Citrix NetScaler Gateway, the basics!
September 2014, by Bas van Kaam
I don't want to spend too much time talking about the different kinds of editions and/or licenses available; if you want to know more about those I suggest you check out one of my previous articles here, or just give citrix.com a visit. Throughout this article I'd like to briefly focus on some of the basic terminology and traffic flow that comes with the NetScaler Gateway Edition providing our users with secure remote access. This (the Gateway edition) is probably one of the most popular NetScaler implementations today, although, as you might know, the NetScaler ADC Edition also has the Gateway functionality built in and can provide us with a bunch of additional features as well. Let's have a look, shall we?!
NetScaler ADC and Gateway
Before we continue, a short word on the two NetScaler editions available today. Most of the confusion starts with the terms: Citrix NetScaler and Citrix NetScaler Gateway. Although they sound very similar, and do have some overlap, there are some distinct differences depending on the licenses used.
Citrix NetScaler refers to their Application Delivery Controller, or ADC, line of products, while the NetScaler Gateway, formerly known as the Citrix Access Gateway, or CAG, is primarily used for secure remote access. You basically buy a 'normal' NetScaler but with limited functionality, due to the NetScaler Gateway license you upload. NetScaler ADCs are capable of doing much more than 'just' remote access: they can be used for load balancing and HA, content switching, application (SSL) offloading, application firewalling, cloud connectivity, hybrid cloud solutions and (a lot) more.
General use
As mentioned, the NetScaler Gateway is used and configured to provide our users with secure remote access into our secure corporate network. As such it is physically placed within our DMZ, or demilitarized zone in full, where it sits in between the Internet and our secure corporate LAN, fronted by at least one or two firewalls as shown in the overview below (taken from citrix.com).
Some Terminology
Before I show you how traffic flows and what actually happens when an external user connects to the NetScaler Gateway, I want to spend a few minutes explaining some of the terminology you need to know and understand beforehand.
The NetScaler uses vservers (virtual servers) to deliver different kinds of services; in this case the vserver would be configured as a gateway vserver. Just remember that you can configure multiple independent vservers on the same NetScaler, each serving a different purpose: a load balancing or SSL offload vserver, for example.
The NSIP address, or NetScaler IP address, is the IP address used by the administrator to manage and configure the NetScaler. It is mandatory for setting up and configuring the NetScaler; there can be only one NSIP address, it cannot be removed, and when it is changed you will have to reboot the NetScaler.
A SNIP (Subnet IP address) is used for server-side connections, meaning that this address will be used to route traffic from, or through, the NetScaler to a subnet directly connected to the NetScaler. The NetScaler has a mode named USNIP (use SNIP), which is enabled by default; this causes the SNIP to be used as the source IP when sending packets from the NetScaler to the internal network. When a SNIP address is configured, a corresponding route is added to the NetScaler's routing table, which is used to determine the optimal route from the NetScaler to the internal network. If it detects that the SNIP address is part of the route, it will use it to pass the network traffic through, using the SNIP address as its source. A SNIP address isn't mandatory. In a multiple-subnet scenario you would have to configure a SNIP (or MIP, I'll discuss this in a minute) for each subnet separately. Also, when multiple SNIP addresses are configured on the same subnet, they will be used in a round-robin fashion.
A MIP (Mapped IP address) is similar to the SNIP address mentioned above. MIP addresses are used when a SNIP address isn't available or when USNIP (use SNIP) is disabled, in which case the MIP will be used as the source IP address. For the subnet the configured MIP address belongs to, the NetScaler will likewise add a route entry to its routing table.
A VIP address (Virtual IP address) is the IP address of a vserver that the end users connect to, and through which they would eventually be authenticated etc. For now just remember that the VIP address is never used as the source IP and thus isn't involved in back-end server communication; instead this is always handled by a SNIP and/or MIP address. More often than not SNIP addresses are used over MIPs, but they can be mixed and even used to connect to the same IP subnet; again, round robin will then be used to determine the most optimal route.
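To make the four address types concrete, here is an added example of the NetScaler CLI commands that define them on a small DMZ appliance; it is not configuration from the original article, and every address, netmask and gateway in it is constructed (the 203.0.113.0/24 external and 10.20.0.0/24 and 10.30.0.0/24 internal subnets are made up). The comments tie each command back to the terminology above.

```nscli
# --- NSIP: the single management address; changing it requires a reboot ---
set ns config -IPAddress 10.20.0.5 -netmask 255.255.255.0

# --- SNIPs: one per directly connected internal subnet ---
# Two SNIPs on the same subnet are used round robin as source address.
add ns ip 10.20.0.6 255.255.255.0 -type SNIP
add ns ip 10.20.0.7 255.255.255.0 -type SNIP
# A second internal subnet needs its own SNIP (or MIP).
add ns ip 10.30.0.6 255.255.255.0 -type SNIP

# --- MIP: fallback source address when no SNIP matches or USNIP is off ---
add ns ip 10.20.0.8 255.255.255.0 -type MIP

# USNIP is on by default; shown explicitly so the dependency is visible.
enable ns mode USNIP

# --- VIP: the externally reachable address clients connect to ---
# It is never used as a source address towards the internal network.
add ns ip 203.0.113.10 255.255.255.0 -type VIP

# Default route towards the Internet-facing firewall (constructed address).
add route 0.0.0.0 0.0.0.0 203.0.113.1

# Checks: the Type column distinguishes NSIP/SNIP/MIP/VIP, and the routing
# table shows the connected routes that were added for each SNIP/MIP subnet.
show ns ip
show route
save ns config
```

From a firewall standpoint this addressing decides which inner-firewall rules you need: back-end rules are written for the SNIP (or MIP) addresses as source, never for the VIP, so adding a SNIP on a new subnet without a matching firewall rule is the usual reason a new back-end "cannot be reached".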
Traffic Flow
Now that we know what terminology is involved, let's have a look at how traffic and communications actually flow through the NetScaler and how users get authenticated. Hopefully the overview below will help in clarifying some of the concepts mentioned throughout this article. I didn't have Visio at hand, so I decided to take another route; I hope you can appreciate my (free) drawing skills, I thought it was kind of cool to be honest :-)
Up close and personal
Ok, so what happens? Let's take it step by step. Do note that I'm primarily focusing on the NetScaler interaction here; as such I left out both the application enumeration process (XML querying, XML and STA file generation, etc.) and the application launch sequence (which system can provide the resource, least load, .ICA file generation etc.) for now. Near the end I'll provide you with an excellent resource where you'll find some more (detailed) information on the steps left out.
An external user will contact the NetScaler Gateway over port 80 or 443 (preferred). It will connect to the externally accessible virtual IP (VIP) address of the NetScaler's (Gateway) vserver. This is indicated as the VIP followed by step 1 vserver. Once a connection is established you have a few options; for example, using a SNIP address the (unauthenticated) user could be connected to the StoreFront server residing on the corporate (internal) network, where authentication then needs to take place (not displayed). A valid option, but not as secure as we would like it, right? Instead, we would like user authentication to take place on the NetScaler within our DMZ.
Let's assume authentication takes place on the NetScaler. The user's credentials are forwarded using the NetScaler IP address, or NSIP, indicated as step 2 NSIP, to your internal authentication services, Active Directory in most cases, where they will be validated (or not). But wait, let's do one better. Once validated, and still part of step 2 NSIP, we throw in something called two-factor authentication, using SMS passcode tokens for example. This way every user has to fill in his or her username and password plus an additional auto-generated token code which expires every few minutes (configurable), extremely secure.
Once the user is authenticated, the authentication services will pass the user credentials through to the StoreFront server. In step 3 SNIP, the already authenticated user connects to our internal StoreFront server, which will enumerate the user's applications and/or desktops.
Next, this information travels back through the NetScaler and the Gateway vserver to the user's screen, as indicated in step 4 vserver.
Finally, when the user starts an application (I left this part out), the StoreFront server will eventually generate a so-called .ICA file which is sent back to the user's device and is used to connect the user directly to the requested resource on one of the XenDesktop/XenApp application servers. During the last phase of setting up this connection the Gateway vserver will check the earlier generated STA file to validate the session, after which the application or desktop is launched, as indicated in step 5 app launch.
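The five steps above map onto a small set of Gateway vserver objects. What follows is an added NetScaler CLI example of that configuration, not the article's own; the IP addresses, host names (storefront.corp.example, sta.corp.example), domain name CORP and object names are all constructed, and the bind password and RADIUS key are placeholders. It assumes the NSIP/SNIP addressing from the terminology section (NSIP in 10.20.0.0/24, a SNIP on the StoreFront subnet) is already in place.

```nscli
# Step 1: Gateway vserver on the external VIP, HTTPS only; SSLv3 off.
add vpn vserver vs_gateway SSL 203.0.113.10 443
add ssl certKey cert_gateway -cert gateway.crt -key gateway.key
bind ssl vserver vs_gateway -certkeyName cert_gateway
set ssl vserver vs_gateway -ssl3 DISABLED

# Step 2 (first factor): LDAPS to Active Directory. Per the article this
# traffic leaves from the NSIP, so the inner firewall must allow
# NSIP -> 10.20.0.20 on TCP 636 (LDAPS, constructed DC address).
add authentication ldapAction act_ldap_ad -serverIP 10.20.0.20 -serverPort 636 -secType SSL -ldapBase "dc=corp,dc=example" -ldapBindDn "svc_netscaler@corp.example" -ldapBindDnPassword "<bind-password-placeholder>" -ldapLoginName sAMAccountName -ssoNameAttribute userPrincipalName
add authentication ldapPolicy pol_ldap_ad ns_true act_ldap_ad
bind vpn vserver vs_gateway -policy pol_ldap_ad -priority 100

# Step 2 (second factor): the token service reached over RADIUS (UDP 1812),
# bound as the secondary authentication cascade so both factors are required.
add authentication radiusAction act_rad_token -serverIP 10.20.0.21 -serverPort 1812 -radKey "<radius-shared-secret-placeholder>"
add authentication radiusPolicy pol_rad_token ns_true act_rad_token
bind vpn vserver vs_gateway -policy pol_rad_token -priority 100 -secondary

# Step 3/4: session policy in ICA-proxy mode that single-signs the
# authenticated user on to StoreFront (reached from the SNIP on its subnet)
# and returns the enumerated resources through the vserver.
add vpn sessionAction act_receiver -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.corp.example/Citrix/StoreWeb" -ntDomain CORP -ClientChoices OFF -clientlessVpnMode OFF
add vpn sessionPolicy pol_receiver ns_true act_receiver
bind vpn vserver vs_gateway -policy pol_receiver -priority 100

# Step 5: STA server used to validate the ticket in the .ICA file before the
# session to the XenApp/XenDesktop host is proxied (constructed host name).
bind vpn vserver vs_gateway -staServer "https://sta.corp.example"

# Checks: vserver state, bound policies and STA reachability.
show vpn vserver vs_gateway
save ns config
```

Two points worth verifying after applying something like this: `show vpn vserver` should list the STA server as UP (a DOWN STA means step 5 fails even though logon succeeds), and the inner firewall must permit the NSIP towards AD and the RADIUS host and the SNIP towards StoreFront, since the VIP never appears as a source on that firewall.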
Wrap up.
That's about it from a bird's eye view, so to speak. If you would like to read more on some of the details involved with regard to the application enumeration process, XML and STA file generation etc., have a look here. It's written by Ingmar Verheij, one of Citrix's Senior Engineers. It's a bit outdated but still (very) relevant! Note some of the port numbers and protocols used in the process, and keep these in mind from a firewall and security perspective. Also, where possible, use port 443 instead :-)
Reference materials used: Citrix.com and the eDocs website.