- 
                    
                    Getting Started with NetScaler 
- 
                    
                    Solutions for Telecom Service Providers 
- 
                                    Load Balance Control-Plane Traffic that is based on Diameter, SIP, and SMPP Protocols 
- 
                                    Provide Subscriber Load Distribution Using GSLB Across Core-Networks of a Telecom Service Provider 
 
- 
                    
                    Authentication, authorization, and auditing application traffic 
- 
                                    Basic components of authentication, authorization, and auditing configuration 
- 
                                    Web Application Firewall protection for VPN virtual servers and authentication virtual servers 
- 
                                    On-premises NetScaler Gateway as an identity provider to Citrix Cloud™ 
- 
                                    Authentication, authorization, and auditing configuration for commonly used protocols 
- 
                                    Troubleshoot authentication and authorization related issues 
 
- 
                    
                    
                        
- 
                    
                    
                        
- 
                    
                    
                        
- 
                    
                    
                        
- 
                    
                    
                        
- 
                                    Persistence and persistent connections 
- 
                                    Advanced load balancing settings - 
                                                    Gradually stepping up the load on a new service with virtual server–level slow start 
- 
                                                    Protect applications on protected servers against traffic surges 
- 
                                                    Retrieve location details from user IP address using geolocation database 
- 
                                                    Use source IP address of the client when connecting to the server 
- 
                                                    Use client source IP address for backend communication in a v4-v6 load balancing configuration 
- 
                                                    Set a limit on number of requests per connection to the server 
- 
                                                    Configure automatic state transition based on percentage health of bound services 
 
- 
                                                    
- 
                                    Use case 2: Configure rule based persistence based on a name-value pair in a TCP byte stream 
- 
                                    Use case 3: Configure load balancing in direct server return mode 
- 
                                    Use case 6: Configure load balancing in DSR mode for IPv6 networks by using the TOS field 
- 
                                    Use case 7: Configure load balancing in DSR mode by using IP Over IP 
- 
                                    Use case 10: Load balancing of intrusion detection system servers 
- 
                                    Use case 11: Isolating network traffic using listen policies 
- 
                                    Use case 12: Configure Citrix Virtual Desktops for load balancing 
- 
                                    Use case 13: Configure Citrix Virtual Apps and Desktops for load balancing 
- 
                                    Use case 14: ShareFile wizard for load balancing Citrix ShareFile 
- 
                                    Use case 15: Configure layer 4 load balancing on the NetScaler appliance 
 
- 
                    
                    
                        
- 
                    
                    
                        
- 
                    
                    
                        
- 
                                    Authentication and authorization for System Users 
- 
                                    
                                    
- 
                                                    Configuring a CloudBridge Connector Tunnel between two Datacenters 
- 
                                                    Configuring CloudBridge Connector between Datacenter and AWS Cloud 
- 
                                                    Configuring a CloudBridge Connector Tunnel Between a Datacenter and Azure Cloud 
- 
                                                    Configuring CloudBridge Connector Tunnel between Datacenter and SoftLayer Enterprise Cloud 
- 
                                                    Configuring a CloudBridge Connector Tunnel Between a NetScaler Appliance and Cisco IOS Device 
- 
                                                    CloudBridge Connector Tunnel Diagnostics and Troubleshooting 
 
