your question is, "Yes, you can limit access to a service on an ADC using IP address filters."  In that respect, the ADC can be LIKE a firewall, though I would not describe it as a "firewall," since that will lead to various bad assumptions.
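As an added example (not from either reply above, and not Citrix's own sample configuration), here is what the two mechanisms the replies mention could look like in NetScaler CLI syntax: a responder policy bound to a load-balancing vserver that drops requests not sourced from the VDI subnet (the "application firewall" style restriction described in the second reply), and an extended ACL pair that allows the VDI range to a VIP and denies everyone else (the ACL option mentioned in the first reply). The subnet 10.20.0.0/16, the VIP 192.0.2.10, and the names lb_app1, vdi_src, rsp_non_vdi_drop, acl_vdi_app_allow and acl_app_deny are assumed placeholders.

```text
# Assumed placeholders: VDI subnet 10.20.0.0/16, application VIP 192.0.2.10,
# load-balancing vserver lb_app1. Replace with your own values.

# --- Option 1: responder policy on the vserver (only affects traffic to this VIP) ---
# Named expression for the allowed source range; chain more subnets with "||".
add policy expression vdi_src "CLIENT.IP.SRC.IN_SUBNET(10.20.0.0/16)"

# DROP is a built-in responder action; RESET is the alternative if a TCP reset is preferred.
add responder policy rsp_non_vdi_drop "!vdi_src" DROP

# Bind to the vserver; END stops further responder evaluation for matching requests.
bind lb vserver lb_app1 -policyName rsp_non_vdi_drop -priority 100 -gotoPriorityExpression END -type REQUEST

# Check the hit counter while testing from inside and outside the VDI range.
show responder policy rsp_non_vdi_drop

# --- Option 2: extended ACL (evaluated at the packet level, before any vserver) ---
# Lower priority number is evaluated first: the specific ALLOW must precede the broad DENY.
add ns acl acl_vdi_app_allow ALLOW -srcIP = 10.20.0.0-10.20.255.255 -destIP = 192.0.2.10 -protocol TCP -destPort = 443 -priority 10
add ns acl acl_app_deny DENY -destIP = 192.0.2.10 -protocol TCP -destPort = 443 -priority 20

# ACL additions are staged until applied.
apply ns acls
show ns acl
```

The two options fail differently, which matters for how the block is perceived: the responder policy is evaluated at the HTTP request layer, so a non-VDI client still completes the TCP and TLS handshake with the VIP before its request is dropped, whereas the ACL discards the packets before a connection exists. Both only work for traffic that is actually addressed to an IP the ADC owns (or routed through it), which is the point the first reply makes about the ADC needing to be in the path.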

