Claudio Mascaro
Senior Systems Engineer
BCD-Sintrag AG
Citrix NetScaler Best Practices
© 2014 Citrix
Agenda
• Deployment
• Initial Configuration
• Load Balancing
• NS Wizards, Unified GW, AAA Feature
• SSL
NetScaler
Overview diagram: clients reach a VIP on the NetScaler, which fronts backend servers (S1–S3, A1–A3), an IaaS/SaaS gateway and CloudBridge; protocols shown are FTP, SQL, HTTP/HTTPS, DNS, TCP/UDP and AD.
Acceleration
• TCP Offload
• HTTP Compression
• Caching (HTTP, SQL)
• TCP Optimization
• Rate Limiting
• SSL Offload
• Surge Protection
• Web 2.0 Push
Security
• Web Application Firewall
• L4-7 ACL
• DDoS Protections
• Rewrite + Responder
• SSL VPN
• NetScaler Gateway
• AAA TM-Auth. & SSO
• SAML 2.0 & Kerberos
Availability
• Server Loadbalancing (IPv4+6)
• Layer 7 Content Switching
• Advanced Health Check
• GSLB
• Traffic Domains & PBR
• Dyn. Routing, VLAN, LACP
• HTTP Callout
• CloudBridge
• DataStream
Platforms
• VPX
• MPX & SDX
• XenServer
• VMware
• Hyper-V
• 10, 200, 1G, 3G
• Editions: Standard, Enterprise and Platinum, Express, Developer
Management
• CLI/GUI/SNMP/Syslog
• API XML, NITRO, SOAP, REST
• AppFlow
• Command Center
• Web Logging (NSWL)
• Inbox Monitoring/Reporting
• Action Analytics
• NetScaler Insight Center
• Visualizer
• ACE Migration Tool
Deployment
NetScaler Deployment
One-Arm Mode
3 IPs minimum (standalone)
• 1x NetScaler IP (NSIP)
• 1x Subnet IP (SNIP)
• 1x Virtual IP (VIP)
+ 1x NSIP in High Availability mode
Two-Arm Mode
4 IPs minimum (standalone)
• 1x NetScaler IP (NSIP)
• 2x Subnet IP (SNIP, 1 per network)
• 1x Virtual IP (VIP)
STATIC ROUTES to the backend servers !!!
+ 1x NSIP in High Availability mode
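As an added example (not part of the slides), the two-arm minimum IP set above written out in NetScaler CLI. All addresses, the route and the HA peer are constructed sample values:

```nscli
# Added example, not from the slides. All addresses are constructed sample values.
# NSIP: management address, set at first boot or with "set ns config".
# Keep it reachable from the management network only.
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0

# Two-arm mode: one SNIP per connected network. Backend connections are
# sourced from the SNIP, so the backend firewall only needs to permit the SNIP.
add ns ip 10.0.1.10 255.255.255.0 -type SNIP -mgmtAccess DISABLED
add ns ip 10.0.2.10 255.255.255.0 -type SNIP -mgmtAccess DISABLED

# VIP: created implicitly with the first vserver on this address, or explicitly:
add ns ip 10.0.1.100 255.255.255.0 -type VIP

# Backend subnets that are not directly connected need static routes via the
# backend-side gateway (the "STATIC ROUTES to the backend servers" point).
add route 10.0.3.0 255.255.255.0 10.0.2.1

# High Availability: the peer needs its own NSIP (the "+ 1x NSIP" on the slide).
add ha node 1 10.0.0.11

# Checks: backend traffic must leave via a SNIP, never via the NSIP.
show ns ip
show route
```

Disabling management access on the SNIPs keeps the GUI, SSH and NITRO reachable only on the NSIP in the management network; the backend firewall rule is then a single source address per network.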
NetScaler High Availability
Both NetScalers like identical twins !
• VPX – VPX or MPX – MPX
• Same MPX hardware
• Same platform license
• Same firmware version
• Same interfaces and same patch level
Operate in Active/Passive mode
Initial Configuration
Configuration
Licensing
License server host for:
NetScaler Standard, Enterprise, Platinum, option licenses
License server host for:
NetScaler Gateway & Universal License
License log file for troubleshooting:
/var/log/license.log
System Settings
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-data-sheet.pdf
• NetScaler Gateway License
• SSL VPN Universal License
• NetScaler Standard License
• NetScaler Enterprise License
• NetScaler Platinum License
Version
1 Download Firmware
2 Backup
3 HA-Disable
4 Upload Firmware
5 Update
NetScaler Architecture
2 separate TCP sessions !
• Client to Virtual IP
• Subnet IP to backend server
Load Balancing
Load balancing and entities
Load balancing vServer, Services, Servers
Steps 1–3 (screenshot). Step 2: the firewall between the NetScaler and the backend is open for the Subnet IP.
Load balancing vServer
All access from the NetScaler to backend servers should be load balanced.
• DNS Server
• AD / Radius Server
• Citrix Webinterface
• Citrix Storefront
• Citrix Datacollector
• Citrix Delivery Controller
• Citrix XenMobile
• Citrix ShareFile
• Microsoft Exchange Server
• Etc.
Load balancing monitors
Selection
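As an added example (not part of the slides), the three steps of the "vServer, Services, Servers" slide together with the monitor selection, in NetScaler CLI for a StoreFront pair. Names, addresses and the StoreFront path are constructed sample values:

```nscli
# Added example, not from the slides: StoreFront load balancing. Names, IPs and
# the monitored path are constructed sample values.
# 1. Servers (backend addresses the SNIP must reach through the firewall)
add server srv_sf01 10.0.3.21
add server srv_sf02 10.0.3.22

# Monitor selection: an application-level HTTP probe instead of a TCP ping,
# so a server whose web app is dead is taken out of rotation
add lb monitor mon_storefront HTTP -httpRequest "GET /Citrix/StoreWeb/" -respCode 200 -secure YES -LRTM ENABLED -interval 10 -resptimeout 4

# 2. Services, each with the monitor bound
add service svc_sf01 srv_sf01 SSL 443
add service svc_sf02 srv_sf02 SSL 443
bind service svc_sf01 -monitorName mon_storefront
bind service svc_sf02 -monitorName mon_storefront

# 3. Virtual server on the VIP; StoreFront needs sticky sessions
add lb vserver lb_vs_storefront SSL 10.0.1.100 443 -lbMethod LEASTCONNECTION -persistenceType SOURCEIP -timeout 20
bind lb vserver lb_vs_storefront svc_sf01
bind lb vserver lb_vs_storefront svc_sf02

# Checks: each service should be UP with its monitor probe succeeding
show service svc_sf01
show lb vserver lb_vs_storefront
```

The SSL vserver stays DOWN until a certificate is bound to it (see the certificate slide). The explicit `-respCode 200` matters: a monitor that accepts any response would keep a server in rotation while it returns an error page.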
HTTP to HTTPS Redirection with Responder Policy
If the connection is not SSL
redirect expression to HTTPS
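As an added example (not part of the slides), the responder action and policy the slide describes, plus the HTTP vserver that carries them. Names and the address are constructed sample values; the always-up loopback service is one common workaround, not something the slide prescribes:

```nscli
# Added example, not from the slides: responder policy redirecting plain HTTP
# to HTTPS. Names and the address are constructed sample values.
# Action: 302 to the same host, path and query on https://
add responder action rsa_http_to_https redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE" -responseStatusCode 302

# Policy: fire only when the connection is not SSL
add responder policy rsp_http_to_https "CLIENT.SSL.IS_SSL.NOT" rsa_http_to_https

# HTTP vserver on port 80 of the same VIP. A vserver with no UP service is
# DOWN and never sees the request, so an always-up loopback service with
# health monitoring off is bound as a workaround.
add service svc_always_up 127.0.0.1 HTTP 80 -healthMonitor NO
add lb vserver lb_vs_http HTTP 10.0.1.100 80
bind lb vserver lb_vs_http svc_always_up

# Bind the responder policy to the HTTP vserver
bind lb vserver lb_vs_http -policyName rsp_http_to_https -priority 100 -gotoPriorityExpression END -type REQUEST

# Check: the policy hit counter increases after an http:// request
show responder policy rsp_http_to_https
```

Using `HTTP_URL_SAFE` on the host and path keeps the redirect target a single, encoded URL, so a crafted request cannot inject extra header lines into the Location value.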
Loadbalancing Visualizer
Certificates
Server certificate with private key
Intermediate and root CA certificates
Cert links !!
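As an added example (not part of the slides), the certificate objects and the cert link in NetScaler CLI. File names, object names and the vserver name are constructed; the files are assumed to be already uploaded to /nsconfig/ssl/:

```nscli
# Added example, not from the slides: server certificate with private key,
# intermediate CA, root CA and the certificate link. File names are constructed
# and refer to files already uploaded to /nsconfig/ssl/.
add ssl certKey ck_mail_example -cert mail_example.crt -key mail_example.key -expiryMonitor ENABLED -notificationPeriod 30
add ssl certKey ck_intermediate_ca -cert intermediate_ca.crt
add ssl certKey ck_root_ca -cert root_ca.crt

# Cert link: the intermediate is sent in the handshake together with the
# server certificate. Without the link, clients that do not already have the
# intermediate cached fail chain validation. The root stays in the clients'
# trust store and is not linked into the served chain.
link ssl certKey ck_mail_example ck_intermediate_ca

# Bind the server certificate to the SSL vserver
bind ssl vserver lb_vs_storefront -certkeyName ck_mail_example

# Checks: the link, and the expiry date the monitor will warn about
show ssl certLink
show ssl certKey ck_mail_example
```

A missing cert link is the usual cause of "works in my browser, fails on mobile": desktop browsers often fetch or cache the intermediate, mobile clients and API consumers typically do not.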
NetScaler Wizards, Unified Gateway, AAA Feature
NetScaler Wizards
XenMobile Wizard – the wizard creates:
• 3x LB vServer
• 1x GW vServer
• 3x session policies
• Authentication server
Mobile App Mgmt. (MAM): internal access via GW session policy
Mobile Device Mgmt. (MDM): external access
Gateway vServer (MAM): external access
Unified Gateway
One IP for several types of access
• Exchange 2013
• Citrix Insight
• Datanow
• NetScaler Gateway
• Etc.
1 IP for 4 or more different backend LB vServers
• Exchange 2013
• Datanow web server
• Insight web server
• NetScaler GW
Load balanced vServers
The content switching action points to the LB vServer & NS Gateway
The expression defines where the request goes…
• Outlook Web Access
• Outlook Anywhere
• NetScaler Gateway
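As an added example (not part of the slides), the Unified Gateway pattern from the last three slides in NetScaler CLI: one content switching VIP, actions pointing at non-addressable LB vservers and the NS Gateway, and expressions that decide by host and path. Names, hostnames and the address are constructed sample values:

```nscli
# Added example, not from the slides: one VIP in front of OWA, Outlook Anywhere
# and NetScaler Gateway. Names, hostnames and the address are constructed.
# Non-addressable (0.0.0.0:0) targets behind the content switching vserver
add lb vserver lb_vs_owa SSL 0.0.0.0 0
add lb vserver lb_vs_oa SSL 0.0.0.0 0
add vpn vserver vpn_vs_gateway SSL 0.0.0.0 0

# The single public IP (needs its own certificate binding)
add cs vserver cs_vs_unified SSL 10.0.1.100 443

# Actions point at the LB vservers and at the NS Gateway
add cs action cs_act_owa -targetLBVserver lb_vs_owa
add cs action cs_act_oa -targetLBVserver lb_vs_oa
add cs action cs_act_gateway -targetVserver vpn_vs_gateway

# Expressions decide where a request goes: host plus URL path, case-insensitive
add cs policy cs_pol_owa -rule "HTTP.REQ.HOSTNAME.SERVER.EQ(\"mail.domain.com\") && HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/owa\")" -action cs_act_owa
add cs policy cs_pol_oa -rule "HTTP.REQ.HOSTNAME.SERVER.EQ(\"mail.domain.com\") && HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/rpc\")" -action cs_act_oa
add cs policy cs_pol_gateway -rule "HTTP.REQ.HOSTNAME.SERVER.EQ(\"gateway.domain.com\")" -action cs_act_gateway

# Bind in priority order. Without a default LB vserver bound, a request that
# matches no policy is refused by the CS vserver, which is the safer default.
bind cs vserver cs_vs_unified -policyName cs_pol_owa -priority 100
bind cs vserver cs_vs_unified -policyName cs_pol_oa -priority 110
bind cs vserver cs_vs_unified -policyName cs_pol_gateway -priority 120

# Check bindings and per-policy hit counters
show cs vserver cs_vs_unified
```

Matching on both host and path, rather than path alone, keeps a request for `/owa` sent to the gateway hostname from landing on the Exchange vserver; every path not listed is deliberately left unreachable.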
AAA Feature (e.g. NS as TMG replacement for Exchange 2013)
User – NS – CSW – LB – AAA – LB – Exchange Server
Flow diagram: user opens https://Mail.domain.com; the content switching vServer hands off to the LB vServer, which sends the unauthenticated user to the AAA vServer; the AAA vServer authenticates against AD; on success (step 7: True) the user returns to the LB vServer and the Exchange 2013 backend server publishes the mail content (step 9). Steps 1–9 are numbered in the diagram.
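As an added example (not part of the slides), the AAA-TM part of the flow above in NetScaler CLI: an AAA vServer with LDAP authentication against AD and a session policy, placed in front of the OWA load balancing vServer. Names, addresses, the LDAP base and the bind account are constructed; the bind password is a placeholder:

```nscli
# Added example, not from the slides: AAA-TM in front of the OWA LB vserver
# (the NetScaler in the TMG role). Names, addresses, LDAP base and bind
# account are constructed; the bind password is a placeholder.
# 1. AAA vserver that presents the logon page (needs a certificate binding too)
add authentication vserver aaa_vs_mail SSL 10.0.1.101 443

# 2. LDAP to Active Directory over LDAPS (636); plain LDAP on 389 would send
#    user credentials in the clear between NetScaler and the domain controller
add authentication ldapAction ldap_act_ad -serverIP 10.0.2.20 -serverPort 636 -secType SSL -ldapBase "dc=domain,dc=com" -ldapBindDn "svc_netscaler@domain.com" -ldapBindDnPassword "<BIND-PASSWORD-PLACEHOLDER>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -ssoNameAttribute userPrincipalName
add authentication ldapPolicy ldap_pol_ad ns_true ldap_act_ad
bind authentication vserver aaa_vs_mail -policy ldap_pol_ad -priority 100

# 3. Session policy: SSO on, so the NetScaler replays the credentials to Exchange
add tm sessionAction tm_sess_mail -SSO ON -persistentCookie OFF -defaultAuthorizationAction ALLOW
add tm sessionPolicy tm_sesspol_mail ns_true tm_sess_mail
bind authentication vserver aaa_vs_mail -policy tm_sesspol_mail -priority 100

# 4. Require authentication on the LB vserver: unauthenticated users are sent
#    to the AAA vserver (steps 2–6 of the flow), authenticated ones reach Exchange
set lb vserver lb_vs_owa -authentication ON -authenticationHost aaa.domain.com -authnVsName aaa_vs_mail

# Checks: bound policies, and the active sessions after a test logon
show authentication vserver aaa_vs_mail
show aaa session
```

The bind account only needs read access to the directory; a low-privilege service account limits what an attacker gains if the NetScaler configuration is ever exposed.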
SSL
SSL A-Rating Configuration
SSL Renegotiation
vServer SSL Settings
With NS 11.0, TLSv1.1 and TLSv1.2 are also available on VPX
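As an added example (not part of the slides), the vServer SSL settings, renegotiation setting and cipher group that the "SSL A-Rating Configuration" and "SSL Renegotiation" slides refer to, in NetScaler CLI. The vserver name is constructed; the cipher names are assumed to be those a NetScaler 11.0 build lists under `show ssl cipher`. The HSTS rewrite at the end goes slightly beyond the slides:

```nscli
# Added example, not from the slides: SSL vserver hardening toward an A rating.
# Vserver name is constructed; cipher names assumed from a NetScaler 11.0 build.
# Protocols: no SSLv3 (and no TLS 1.0 once legacy clients are gone);
# TLS 1.1/1.2 are available on VPX from NS 11.0
set ssl vserver lb_vs_storefront -ssl3 DISABLED -tls1 DISABLED -tls11 ENABLED -tls12 ENABLED

# Renegotiation: refuse client-initiated renegotiation that is not RFC 5746
# secure renegotiation (global SSL parameter)
set ssl parameter -denySSLReneg NONSECURE

# Cipher group: forward secrecy first, GCM before CBC, nothing below 128 bit
add ssl cipher cg_pfs_strong
bind ssl cipher cg_pfs_strong -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher cg_pfs_strong -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 2
bind ssl cipher cg_pfs_strong -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 3
bind ssl cipher cg_pfs_strong -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 4

# Replace the DEFAULT cipher binding on the vserver with the hardened group
unbind ssl vserver lb_vs_storefront -cipherName DEFAULT
bind ssl vserver lb_vs_storefront -cipherName cg_pfs_strong

# ECDHE only negotiates when an ECC curve is bound to the vserver
bind ssl vserver lb_vs_storefront -eccCurveName P_256
bind ssl vserver lb_vs_storefront -eccCurveName P_384

# HSTS response header via rewrite, so browsers stop accepting http://
add rewrite action rw_act_hsts insert_http_header Strict-Transport-Security "\"max-age=31536000\""
add rewrite policy rw_pol_hsts "true" rw_act_hsts
bind lb vserver lb_vs_storefront -policyName rw_pol_hsts -priority 100 -gotoPriorityExpression END -type RESPONSE

# Check the resulting protocol, cipher and curve settings
show ssl vserver lb_vs_storefront
```

Re-test with an external scanner after each change: disabling TLS 1.0 can still lock out older clients, so check the client inventory before applying `-tls1 DISABLED` to a vserver serving the general public.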
SSL Rating A
Thank you