 
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
Use case 11: Isolating network traffic using listen policies
Note
The traffic isolation solution using shadow virtual servers to simulate multitenant isolation is no more recommended. Alternatively, Citrix recommends you to use the NetScaler Admin Partitioning feature for such deployments. For more information, see Admin Partitioning.
A common security requirement in a data center is to maintain network path isolation between the traffic of various applications or tenants. One application or tenant’s traffic must be isolated from the traffic of other applications or tenants. For example, a financial services company would want to keep the traffic of its insurance department’s applications separate from that of its financial services applications. In the past, this was easily achieved through physical separation of network service devices such as firewalls, load balancers, and IdP, and network monitoring and logical separation in the switching fabric.
As data center architectures evolve toward multitenant virtualized data centers, networking services in the aggregation layer of a data center are getting consolidated. This development has made network path isolation a critical component for network service devices and is driving the requirement for ADCs to be able to isolate traffic at the L4 to L7 levels. Furthermore, all the traffic of a particular tenant must go through a firewall before reaching the service layer.
To address the requirement of isolating the network paths, a NetScaler appliance identifies the network domains and controls the traffic across the domains. The NetScaler solution has two main components: listen policies and shadow virtual servers.
Each network path to be isolated is assigned a virtual server on which a listen policy is defined so that the virtual server listens to traffic only from a specified network domain.
To isolate the traffic, listen policies can be based on several client parameters or their combinations, and the policies can be assigned priorities. The following table lists the parameters that can be used in listen policies for identifying the traffic.
| Category | Parameters | 
|---|---|
| Ethernet protocol | Source MAC address, destination MAC address | 
| Network interface | Network ID, receiving throughput, sending throughput, transmission throughput | 
| IP protocol | Source IP address, destination IP address | 
| IPv6 protocol | Source IPv6 address, destination IPv6 address | 
| TCP protocol | Source port, destination port, maximum segment size, payload, and other options | 
| UDP protocol | Source port, destination port | 
| VLAN | ID | 
Table 1. Client Parameters Used to Define Listen Policies
On the NetScaler appliance, a virtual server is configured for each domain, with a listen policy specifying that the virtual server is to listen only to traffic for that domain. Also configured for each domain is a shadow load balancing virtual server, which listens to traffic destined for any domain. Each of the shadow load balancing virtual servers has a wildcard (*) IP address and port, and its service type is set to ANY.
In each domain, a firewall for the domain is bound as a service to the shadow load balancing virtual server, which forwards all traffic through the firewall. Local traffic is forwarded to its destination, and traffic destined for another domain is forwarded to the firewall for that domain. The shadow load balancing virtual servers are configured for MAC mode redirection.
How network paths are isolated
The following figure shows a typical traffic flow across domains. Consider the traffic flow within Network Domain 1, and between Network Domain 1 and Network Domain 2.
Figure 1. Isolating Network Path

Traffic within network domain 1
Network Domain 1 has three VLANs: VLAN 11, VLAN110, and VLAN120. The following steps describe the traffic flow.
- A client from VLAN 11 sends a request for a service available from the service pool in VLAN 120.
- The load balancing virtual server LB-VIP1, which is configured to listen to traffic from VLAN 11, receives the request and forwards the request to VLAN 110. The virtual server in VLAN 110 forwards the request to shadow load balancing virtual server FW-VIP-1.
- FW-VIP-1, which is configured to listen to traffic from VLAN 110, receives the request and forwards it to VLAN 120.
- The load balancing virtual server in VLAN 120 load balances the request to one of the physical servers, App11, App12, or App13.
- The response sent by the physical server returns by the same path to the client in VLAN 11.
This configuration ensures that traffic is always segregated inside the NetScaler for all the traffic that originates from a client.
Traffic between network domain 1 and network domain 2
Network Domain 1 has three VLANs: VLAN 11, VLAN 110, and VLAN 120. Network Domain 2 also has three VLANS: VLAN 22, VLAN 210, and VLAN 220. The following steps describe the traffic flow from VALN 11 to VLAN 22.
- A client from VLAN 11, which belongs to Network Domain 1, sends a request for a service available from the service pool in VLAN 220, which belongs to the Network Domain 2.
- In Network Domain 1, the load balancing virtual server LB-VIP1, which is configured to listen to traffic from VLAN 11, receives the request and forwards the request to VLAN 110.
- Shadow load balancing virtual server FW-VIP-1, which is configured to listen to VLAN 110 traffic destined to any other domain, receives the request and forwards it to firewall virtual server FW-VIP-2 because the request is destined to a physical server in Network Domain 2.
- In Network Domain 2, FW-VIP-2 forwards the request to VLAN 220.
- The load balancing virtual server in VLAN 220 load balances the request to one of the physical servers, App21, App22, or App23.
- The response sent by the physical server returns by the same path through the firewall in Network Domain 2 and then to Network Domain 1 to reach the client in VLAN 11.
Configuration Steps
To configure network path isolation by using listen policies, do the following:
- Add listen policy expressions. Each expression specifies a domain to which traffic is destined. You can use the VLAN ID or other parameters to identify the traffic.
- For each network domain, configure two virtual servers as follows:
    - 
        Create a load balancing virtual server for which you specify a listen policy that identifies the traffic destined for this domain. You can specify the name of an expression created earlier, or you can create an expression while creating the virtual server. 
- 
        Create another load balancing virtual server, referred to as shadow virtual server, for which you specify a listen policy expression that applies to traffic destined for any domain. On this virtual server, set the service type to ANY and the IP address and port to an asterisk (*). Enable MAC-based forwarding on this virtual server. 
- 
        Enable the L2 Connection option on both the virtual servers. Generally, to identify a connection, the NetScaler appliance uses the 4-tuple of client IP address, client port, destination IP address, and destination port. When you enable the L2 Connection option, the Layer 2 parameters of the connection (channel number, MAC address, and VLAN ID) are used in addition to the normal 4-tuple. 
 
