Configuring a CloudBridge Connector tunnel between a Citrix ADC appliance and virtual private gateway on AWS
To connect a datacenter to Amazon Web Services (AWS), you can configure a CloudBridge Connector tunnel between a Citrix ADC appliance in the datacenter and a virtual private gateway on AWS. The Citrix ADC appliance and the virtual private gateway form the endpoints of the CloudBridge Connector tunnel and are called peers.
Note:
You can also set up a CloudBridge Connector tunnel between a Citrix ADC appliance in a datacenter and a Citrix ADC VPX instance (instead of a virtual private gateway) on AWS. For more information, see Configuring CloudBridge Connector between Datacenter and AWS Cloud.
Virtual private gateways on AWS support the following IPSec settings for a CloudBridge Connector tunnel. Therefore, you must specify the same IPSec settings when you configure the Citrix ADC appliance for the CloudBridge Connector tunnel.
| IPSec Properties | Setting |
|---|---|
| IPSec mode | Tunnel mode |
| IKE version | Version 1 |
| IKE Authentication method | Pre-Shared Key |
| Encryption algorithm | AES |
| Hash algorithm | HMAC SHA1 |
Example of CloudBridge Connector tunnel configuration and data flow
As an illustration of the traffic flow in a CloudBridge Connector tunnel, consider an example in which a CloudBridge Connector tunnel is set up between Citrix ADC appliance NS_Appliance-1 in a datacenter and virtual private gateway AWS-Virtual-Private-Gateway-1 on AWS cloud.
NS_Appliance-1 also functions as an L3 router, which enables a private network in the datacenter to reach a private network in the AWS cloud through the CloudBridge Connector tunnel. As a router, NS_Appliance-1 enables communication between client CL1 in the datacenter and server S1 in the AWS cloud through the CloudBridge Connector tunnel. Client CL1 and server S1 are on different private networks.
On NS_Appliance-1, the CloudBridge Connector tunnel configuration includes an IPSec profile entity named NS_AWS_IPSec_Profile, a CloudBridge Connector tunnel entity named NS_AWS_Tunnel, and a policy based routing (PBR) entity named NS_AWS_Pbr.
The IPSec profile entity NS_AWS_IPSec_Profile specifies the IPSec protocol parameters, such as IKE version, encryption algorithm, and hash algorithm, to be used by the IPSec protocol in the CloudBridge Connector tunnel. NS_AWS_IPSec_Profile is bound to IP tunnel entity NS_AWS_Tunnel.
CloudBridge Connector tunnel entity NS_AWS_Tunnel specifies the local IP address (a public SNIP address configured on the Citrix ADC appliance), the remote IP address (the IP address of AWS-Virtual-Private-Gateway-1), and the protocol (IPSec) used to set up the CloudBridge Connector tunnel. NS_AWS_Tunnel is bound to policy based routing (PBR) entity NS_AWS_Pbr.
The PBR entity NS_AWS_Pbr specifies a set of conditions and a CloudBridge Connector tunnel entity (NS_AWS_Tunnel). The source IP address range and the destination IP address range are the conditions for NS_AWS_Pbr. The source IP address range and the destination IP address range are specified as a subnet in the datacenter and a subnet in the AWS cloud, respectively. Any request packet originating from a client in the subnet in the datacenter and destined to a server in the subnet on the AWS cloud matches the conditions in NS_AWS_Pbr. This packet is then considered for CloudBridge Connector processing and is sent across the CloudBridge Connector tunnel (NS_AWS_Tunnel) bound to the PBR entity.
The following table lists the settings used in this example.
| Setting | Value |
|---|---|
| IP address of the CloudBridge Connector tunnel end point (NS_Appliance-1) on the datacenter side | 66.165.176.15 |
| IP address of the CloudBridge Connector tunnel end point (AWS-Virtual-Private-Gateway-1) in AWS | 168.63.252.133 |
| Datacenter subnet whose traffic is to traverse the CloudBridge Connector tunnel | 10.102.147.0/24 |
| AWS subnet whose traffic is to traverse the CloudBridge Connector tunnel | 10.20.20.0/24 |
Settings on Amazon AWS

| Entity type | Name | Settings |
|---|---|---|
| Customer Gateway | AWS-Customer-Gateway-1 | Routing = Static; IP Address = Internet-routable CloudBridge Connector tunnel endpoint IP address on the Citrix ADC side = 66.165.176.15 |
| Virtual Private Gateway | AWS-Virtual-Private-Gateway-1 | Associated VPC = AWS-VPC-1 |
| VPN Connection | AWS-VPN-Connection-1 | Customer Gateway = AWS-Customer-Gateway-1; Virtual Private Gateway = AWS-Virtual-Private-Gateway-1; Routing Options: Type = Static; Static IP Prefixes = Subnets on the Citrix ADC side = 10.102.147.0/24 |

Settings on Citrix ADC appliance NS_Appliance-1 in Datacenter-1:

| Entity type | Name | Settings |
|---|---|---|
| SNIP (for reference purposes only) | SNIP1 | 66.165.176.15 |
| IPSec profile | NS_AWS_IPSec_Profile | IKE version = v1; Encryption algorithm = AES; Hash algorithm = HMAC SHA1 |
| CloudBridge Connector tunnel | NS_AWS_Tunnel | Remote IP = 168.63.252.133; Local IP = 66.165.176.15; Tunnel protocol = IPSec; IPSec profile = NS_AWS_IPSec_Profile |
| Policy based route | NS_AWS_Pbr | Source IP range = Subnet in the datacenter = 10.102.147.0-10.102.147.255; Destination IP range = Subnet in AWS = 10.20.20.0-10.20.20.255; IP Tunnel = NS_AWS_Tunnel |
Points to consider for a CloudBridge Connector tunnel configuration
Before configuring a CloudBridge Connector tunnel between a Citrix ADC appliance and AWS gateway, consider the following points:
1. AWS supports the following IPSec settings for a CloudBridge Connector tunnel. Therefore, you must specify the same IPSec settings when you configure the Citrix ADC appliance for the CloudBridge Connector tunnel.
- IKE version = v1
- Encryption algorithm = AES
- Hash algorithm = HMAC SHA1
2. You must configure the firewall at the Citrix ADC end to allow the following.
- Any UDP packets for port 500
- Any UDP packets for port 4500
- Any ESP (IP protocol number 50) packets
3. You must configure Amazon AWS before specifying the tunnel configuration on the Citrix ADC, because the public IP address of the AWS end (gateway) of the tunnel and the PSK are automatically generated when you set up the tunnel configuration in AWS. You need this information for specifying the tunnel configuration on the Citrix ADC appliance.
4. AWS gateway supports static routes and the BGP protocol for route updates. The Citrix ADC appliance does not support the BGP protocol in a CloudBridge Connector tunnel to AWS gateway. Therefore, appropriate static routes must be used on both sides of the CloudBridge Connector tunnel for proper routing of traffic through the tunnel.
Configuring Amazon AWS for the CloudBridge Connector tunnel
To create a CloudBridge Connector tunnel configuration on Amazon AWS, use the Amazon AWS Management Console, which is a web based graphical interface for creating and managing resources on Amazon AWS.
Before you begin the CloudBridge Connector tunnel configuration on AWS cloud, make sure that:
- You have a user account for Amazon AWS cloud.
- You have a virtual private cloud whose networks you want to connect to the networks at the Citrix ADC side through the CloudBridge Connector tunnel.
- You are familiar with the Amazon AWS Management Console.
Note:
The procedures for configuring Amazon AWS for a CloudBridge Connector tunnel might change over time, depending on the Amazon AWS release cycle. Citrix recommends that you refer to the Amazon AWS documentation for the latest procedures.
To configure a CloudBridge Connector tunnel between a Citrix ADC appliance and an AWS gateway, perform the following tasks on the AWS Management Console:
- Create a Customer Gateway. A customer gateway is an AWS entity that represents a CloudBridge Connector tunnel endpoint. For a CloudBridge Connector tunnel between a Citrix ADC appliance and AWS gateway, the customer gateway represents the Citrix ADC appliance on AWS. The customer gateway specifies a name, the type of routing (static or BGP) used in the tunnel, and the CloudBridge Connector tunnel endpoint IP address on the Citrix ADC side. The IP address can be an Internet-routable Citrix ADC owned subnet IP (SNIP) address or, if the Citrix ADC appliance is behind a NAT device, an Internet-routable NAT IP address that represents the SNIP address.
- Create a Virtual Private Gateway and attach it to a VPC. A virtual private gateway is a CloudBridge Connector tunnel endpoint at the AWS side. When you create a virtual private gateway, you assign it a name or allow AWS to assign the name. You then associate the virtual private gateway with a VPC. This association enables the subnets of the VPC to connect to the subnets at the Citrix ADC side through the CloudBridge Connector tunnel.
- Create a VPN Connection. A VPN connection specifies a customer gateway and a virtual private gateway between which a CloudBridge Connector tunnel is to be created. It also specifies an IP prefix for the networks at the Citrix ADC side. Only IP prefixes that are known to the virtual private gateway (through a static route entry) can receive traffic from the VPC through the tunnel. Also, the virtual private gateway does not route any traffic not destined to the specified IP prefixes through the tunnel. After configuring a VPN connection, you might have to wait a few minutes for it to be created.
- Configure Routing Options. For the VPC’s network to reach the networks at the Citrix ADC side through the CloudBridge Connector tunnel, you must configure the VPC’s routing table to include routes for the networks at the Citrix ADC side and point those routes to the virtual private gateway. You can include routes in a VPC’s routing table in one of the following ways:
- Enable Route Propagation. You can enable route propagation for your routing table, so that routes are automatically propagated to the table. The static IP prefixes that you specify for VPN configuration are propagated to the routing table after you’ve created the VPN connection.
- Enter Static Routes Manually. If you do not enable route propagation, you must manually enter the static routes for the networks at the Citrix ADC side.
- Download Configuration. After the CloudBridge Connector tunnel (VPN connection) configuration is created on AWS, download the configuration file of the VPN connection to your local system. You might need the information in the configuration file for configuring the CloudBridge Connector tunnel on the Citrix ADC appliance.
To create a customer gateway
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- Navigate to VPN Connections > Customer Gateways and click on Create Customer Gateway.
- In the Create Customer Gateway dialog box, set the following parameters and then click Yes, Create:
- Name tag. A name for the customer gateway.
- Routing list. Type of routing between Citrix ADC appliance and AWS virtual private gateway for advertising routes to each other through the CloudBridge Connector tunnel. Select Static Routing from the Routing list. Note: The Citrix ADC appliance does not support the BGP protocol in a CloudBridge Connector tunnel to AWS gateway. Therefore, appropriate static routes must be used on both sides of the CloudBridge Connector tunnel for proper routing of traffic through the tunnel.
- IP Address. Internet-routable CloudBridge Connector tunnel endpoint IP address on the Citrix ADC side. The IP address can be an Internet-routable Citrix ADC owned subnet IP (SNIP) address or, if the Citrix ADC appliance is behind a NAT device, an Internet-routable NAT IP address that represents the SNIP address.
To create a virtual private gateway and attach it to a VPC
- Navigate to VPN Connections > Virtual Private Gateways, and then click Create Virtual Private Gateway.
- Enter a name for the virtual private gateway, and then click Yes, Create.
- Select the virtual private gateway that you created, and then click Attach to VPC.
- In the Attach to VPC dialog box, select your VPC from the list, and then choose Yes, Attach.
To create a VPN connection:
- Navigate to VPN Connections > VPN Connections and then click Create VPN Connection.
- In the Create VPN Connection dialog box set the following parameters and then choose Yes, Create:
- Name tag. A name for the VPN connection.
- Virtual Private Gateway. Select the virtual private gateway that you created earlier.
- Customer Gateway. Select Existing. Then, from the drop down list, select the customer gateway that you created earlier.
- Routing Options. Type of routing between the virtual private gateway and customer gateway (Citrix ADC appliance). Select Static. In the Static IP Prefixes field, specify the IP prefixes for the subnet on the Citrix ADC side, separated by commas.
To enable route propagation:
- Navigate to Route Tables and select the routing table that’s associated with the subnet whose traffic is to traverse the CloudBridge Connector tunnel.
Note
By default, this is the main routing table for the VPC.
- On the Route Propagation tab in the details pane, choose Edit, select the virtual private gateway, and then choose Save.
To manually enter static routes:
- Navigate to Route Tables and select your routing table.
- On the Routes tab, click Edit.
- In the Destination field, enter the static route used by your CloudBridge Connector tunnel (VPN connection).
- Select the virtual private gateway ID from the Target list, and then click Save.
To download the configuration file:
- Navigate to VPN Connection, select a VPN connection, and then click Download Configuration.
- In the Download Configuration dialog box, set the following parameters, and then click Yes, Download.
- Vendor. Select Generic.
- Platform. Select Generic.
- Software. Select Vendor Agnostic.
Configuring the Citrix ADC appliance for the CloudBridge Connector tunnel
To configure a CloudBridge Connector tunnel between a Citrix ADC appliance and a virtual private gateway on AWS cloud, perform the following tasks on the Citrix ADC appliance. You can use either the Citrix ADC command line or the GUI.
- Create an IPSec profile. An IPSec profile entity specifies the IPSec protocol parameters, such as IKE version, encryption algorithm, hash algorithm, and PSK, to be used by the IPSec protocol in the CloudBridge Connector tunnel.
- Create an IP tunnel that uses IPSec protocol and associate the IPSec profile with it. An IP tunnel specifies the local IP address (a SNIP address configured on the Citrix ADC appliance), remote IP address (the public IP address of the virtual private gateway in AWS), protocol (IPSec) used to set up the CloudBridge Connector tunnel, and an IPSec profile entity. The created IP tunnel entity is also called the CloudBridge Connector tunnel entity.
- Create a PBR rule and associate it with the IP tunnel. A PBR entity specifies a set of rules and an IP tunnel (CloudBridge Connector tunnel) entity. The source IP address range and the destination IP address range are the conditions for the PBR entity. Set the source IP address range to specify the Citrix ADC-side subnet whose traffic is to traverse the tunnel, and set the destination IP address range to specify the AWS VPC subnet whose traffic is to traverse the CloudBridge Connector tunnel. Any request packet that originates from a client in the subnet on the Citrix ADC side and is destined to a server in the AWS cloud subnet, and matches the source and destination IP range of the PBR entity, is sent across the CloudBridge Connector tunnel associated with the PBR entity.
To create an IPSEC profile by using the Citrix ADC command line
At the Command prompt, type:
add ipsec profile <name> -psk <string> -ikeVersion v1
show ipsec profile <name>
To create an IPSEC tunnel and bind the IPSEC profile to it by using the Citrix ADC command line
At the Command prompt, type:
add ipTunnel <name> <remote> <remoteSubnetMask> <local> -protocol IPSEC -ipsecProfileName <string>
show ipTunnel <name>
To create a PBR rule and bind the IPSEC tunnel to it by using the Citrix ADC command line
At the Command prompt, type:
add pbr <pbrName> ALLOW -srcIP <subnet-range> -destIP <subnet-range> -ipTunnel <tunnelName>
apply pbrs
show pbr <pbrName>
The following commands create all settings of Citrix ADC appliance NS_Appliance-1 used in “Example of CloudBridge Connector tunnel configuration and data flow.”

```
> add ipsec profile NS_AWS_IPSec_Profile -psk DkiMgMdcbqvYREEuIvxsbKkW0Foyabcd -ikeVersion v1 -lifetime 31536000
Done
> add iptunnel NS_AWS_Tunnel 168.63.252.133 255.255.255.255 66.165.176.15 -protocol IPSEC -ipsecProfileName NS_AWS_IPSec_Profile
Done
> add pbr NS_AWS_Pbr -srcIP 10.102.147.0-10.102.147.255 -destIP 10.20.0.0-10.20.255.255 -ipTunnel NS_AWS_Tunnel
Done
> apply pbrs
Done
```
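As an added example (not code from the Citrix documentation or from AWS), the following Python renders the three commands above from the example's settings: it converts CIDR subnets into the low-high ranges that `add pbr` takes, and refuses to render when a setting is one the AWS virtual private gateway does not support (IKE version, algorithm, or a non-routable endpoint). The entity names and addresses are the page's; the PSK value is a labelled placeholder standing in for the key AWS generates.

```python
"""Render and sanity-check the Citrix ADC side of a CloudBridge Connector tunnel
to an AWS virtual private gateway. Added example, not Citrix or AWS code; it
assumes the CLI syntax shown on this page and the AWS-supported IPsec settings
from the page's table (IKE v1, AES, HMAC SHA1, pre-shared key)."""
import ipaddress
from dataclasses import dataclass

# What a virtual private gateway on AWS accepts for the tunnel (page table).
AWS_SUPPORTED = {"ike_version": "v1", "encryption": "AES", "hash_alg": "HMAC_SHA1"}


@dataclass
class TunnelSettings:
    profile_name: str
    tunnel_name: str
    pbr_name: str
    local_ip: str     # Internet-routable SNIP on the Citrix ADC
    remote_ip: str    # outside IP of the AWS virtual private gateway
    dc_subnet: str    # datacenter subnet (CIDR); also the AWS static IP prefix
    aws_subnet: str   # VPC subnet (CIDR)
    psk: str          # pre-shared key AWS generates when the VPN connection is created
    ike_version: str = "v1"
    encryption: str = "AES"
    hash_alg: str = "HMAC_SHA1"
    lifetime: int = 31536000


def cidr_to_pbr_range(cidr: str) -> str:
    """'10.102.147.0/24' -> '10.102.147.0-10.102.147.255', the form add pbr expects."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address}-{net.broadcast_address}"


def validate(s: TunnelSettings) -> list[str]:
    """Return the problems found; an empty list means the settings are usable."""
    problems = []
    for key, wanted in AWS_SUPPORTED.items():
        if getattr(s, key) != wanted:
            problems.append(f"{key}={getattr(s, key)!r} is not supported by AWS "
                            f"(expected {wanted!r})")
    for ip in (s.local_ip, s.remote_ip):
        if ipaddress.ip_address(ip).is_private:
            problems.append(f"tunnel endpoint {ip} is not Internet-routable")
    if ipaddress.ip_network(s.dc_subnet).overlaps(ipaddress.ip_network(s.aws_subnet)):
        problems.append("datacenter and VPC subnets overlap; static routes cannot separate them")
    return problems


def render_commands(s: TunnelSettings) -> list[str]:
    """Citrix ADC CLI commands for the profile, tunnel and PBR, in apply order."""
    problems = validate(s)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"add ipsec profile {s.profile_name} -psk {s.psk} "
        f"-ikeVersion {s.ike_version} -lifetime {s.lifetime}",
        # /32 remote mask: the only peer reachable through the tunnel is the gateway itself
        f"add ipTunnel {s.tunnel_name} {s.remote_ip} 255.255.255.255 {s.local_ip} "
        f"-protocol IPSEC -ipsecProfileName {s.profile_name}",
        f"add pbr {s.pbr_name} ALLOW -srcIP {cidr_to_pbr_range(s.dc_subnet)} "
        f"-destIP {cidr_to_pbr_range(s.aws_subnet)} -ipTunnel {s.tunnel_name}",
        "apply pbrs",
    ]


# Settings from the page's example; the PSK is a placeholder, not a real key.
EXAMPLE = TunnelSettings(
    profile_name="NS_AWS_IPSec_Profile", tunnel_name="NS_AWS_Tunnel",
    pbr_name="NS_AWS_Pbr", local_ip="66.165.176.15", remote_ip="168.63.252.133",
    dc_subnet="10.102.147.0/24", aws_subnet="10.20.20.0/24",
    psk="PSK_FROM_AWS_CONFIG_FILE_PLACEHOLDER",
)
```

Calling `render_commands(EXAMPLE)` yields the commands in the order they must be entered; the PBR destination range it produces is the /24 from the settings table rather than the wider range in the transcript above.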
To create an IPSEC profile by using the GUI
1. Navigate to System > CloudBridge Connector > IPSec Profile.
2. In the details pane, click Add.
3. In the Add IPSec Profile dialog box, set the following parameters:
- Name
- Encryption Algorithm
- Hash Algorithm
- IKE Protocol Version (select V1)
4. Select the Pre-shared Key Authentication method and set the Pre-Shared Key Exists parameter.
5. Click Create, and then click Close.
To create an IP tunnel and bind the IPSEC profile to it by using the GUI
1. Navigate to System > CloudBridge Connector > IP Tunnels.
2. On the IPv4 Tunnels tab, click Add.
3. In the Add IP Tunnel dialog box, set the following parameters:
- Name
- Remote IP
- Remote Mask
- Local IP Type (In the Local IP Type drop down list, select Subnet IP).
- Local IP (All the configured IPs of the selected IP type are in the Local IP drop down list. Select the desired IP from the list.)
- Protocol
- IPSec Profile
4. Click Create, and then click Close.
To create a PBR rule and bind the IPSEC tunnel to it by using the GUI
1. Navigate to System > Network > PBR.
2. On the PBR tab, click Add.
3. In the Create PBR dialog box, set the following parameters:
- Name
- Action
- Next Hop Type (Select IP Tunnel)
- IP Tunnel Name
- Source IP Low
- Source IP High
- Destination IP Low
- Destination IP High
4. Click Create, and then click Close.
The corresponding new CloudBridge Connector tunnel configuration on the Citrix ADC appliance appears in the GUI.
The current status of the CloudBridge connector tunnel is shown in the Configured CloudBridge Connector pane. A green dot indicates that the tunnel is up. A red dot indicates that the tunnel is down.
Monitoring the CloudBridge Connector tunnel
You can monitor the performance of CloudBridge Connector tunnels on a Citrix ADC appliance by using CloudBridge Connector tunnel statistical counters. For more information about displaying CloudBridge Connector tunnel statistics on a Citrix ADC appliance, see Monitoring CloudBridge Connector Tunnels.