Cisco Support Community
Community Member

Netscaler deployment


We are deploying two Netscalers that are going to be sitting in our DMZ. The firewall also has an IPS module in it that inspects all the inbound/outbound traffic. The team deploying the Netscalers wants to connect one interface to the DMZ and the other interface to the inside network. Personally, I don't believe this deployment is safe since:

1. The traffic is not completely seen by the firewall, since once it hits the device it will go to the internal network (I understand that the device has ACL, routing, etc. capabilities).

2. Traffic won't be seen by the IPS.

3. Netscaler will be in charge of the internal network security once the firewall hands off the traffic to the device.

I don't have a lot of expertise on firewalls and their deployment best practices, so I need some help from the experts.

Thanks in advance. Rafael.


Netscaler deployment


All your concerns are valid. Traffic from the internet to the NetScaler in the DMZ will still be inspected. We installed Netscalers in the DMZ for Citrix a couple of years back, and nothing connects directly to Inside. If I remember correctly, you can deploy them in one-arm or two-arm deployment scenarios. If you go with one-arm, they do not need to connect the 2nd interface. Talk to the deployment team and discuss your security concerns with them.



Hall of Fame Super Silver

Netscaler deployment

I have seen it done both ways. I have also seen the Netscaler completely in parallel with the firewall - acting in essence as the only security layer for the VIPs it was serving up.

In either the "one-armed" or "two-armed" setup the inbound traffic (and the replies to the remote clients) still come through the ASA and IPS module (assuming you have the inspection policy set up to do so). Two-armed (Netscaler with both DMZ and Inside network interfaces) keeps the ASA from having to handle the incoming traffic twice and also keeps you from having to create DMZ-to-Inside access-lists for the Netscaler VIPs to distribute traffic to the backend real servers (presumably on the inside network).

Citrix Netscaler is a pretty well-designed box security-wise and even has the option (with the Platinum license, I believe) of an application layer firewall that is more capable than the ASA in that particular sense.
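To make the difference between the two designs concrete, here is an added example of the ASA side of the one-arm deployment the replies describe. It is not configuration from the thread or from either poster; it assumes ASA 8.3+ object/NAT syntax and an AIP-SSM IPS module, and every address, object name and ACL name in it is made up. The point it shows is that in the one-arm design the NetScaler-to-backend hop is a second pass through the ASA that needs its own DMZ-to-Inside rule and gets IPS inspection, whereas in the two-arm design that hop never reaches the firewall at all.

```cisco
! Added example, not from the thread. Made-up addressing:
!   203.0.113.10  public address NATed to the NetScaler VIP
!   172.16.1.10   NetScaler VIP on the DMZ segment
!   172.16.1.11   NetScaler SNIP (source address toward the backends)
!   10.10.20.0/24 backend web servers on the inside network
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
object network NS_VIP
 host 172.16.1.10
 nat (dmz,outside) static 203.0.113.10
object network NS_SNIP
 host 172.16.1.11
object network WEB_BACKEND
 subnet 10.10.20.0 255.255.255.0
!
! Leg 1: internet -> VIP. Required in both the one-arm and two-arm designs;
! ACLs on 8.3+ reference the real (pre-NAT) address.
access-list OUTSIDE_IN extended permit tcp any object NS_VIP eq 443
access-group OUTSIDE_IN in interface outside
!
! Leg 2: NetScaler SNIP -> backend servers. Only needed when the NetScaler is
! one-armed; with a second interface on Inside this hop bypasses the ASA, so
! there is nothing here to constrain it. Lock it to the SNIP and the backend
! subnet/port, and log what else the DMZ tries to reach.
access-list DMZ_IN extended permit tcp object NS_SNIP object WEB_BACKEND eq 443
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! Send all traffic through the IPS module so both legs are inspected.
! fail-close drops traffic if the module is down instead of silently bypassing it.
class-map IPS_CLASS
 match any
policy-map global_policy
 class IPS_CLASS
  ips inline fail-close
service-policy global_policy global
```

If the deployment team insists on the two-arm design, the equivalent of the DMZ_IN rule has to live on the NetScaler itself (its own ACLs), and the backend leg is no longer visible to the IPS module; that is exactly the trade-off the original question is asking about.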