- 
        
- Add services representing the server pools in the domain, and bind them to the virtual server.
- Configure the firewall for each domain as a service, and bind all the firewall services to the shadow virtual server.
To isolate network traffic by using the command line interface
At the command prompt, type the following commands:
add policy expression <expressionName> <listenPolicyExpression>
add lb vserver <name> <serviceType> <ip> <port> -l2conn ON -listenPolicy <expressionName>
<!--NeedCopy-->
Add a load balancing virtual server for each domain. This virtual server is for traffic of the same domain.
add lb vserver <name> ANY * * -l2conn ON -m MAC -listenPolicy <expressionName>
<!--NeedCopy-->
Add a shadow load balancing virtual server for each domain. This virtual server is for traffic of other domains.
Example:
add policy expression e110 client.vlan.id==110
add policy expression e210 client.vlan.id==210
add policy expression e310 client.vlan.id==310
add policy expression e11 client.vlan.id==11
add policy expression e22 client.vlan.id==22
add policy expression e33 client.vlan.id==33
add lb vserver LB-VIP1 HTTP 10.1.1.254 80 -persistenceType NONE -listenPolicy e11
-cltTimeout 180 -l2Conn ON
add lb vserver LB-VIP2 HTTP 10.2.2.254 80 -persistenceType NONE - listenPolicy e22
-cltTimeout 180 -l2Conn ON
add lb vserver LB-VIP3 HTTP 10.3.3.254 80 -persistenceType NONE - listenPolicy e33
-cltTimeout 180 -l2Conn ON
add lb vserver FW-VIP-1 ANY * * -persistenceType NONE -lbMethod ROUNDROBIN - listenPolicy e110 -Listenpriority 1 -m MAC -cltTimeout 120
add lb vserver FW-VIP-2 ANY * * -persistenceType NONE -lbMethod ROUNDROBIN - listenPolicy e210 -Listenpriority 2 -m MAC -cltTimeout 120
add lb vserver FW-VIP-3 ANY * * -persistenceType NONE -lbMethod ROUNDROBIN - listenPolicy e310 -Listenpriority 3 -m MAC -cltTimeout 120
add service RD-1 10.1.1.1 ANY * -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED
-usip NO -useproxyport NO -sp ON -cltTimeout 120 -svrTimeout 120 -CKA NO -TCPB NO -CMP NO
add service RD-2 10.2.2.1 ANY * -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED
-usip NO -useproxyport NO -sp ON -cltTimeout 120 -svrTimeout 120 -CKA NO -TCPB NO -CMP NO
add service RD-3 10.3.3.1 ANY * -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED
-usip NO -useproxyport NO -sp ON -cltTimeout 120 -svrTimeout 120 -CKA NO -TCPB NO -CMP NO
bind lb vserver FW-VIP-1 RD-1
bind lb vserver FW-VIP-2 RD-2
bind lb vserver FW-VIP-3 RD-3
<!--NeedCopy-->
To isolate network traffic by using the configuration utility
- Add services representing the servers, as described in Creating a Service.
- Add each firewall as a service:
    - Navigate to Traffic Management > Load Balancing > Services.
- Create a service, specifying the protocol as ANY, server as firewall’s IP address, and port as 80.
 
- Configure a load balancing virtual server.
- Configure the shadow load balancing virtual server.
- For each network domain, repeat steps 3 and 4.
- From the Load Balancing Virtual Servers pane, open the virtual servers that you created and verify the settings.
Share
Share
This Preview product documentation is Cloud Software Group Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Cloud Software Group Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Cloud Software Group product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.