The following example shows you how to deploy your VM-Series firewall to secure the application or database servers on your network. This scenario is relevant to you if you have two NetScaler VPX instances, where one instance authenticates users and terminates SSL connections and then load balances requests to the DMZ servers and the other VPX instance load balances connections to the corporate servers that host the application and database servers on your network.
Topology Before Adding the VM-Series Firewall
The communication between the servers in the DMZ and the servers in the corporate datacenter is processed by both instances of the NetScaler VPX. For content that resides in the corporate datacenter, a new request in handed off to the other instance of the NetScaler VPX which forwards the request to the appropriate server.
When the VM-Series firewall is deployed (this example uses L3 interfaces), the flow of traffic is as follows:
All incoming requests are authenticated and the SSL connection is terminated on the first instance of the NetScaler VPX. For content that resides in the DMZ, the NetScaler VPX initiates a new connection to the server to fetch the requested content. Note that the north-south traffic destined to the corporate datacenter or to the servers in the DMZ are handled by the edge firewall and not by the VM-Series firewall.
For example, when a user (source IP 1.1.1.1) requests content from a server on the DMZ, the destination IP is 20.5.5.1 (VIP of the NetScaler VPX). The NetScaler VPX then replaces the destination IP address, based on the protocol to the internal server IP address, say 192.168.10.10. The return traffic from the server is sent back to the NetScaler VPX at 20.5.5.1 and sent to the user with IP address 1.1.1.1.
All requests between the DMZ servers and the Corporate datacenter are processed by the VM-Series firewall. For content that resides in the corporate datacenter, the request is transparently processed (if deployed using L2 or virtual wire interfaces) or routed (using Layer3 interfaces) by the VM-Series firewall. It is then handed off to the second instance of the NetScaler VPX. This instance of the NetScaler VPX load balances the request across the servers in the corporate datacenter and services the request. The return traffic uses the same path as the incoming request.
For example, when a server on the DMZ (say 192.168.10.10) needs content from a server in the corporate datacenter (say 172.16.10.20), the destination IP address is 172.168.10.3 (the VIP on the second NetScaler). The request is sent to the VM-Series firewall at 192.168.10.2, where the firewall performs a policy lookup and routes the request to 172.168.10.3. The second NetScaler VPX replaces the destination IP address, based on protocol, to the internal server IP address 172.16.10.20. The return traffic from 172.168.10.20 is then sent to the NetScaler VPX at 172.168.10.3, and the source IP address for the request is set as 172.168.10.3 and is routed to the VM-Series firewall at 172.168.10.2. On the VM-Series firewall, a policy lookup is again performed and the traffic is routed to the server in the DMZ (192.168.10.10).
In order to filter and report on user activity on your network, because all requests are initiated from the NetScaler VPX, you must enable HTTP Header insertion or the TCP Option for IP Insertion on the first instance of the NetScaler VPX.
.
Set up the VM-Series Firewall to Secure East-West Traffic
Install the VM-Series Firewall on the SDX Server If you plan to deploy the VM-Series firewall using virtual wire or L2 interfaces, make sure to enable L2 Mode on each data interface on the SDX server.
Re-cable the interfaces assigned to the NetScaler VPX. Because the NetScaler VPX will reboot when recabled, evaluate whether you would like to perform this task during a maintenance window.
Configure the data interfaces. Select Network > Interfaces and assign the interfaces as type Layer3 (see Step 2, Layer2 (see Step 3) or virtual wire (see Step 3).
Create security policy to allow application traffic between the DMZ and the corporate data center. Zone: DMZ to Corporate Note that the implicit deny rule will deny all inter-zone traffic except what is explicitly allowed by security policy. Click Add in the Policies > Security section. Give the rule a descriptive name in the General tab. In the Source tab, set the Source Zone to DMZ and Source Address to 192.168.10.0/24. In the Destination tab, set the Destination Zone to Corporate and the Destination Address to 172.168.10.0/24 In the Application tab, select the applications that you want to allow. For example, Oracle. Set the Service to application-default In the Actions tab, set the Action Setting to Allow. Leave all the other options at the default values. Click Commit to save your changes.
For securing north-south traffic, see Secure North-South Traffic with the VM-Series Firewall.
For an overview of the deployments, see Supported Deployments—VM Series Firewall on Citrix SDX.

Related Documentation