
Inline device integration with Citrix ADC

Security devices such as an Intrusion Prevention System (IPS) and a Next Generation Firewall (NGFW) are deployed in layer 2 inline mode. Their primary function is to protect servers from network attacks and to report security threats on the network.

To provide advanced protection against such threats, a Citrix ADC appliance is integrated with one or more inline devices. An inline device can be any security device, such as an IPS or an NGFW.

The following use cases benefit from integrating inline devices with the Citrix ADC appliance:

  • Inspecting encrypted traffic. Most IPS and NGFW appliances bypass encrypted traffic, leaving servers vulnerable to attacks. A Citrix ADC appliance can decrypt the traffic and send it to inline devices for inspection, which improves the customer’s network security.
  • Offloading inline devices from TLS/SSL processing. TLS/SSL processing is expensive and can drive up system CPU on IPS or NGFW appliances that decrypt the traffic themselves. As encrypted traffic grows at a fast pace, these systems fail to decrypt and inspect it. Citrix ADC offloads TLS/SSL processing from the inline devices, which lets them inspect a higher volume of traffic.
  • Load balancing inline devices. The Citrix ADC appliance load balances multiple inline devices when there is a high volume of traffic.
  • Smart selection of traffic. Not every packet flowing into the appliance needs content inspection, for example downloads of text files. You can configure the Citrix ADC appliance to select specific traffic (for example, .exe files) for inspection and send only that traffic to the inline devices for processing.

How the Citrix ADC is integrated with inline devices

The following diagram shows how a Citrix ADC is integrated with inline security devices.

(Figure: Inline device integration)

When you integrate inline devices with the Citrix ADC appliance, the components interact as follows:

  1. A client sends a request to the Citrix ADC appliance.
  2. The appliance receives the request and, based on policy evaluation, sends it to an inline device. Note: If there are two or more inline devices, the appliance load balances the traffic across them. If the incoming traffic is encrypted, the appliance decrypts it and sends the plain text to the inline device for content inspection.
  3. The inline device inspects the data for threats and decides whether to drop it, reset the connection, or send the data back to the appliance.
  4. If there are security threats, the device modifies the data and sends it to the appliance.
  5. The Citrix ADC in turn re-encrypts the data and forwards the request to the back-end server.
  6. The back-end server sends the response to the Citrix ADC appliance.
  7. The appliance again decrypts the data and sends it to the inline device for inspection.
  8. The appliance re-encrypts the data and sends the response to the client.

Software licensing

To deploy the inline device integration, your Citrix ADC appliance must be provisioned with one of the following licenses:

  1. ADC Premium
  2. ADC Advanced
  3. Telco Advanced
  4. Telco Premium
  5. SWG license

Configuring inline device integration

You can configure a Citrix ADC appliance with an inline device in three different ways. The configuration scenarios are as follows.

Scenario 1 for using a single inline device

To integrate a security device (IPS or NGFW) in inline mode, first enable the Content Inspection feature and enable MBF (MAC-based forwarding) mode globally on the Citrix ADC. Then add the Content Inspection profile and the Content Inspection action that tells the inline device to reset, block, or drop traffic based on the inspection. Next, add the Content Inspection policy that decides which subset of traffic the appliance sends to the inline devices, and configure the load balancing virtual server with the layer 2 connection enabled. Finally, bind the Content Inspection policy to the load balancing virtual server.

(Figure: Using a single inline device)

Enable MBF (MAC-based forwarding) mode

If you want the Citrix ADC appliance to be integrated with inline devices such as an IPS or a firewall, you must enable this mode. For more information about MBF, see the Configure MAC-based Forwarding topic.

At the command prompt, type:

enable ns mode mbf

Enable Content Inspection

If you want the Citrix ADC appliance to decrypt and then send the content for inspection to the inline devices, you must enable the Content Inspection and load balancing features.

enable ns feature contentInspection LoadBalancing

Add Layer 2 connection method

To handle the responses generated by inline devices, the appliance uses a VLAN channel as its layer 2 connection method (L2ConnMethod) for communicating with the inline devices.

At the command prompt, type:

set l4param -l2ConnMethod <l2ConnMethod>

Example:

set l4param -l2ConnMethod VlanChannel

Add Content Inspection profile for service

The inline device configuration for a Citrix ADC appliance is specified in an entity called the Content Inspection profile. The profile is a collection of settings that describe how to integrate with an inline device.

At the command prompt, type:

add contentInspection profile <name> -type InlineInspection -egressInterface <interface_name> -ingressInterface <interface_name> [-egressVlan <positive_integer>] [-ingressVlan <positive_integer>]

Example:

add contentInspection profile Inline_profile1 -type InlineInspection -ingressInterface "1/2" -egressInterface "1/3"

Add IPS-TCP monitor

If you want to configure monitors, you must add a user-defined (custom) monitor. When adding the monitor, you must enable the transparent parameter so that the monitor probes flow through the inline device.

At the command prompt, type:

add lb monitor <monitorName> <type> [-destIP <ip_addr|ipv6_addr>] [-destPort <port>] [-transparent ( YES | NO )]

Example:

add lb monitor ips_tcp TCP -destIP 192.168.10.2 -destPort 80 -transparent YES

Add a service

Add a service. Specify a dummy IP address that is not owned by any device, including the inline devices. Set use source IP address (USIP) to YES and set useproxyport to NO. Health monitoring is ON by default; bind the service to a health monitor and set the TRANSPARENT option of that monitor to YES.

At the command prompt, type:

add service <Service_name> <IP> TCP * -contentInspectionProfileName <Name> -healthMonitor YES -usip YES -useproxyport NO

Example:

add service ips_service 192.168.10.2 TCP * -healthMonitor YES -usip YES -useproxyport NO -contentInspectionProfileName ipsprof

Add a health monitor

By default, the health monitor is turned on; you can disable it if necessary.

At the command prompt, type:

add lb monitor <name> TCP -destIP <ip_addr> -destPort 80 -transparent ( YES | NO )

Example:

add lb monitor ips_tcp TCP -destIP 192.168.10.2 -destPort 80 -transparent YES

Bind the service to the health monitor

After configuring the health monitor, you must bind the service to it.

At the command prompt, type:

bind service <name> -monitorName <name>

Example:

bind service ips_service -monitorName ips_tcp

Add content inspection action for service

After you enable the Content Inspection feature and add the inline profile and service, you must add the Content Inspection action that handles the request. Based on the Content Inspection action, the inline device can drop, reset, or block the traffic after it has inspected the data.

If the inline server or service is down, you can set the ifserverdown parameter on the appliance to one of the following actions:

  • CONTINUE: If you want to bypass content inspection when the remote server is down, choose the CONTINUE action.
  • RESET (default): This action responds to the client by closing the connection with an RST.
  • DROP: This action silently drops the packets without sending a response to the user.

At the command prompt, type:

add contentInspection action <name> -type <type> -serverName <string> [-ifserverdown <ifserverdown>] [-reqTimeout <positive_integer>] [-reqTimeoutAction <reqTimeoutAction>]

add contentInspection action <action_name> -type InlineINSPECTION -serverName <Service_name/Vserver_name>

Example:

add contentInspection action Inline_action -type InlineINSPECTION -serverName ips_service

Add content inspection policy for inspection

After you create a Content Inspection action, you must add a Content Inspection policy to evaluate requests for inspection. The policy is based on a rule that consists of one or more expressions; the policy evaluates the rule and selects the matching traffic for inspection.

At the command prompt, type the following:

add contentInspection policy <policy_name> -rule <Rule> -action <action_name>

Example:

add contentInspection policy Inline_pol1 -rule true -action Inline_action

Add content switching or load balancing virtual server of type HTTP/SSL

To receive the web traffic, you must add a load balancing virtual server, and you must enable the layer 2 connection on it.

At the command prompt, type:

add lb vserver <name> <serviceType> <IPAddress> <port> -l2Conn ON

Example:

add lb vserver HTTP_vserver HTTP 10.102.29.200 8080 -l2Conn ON

Bind Content Inspection policy to content switching virtual server or load balancing virtual server of type HTTP/SSL

You bind the load balancing virtual server or content switching virtual server of type HTTP/SSL to the Content Inspection policy. At the command prompt, type the following:

bind lb vserver <vserver name> -policyName <policy_name> -priority <priority> -type REQUEST

Example:

bind lb vserver HTTP_vserver -policyName Inline_pol1 -priority 100 -type REQUEST

Scenario 2: Load balancing multiple inline devices using dedicated interfaces

If you are using two or more inline devices, you must load balance them using different Content Inspection services in a dedicated VLAN setup. In this case, the Citrix ADC appliance load balances the devices and sends each device its subset of the traffic through a dedicated interface. For the basic configuration steps, refer to scenario 1.

(Figure: Inline device integration using dedicated VLAN)

Add content inspection profile1 for service1

Inline configurations for a Citrix ADC appliance are specified in an entity called the Content Inspection profile. The profile is a collection of device settings. Content Inspection profile1 is created for inline service 1, and the communication is through the dedicated interfaces 1/2 and 1/3.

At the command prompt, type:

add contentInspection profile <name> -type InlineInspection -egressInterface <interface_name> -ingressInterface <interface_name> [-egressVlan <positive_integer>] [-ingressVlan <positive_integer>]

Example:

add contentInspection profile Inline_profile1 -type InlineInspection -ingressInterface "1/2" -egressInterface "1/3"

Add content inspection profile2 for service2

Content Inspection profile2 is added for service2, and the inline device communicates with the appliance through the dedicated interfaces 1/4 and 1/5.

At the command prompt, type:

add contentInspection profile <name> -type InlineInspection -egressInterface <interface_name> -ingressInterface <interface_name> [-egressVlan <positive_integer>] [-ingressVlan <positive_integer>]

Example:

add contentInspection profile Inline_profile2 -type InlineInspection -ingressInterface "1/4" -egressInterface "1/5"

Add service 1 for inline device 1

After you enable the Content Inspection feature and add the inline profile, you must add inline service 1 for inline device 1 so that it can be part of the load balancing setup. The service that you add provides all the inline configuration details.

At the command prompt, type:

add service <Service_name_1> <Pvt_IP1> TCP * -contentInspectionProfileName <Inline_Profile_1> -healthMonitor NO -usip YES -useproxyport NO

Example:

add service Inline_service1 10.102.29.200 TCP 80 -contentInspectionProfileName Inline_profile1 -healthMonitor NO -usip YES -useproxyport NO

Add service 2 for inline device 2

After you enable the Content Inspection feature and add the inline profile, you must add inline service 2 for inline device 2. The service that you add provides all the inline configuration details.

At the command prompt, type:

add service <Service_name_2> <Pvt_IP2> TCP * -contentInspectionProfileName <Inline_Profile_2> -healthMonitor NO -usip YES -useproxyport NO

Example:

add service Inline_service2 10.29.20.205 TCP 80 -contentInspectionProfileName Inline_profile2 -healthMonitor NO -usip YES -useproxyport NO

Add load balancing virtual server

After you have added the inline profile and the services, you must add a load balancing virtual server for load balancing the services.

At the command prompt, type:

add lb vserver <vserver_name> TCP [<IPAddress> <port>]

Example:

add lb vserver lb-Inline_vserver TCP *

Bind service 1 to the load balancing virtual server

After you add the load balancing virtual server, bind the first service to it.

At the command prompt, type:

bind lb vserver <Vserver_name> <Service_name_1>

Example:

bind lb vserver lb-Inline_vserver Inline_service1

Bind service 2 to the load balancing virtual server

After you add the load balancing virtual server, bind the second service to it.

At the command prompt, type:

bind lb vserver <Vserver_name> <Service_name_2>

Example:

bind lb vserver lb-Inline_vserver Inline_service2

Add content inspection action for the service

After you enable the Content Inspection feature, you must add the Content Inspection action that handles the inline request. Based on the action selected, the inline device drops, resets, or blocks the traffic after it has examined the given subset of traffic.

At the command prompt, type:

add contentInspection action <name> -type <type> -serverName <string> [-ifserverdown <ifserverdown>] [-reqTimeout <positive_integer>] [-reqTimeoutAction <reqTimeoutAction>]

add contentInspection action <action_name> -type InlineINSPECTION -serverName <Service_name/Vserver_name>

Example:

add contentInspection action Inline_action -type InlineINSPECTION -serverName lb-Inline_vserver

Add content inspection policy for inspection

After you create a Content Inspection action, you must add a Content Inspection policy to evaluate requests for inspection. The policy is based on a rule that consists of one or more expressions; when a request matches the rule, the Content Inspection action associated with the policy is applied.

At the command prompt, type the following:

add contentInspection policy <policy_name> -rule <Rule> -action <action_name>

Example:

add contentInspection policy Inline_pol1 -rule true -action Inline_action

Add content switching or load balancing virtual server of type HTTP/SSL

Add a content switching or load balancing virtual server to accept the web traffic, and enable the layer 2 connection on it. For more information about load balancing, see the How load balancing works topic.

At the command prompt, type:

add lb vserver <name> <serviceType> <IPAddress> <port> -l2Conn ON

Example:

add lb vserver http_vserver HTTP 10.102.29.200 8080 -l2Conn ON

Bind Content Inspection policy to load balancing virtual server of type HTTP/SSL

You must bind the Content Inspection policy to the content switching or load balancing virtual server of type HTTP/SSL.

At the command prompt, type the following:

bind lb vserver <vserver name> -policyName <policy_name> -priority <priority> -type <L7InlineREQUEST | L4InlineREQUEST>

Example:

bind lb vserver http_vserver -policyName Inline_pol1 -priority 100 -type REQUEST

Scenario 3: Load balancing multiple inline devices using shared interfaces

Refer to this configuration if you are using multiple inline devices and want to load balance them using different services over shared VLAN interfaces. This configuration with shared VLAN interfaces is similar to scenario 2; for the basic configuration steps, refer to scenario 2.

(Figure: Load balancing multiple inline devices using shared VLAN)

Bind VLAN A with sharing option enabled

At the command prompt, type the following:

bind vlan <id> -ifnum <interface> -tagged

Example:

bind vlan 100 -ifnum 1/2 -tagged

Bind VLAN B with sharing option enabled

At the command prompt, type the following:

bind vlan <id> -ifnum <interface> -tagged

Example:

bind vlan 200 -ifnum 1/3 -tagged

Bind VLAN C with sharing option enabled

At the command prompt, type the following:

bind vlan <id> -ifnum <interface> -tagged

Example:

bind vlan 300 -ifnum 1/2 -tagged

Bind VLAN D with sharing option enabled

At the command prompt, type the following:

bind vlan <id> -ifnum <interface> -tagged

Example:

bind vlan 400 -ifnum 1/3 -tagged

Add content inspection profile1 for service1

Inline configurations for a Citrix ADC appliance are specified in an entity called the Content Inspection profile. The profile is a collection of device settings. Content Inspection profile1 is created for inline service 1; the communication is through the shared interfaces 1/2 and 1/3, on VLAN 300 (ingress) and VLAN 100 (egress).

At the command prompt, type:

add contentInspection profile <name> -type InlineInspection -egressInterface <interface_name> -ingressInterface <interface_name> [-egressVlan <positive_integer>] [-ingressVlan <positive_integer>]

Example:

add contentInspection profile Inline_profile1 -type InlineInspection -ingressInterface "1/2" -egressInterface "1/3" -egressVlan 100 -ingressVlan 300

Add content inspection profile2 for service2

Content Inspection profile2 is added for service2; the inline device communicates with the appliance through the same shared interfaces 1/2 and 1/3, on VLAN 400 (ingress) and VLAN 200 (egress).

At the command prompt, type:

add contentInspection profile <name> -type InlineInspection -egressInterface <interface_name> -ingressInterface <interface_name> [-egressVlan <positive_integer>] [-ingressVlan <positive_integer>]

Example:

add contentInspection profile Inline_profile2 -type InlineInspection -ingressInterface "1/2" -egressInterface "1/3" -egressVlan 200 -ingressVlan 400
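The three scenarios above contain cross-references that are easy to get wrong when the commands are typed by hand: a monitor bound to a service name that was never created, the same service name reused for two devices, -l2Conn left off the front-end virtual server, a non-transparent monitor, or a service IP that one of the devices actually owns. The following Python is an added example, not code from this Citrix document or from the product: it models the objects of scenarios 1 to 3 as plain data and checks those references and settings offline, before anything is configured on the appliance. Object and field names mirror the CLI parameters on this page; the 192.0.2.x addresses stand in for the real inline devices and are constructed placeholders.

```python
# Offline consistency check for a Citrix ADC inline-device (IPS/NGFW) setup (added example).
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Profile:    # add contentInspection profile ... -type InlineInspection
    name: str
    ingress: str
    egress: str
    ingress_vlan: Optional[int] = None
    egress_vlan: Optional[int] = None

@dataclass
class Service:    # add service <name> <dummy IP> TCP ... -contentInspectionProfileName
    name: str
    ip: str
    profile: str
    usip: str = "YES"
    useproxyport: str = "NO"
    healthmonitor: str = "YES"
    monitors: List[str] = field(default_factory=list)  # bind service ... -monitorName

@dataclass
class LbVserver:  # add lb vserver <name> <servicetype> ... [-l2Conn ON]
    name: str
    servicetype: str
    l2conn: str = "OFF"
    services: List[str] = field(default_factory=list)  # bind lb vserver <name> <service>

@dataclass
class Policy:     # add contentInspection policy ...; bind lb vserver ... -type REQUEST
    name: str
    action: str
    bound_to: str  # the HTTP/SSL lb vserver that receives the client traffic

@dataclass
class InlineSetup:
    device_ips: List[str]      # addresses really owned by the inline devices
    profiles: List[Profile]
    monitors: Dict[str, str]   # add lb monitor: name -> -transparent value
    services: List[Service]
    vservers: List[LbVserver]
    actions: Dict[str, str]    # add contentInspection action: name -> -serverName
    policies: List[Policy]

def validate(s: InlineSetup) -> List[str]:
    """Return findings; an empty list means the settings the page calls out are consistent."""
    out: List[str] = []
    profiles = {p.name for p in s.profiles}
    services = {x.name for x in s.services}
    vservers = {v.name: v for v in s.vservers}
    used = {}  # (interface, VLAN) -> profile: shared interfaces need distinct VLANs (scenario 3)
    for p in s.profiles:
        for key in ((p.ingress, p.ingress_vlan), (p.egress, p.egress_vlan)):
            if key in used:
                out.append(f"profile {p.name}: {key[0]} VLAN {key[1]} already used by {used[key]}")
            used[key] = p.name
    for svc in s.services:
        if svc.profile not in profiles:
            out.append(f"service {svc.name}: unknown profile {svc.profile}")
        if svc.ip in s.device_ips:
            out.append(f"service {svc.name}: {svc.ip} is owned by a device; use a dummy IP")
        if (svc.usip, svc.useproxyport) != ("YES", "NO"):
            out.append(f"service {svc.name}: expected -usip YES -useproxyport NO")
        if svc.healthmonitor == "YES" and not svc.monitors:
            out.append(f"service {svc.name}: health monitoring on but no monitor bound")
        for m in svc.monitors:
            if m not in s.monitors:
                out.append(f"service {svc.name}: unknown monitor {m}")
            elif s.monitors[m] != "YES":
                out.append(f"monitor {m}: -transparent must be YES to reach the inline device")
    for name, target in s.actions.items():
        vs = vservers.get(target)
        if target not in services and vs is None:
            out.append(f"action {name}: serverName {target} does not exist")
        elif vs is not None and (not vs.services or any(n not in services for n in vs.services)):
            out.append(f"action {name}: vserver {target} has no valid inline services bound")
    for pol in s.policies:
        if pol.action not in s.actions:
            out.append(f"policy {pol.name}: unknown action {pol.action}")
        vs = vservers.get(pol.bound_to)
        if vs is None or vs.servicetype not in ("HTTP", "SSL"):
            out.append(f"policy {pol.name}: bind to an HTTP/SSL lb vserver, not {pol.bound_to}")
        elif vs.l2conn != "ON":
            out.append(f"vserver {vs.name}: -l2Conn must be ON")
    return out

def scenario2() -> InlineSetup:
    """Scenario 2 from the page; the 192.0.2.x device addresses are constructed placeholders."""
    return InlineSetup(
        device_ips=["192.0.2.10", "192.0.2.11"],
        profiles=[Profile("Inline_profile1", "1/2", "1/3"), Profile("Inline_profile2", "1/4", "1/5")],
        monitors={},
        services=[Service("Inline_service1", "10.102.29.200", "Inline_profile1", healthmonitor="OFF"),
                  Service("Inline_service2", "10.29.20.205", "Inline_profile2", healthmonitor="OFF")],
        vservers=[LbVserver("lb-Inline_vserver", "TCP", services=["Inline_service1", "Inline_service2"]),
                  LbVserver("http_vserver", "HTTP", l2conn="ON")],
        actions={"Inline_action": "lb-Inline_vserver"},
        policies=[Policy("Inline_pol1", "Inline_action", "http_vserver")],
    )
```

validate(scenario2()) returns an empty list. Changing one reference, for instance binding a monitor named ips_tcp to a service when no such monitor was added, or turning -l2Conn off on http_vserver, returns a finding that names the object at fault, which is exactly the class of slip a hand-typed configuration hides until traffic stops flowing.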

Configure inline service integration using the Citrix ADC GUI

  1. Log on to the Citrix ADC appliance and navigate to the Configuration tab.
  2. Navigate to System > Settings > Configure Modes.
  3. In the Configure Modes page, select Mac Based Forwarding.
  4. Click OK and Close.
  5. Navigate to System > Settings > Configure Advanced Features.
  6. In the Configure Advanced Feature page, select Content Inspection.
  7. Click OK and Close.
  8. Navigate to Security > Content Inspection > ContentInspection Profiles.
  9. In the ContentInspection Profiles page, click Add.
  10. In the Create ContentInspection Profiles page, set the following parameters.
    1. Profile Name. Name of the content inspection profile.
    2. Type. Select the profile type as inlineInspection.
    3. Egress Interface. Interface through which the appliance sends traffic from the Citrix ADC to the Inline device.
    4. Ingress Interface. Interface through which the appliance receives traffic from the Inline device to the Citrix ADC.
    5. Egress VLAN. Interface VLAN ID through which the traffic is sent to the Inline device.
    6. Ingress VLAN. Interface VLAN ID through which the appliance receives traffic from Inline to Citrix ADC (if it is configured).
  11. Click Create and Close.
  12. Navigate to Traffic Management > Load Balancing > Services and click Add.
  13. In the Services page, set the following parameters:

    1. Service name. Name of the load balancing service.
    2. IP address. Use a dummy IP address. Note: No device must own the IP address.
    3. Protocol. Select protocol type as TCP.
    4. Port. Enter *
    5. Health Monitoring. Clear this option and enable it only if you want to bind the service to the TCP type monitor. If you want to bind a monitor to service then the TRANSPARENT option in the monitor must be ON. See step 14 on how to add monitor and how to bind it to service.
    6. Click OK.
  14. In the Settings section, edit the following and click OK.

    1. Use Proxy Port: Turn it OFF
    2. Use Source IP Address: Turn it ON
  15. In the Advanced Settings section, click Profiles.
  16. Go to Profiles section, and add the inline content inspection profile and click OK.
  17. Go to Monitors section, Add Bindings > Select Monitor > Add.

    1. Name: Name of monitor
    2. Type: Select TCP type
    3. Destination IP, PORT: Destination IP address and Port.
    4. Transparent: Turn ON

    Note: Monitor packets must flow through the inline device to monitor inline device status.

  18. Click Create.
  19. Click Done.
  20. Navigate to Traffic Management > Load Balancing > Virtual Servers. Add a virtual server of type HTTP or SSL.
  21. After entering the server details, click OK and again OK.
  22. In the Traffic Settings section of Load Balancing Virtual Server, turn Layer 2 Parameters ON.
  23. In the Advanced Settings section, click Policies.
  24. Go to the Policies section and click the “+” icon to configure the content inspection policy.
  25. On the Choose Policy page, select Content Inspection. Click Continue.
  26. In the Policy Binding section, click Add to add a Content Inspection policy.
  27. In the Create ContentInspection Policy page, enter a name for the Inline content inspection policy.
  28. In the Action field, click Add to create an Inline content inspection action.
  29. In the Create CI Action page, set the following parameters:

    1. Name. Name of the content inspection Inline policy.
    2. Type. Select the type as inlineInspection.
    3. Server. Select the server/service as Inline devices.
    4. If Server Down. Select an operation if the server goes down.
    5. Request Time-out. Select a time-out value. You can use default values.
    6. Request Time-out Action. Select a time-out action. You can use default values.
  30. Click Create.
  31. In the Create CI Policy page, enter the remaining details.
  32. Click OK and Close.