
Securing Custom LB Port Configuration

Hi All,

I have a load balancer configured to use a custom TCP port (5058). What steps do I need to take to secure this configuration?

Specifically:

  • Should I create a TCP profile on the load balancer for this port? If so, what type of profile makes the most sense?
  • How can I add the certificates, if possible?
  • Are there any other profile settings or changes you would advise to make sure unauthorized access is prohibited and data on this port is encrypted in transit and at rest?
  • Are there any other considerations around securing a custom TCP port on the load balancer that I should be aware of?

Please let me know if you have any recommendations or need additional details about my current configuration. My goal is to dial in the proper security controls for this custom integration while maintaining availability and load balancing functionality.

Thanks 

Manoj


On 1/10/2024 at 8:10 AM, Manoj Rana said:

Hi All,

I have a load balancer configured to use a custom TCP port(5058). What steps do I need to take to secure this configuration?

Specifically:

There is no way to secure a TCP load balancer.

Do you think about SSL offloading? In that case you would need an SSL_TCP load balancer. You may bind certificates there. Services would be SSL_TCP as well.


Thanks Johannes.

If there is no way to secure the TCP load balancer, I think SSL_TCP is better than just TCP. I will try and give it a go.

Also, I want to know if you know about SQL load balancing.

It doesn't work if it is behind the 2 VIPs. But if I remove one of the VIPs, it always works.

Do you know if this is expected behavior or am I missing something?

Thanks 

Manoj


18 minutes ago, Manoj Rana said:

Also, I want to know if you know about SQL load balancing.

It doesn't work if it is behind the 2 VIPs. But if I remove one of the VIPs, it always works.

Do you know if this is expected behavior or am I missing something?

Thanks

Manoj

Hi Manoj,

I don't see why this should not work. It would be an SQL load balancer of the correct type (MS-SQL, MySQL or Oracle) on the internal NetScaler. On the DMZ NetScaler, it would be a vServer of the same type, pointing to the vServer on the internal NetScaler.

I have never seen something like that, as it's rather rare to see an SQL server being published on the internet. At least not for a reason (I found several SQL servers on the internet, mostly MS-SQL servers, all of which had been there by mistake).

There is another method you could use, in case this does not work: create a load balancer of type TCP or even ANY on the DMZ NetScaler. This will just do a simple, stupid forward of all traffic to the internal NetScaler. The port number would be your SQL server's port number. In the case of ANY, you could set the port to *; however, in this case, you would have to filter traffic on the firewall. That way, the DMZ NetScaler would do nothing but stupid proxying of everything that comes in.


40 minutes ago, Johannes Norz said:

Hi Manoj,

I don't see why this should not work. It would be an SQL load balancer of the correct type (MS-SQL, MySQL or Oracle) on the internal NetScaler. On the DMZ NetScaler, it would be a vServer of the same type, pointing to the vServer on the internal NetScaler.

I have never seen something like that, as it's rather rare to see an SQL server being published on the internet. At least not for a reason (I found several SQL servers on the internet, mostly MS-SQL servers, all of which had been there by mistake).

There is another method you could use, in case this does not work: create a load balancer of type TCP or even ANY on the DMZ NetScaler. This will just do a simple, stupid forward of all traffic to the internal NetScaler. The port number would be your SQL server's port number. In the case of ANY, you could set the port to *; however, in this case, you would have to filter traffic on the firewall. That way, the DMZ NetScaler would do nothing but stupid proxying of everything that comes in.

Thanks again Johannes. Much appreciated.

I am trying the second method as you suggested.

This is on the DMZ NetScaler; on the other NetScaler I am using proper SQL vServer properties.

add lb vserver SQL-Test TCP 1.2.3.4 1433 -persistenceType NONE -cltTimeout 9000

add serviceGroup SQL-Test-LBServiceGroup TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip YES -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO

I have bound the server to the service group and the service group to the vServer.

However, there's an error message related to a pre-login handshake.

Default time 30 seconds:

No timeout:

Thanks 

Manoj


Manoj, you will probably need persistence. To prove it, you could shut down all services but one. I am pretty sure this would do the trick.

The problem about persistence: Source IP won't work, as the source IP will always be the SNIP of the DMZ-side NetScaler. So you would probably need to change to Source-IP mode, with all the difficulties SIP mode brings (asymmetric routing, ...).
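The two points Johannes makes in this thread (plain TCP vServers carry no TLS, so an SSL_TCP vServer with a bound certificate is the way to encrypt the custom port, and a TCP forwarding vServer without persistence can break multi-step handshakes) can be checked mechanically against a NetScaler configuration. The script below is an added example, not code from the thread or from NetScaler's own tooling; it assumes the standard `add lb vserver` and `bind ssl vserver ... -certkeyName` line formats as they appear in `show running`, and the sample config is constructed for the example.

```python
import re

# Constructed sample of "show running" output, modelled on the commands in the thread.
# Names and addresses are made up for this example.
SAMPLE_CONFIG = """
add lb vserver Custom-5058 TCP 10.0.0.10 5058 -persistenceType NONE -cltTimeout 9000
add lb vserver SQL-Test TCP 1.2.3.4 1433 -persistenceType NONE -cltTimeout 9000
add lb vserver App-TLS SSL_TCP 10.0.0.11 5058 -persistenceType SOURCEIP
add lb vserver App-NoCert SSL_TCP 10.0.0.12 5059 -persistenceType SOURCEIP
bind ssl vserver App-TLS -certkeyName app-cert
"""

VSERVER_RE = re.compile(r"^add lb vserver (\S+) (\S+) (\S+) (\S+)(.*)$")
CERT_RE = re.compile(r"^bind ssl vserver (\S+) -certkeyName (\S+)")


def audit_config(text):
    """Return (vserver, finding) tuples for the issues discussed in the thread."""
    vservers = {}      # name -> (service type, port, persistence type)
    certs = set()      # SSL vservers that have a certkey bound
    for line in text.splitlines():
        line = line.strip()
        m = VSERVER_RE.match(line)
        if m:
            name, svc_type, _ip, port, opts = m.groups()
            pm = re.search(r"-persistenceType (\S+)", opts)
            # NetScaler's default when -persistenceType is omitted is NONE
            persistence = pm.group(1).upper() if pm else "NONE"
            vservers[name] = (svc_type.upper(), port, persistence)
            continue
        m = CERT_RE.match(line)
        if m:
            certs.add(m.group(1))

    findings = []
    for name, (svc_type, port, persistence) in vservers.items():
        if svc_type == "TCP":
            findings.append((name, "plain TCP vserver on port %s: no TLS, consider SSL_TCP with a bound certificate" % port))
            if persistence == "NONE":
                findings.append((name, "TCP forwarding vserver without persistence: multi-step handshakes may land on different back ends"))
        elif svc_type == "SSL_TCP" and name not in certs:
            findings.append((name, "SSL_TCP vserver with no certkey bound: it stays DOWN until a certificate is bound"))
    return findings


if __name__ == "__main__":
    for vserver, finding in audit_config(SAMPLE_CONFIG):
        print("%s: %s" % (vserver, finding))
```

Feed it the output of `show running` (or an exported ns.conf) from the DMZ NetScaler to see which vServers on custom ports are still plain TCP and which are missing persistence or a certificate.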


On 1/12/2024 at 10:21 AM, Johannes Norz said:

Manoj, you will probably need persistence. To prove it, you could shut down all services but one. I am pretty sure this would do the trick.

The problem about persistence: Source IP won't work, as the source IP will always be the SNIP of the DMZ-side NetScaler. So you would probably need to change to Source-IP mode, with all the difficulties SIP mode brings (asymmetric routing, ...).

Thanks Joh.

Just like to share that after playing with the settings I managed to get this working.

This is what needed to be set up in my case, and it is all working.

Thanks for your help.

Manoj
