Integrating Citrix ADC layer 3 with passive security devices (Intrusion Detection System)
A Citrix ADC appliance can be integrated with passive security devices such as an Intrusion Detection System (IDS). In this setup, the appliance sends a copy of the original traffic securely to remote IDS devices. These passive devices store logs and trigger alerts when they detect bad or non-compliant traffic, and they generate reports for compliance purposes. If a Citrix ADC appliance is integrated with two or more IDS devices and the traffic volume is high, the appliance can load balance the devices by cloning traffic at the virtual server level.
For advanced security protection, a Citrix ADC appliance is integrated with passive security devices such as an IDS deployed in detection-only mode. These devices store logs and trigger alerts when they see bad or non-compliant traffic, and they generate reports for compliance purposes. Following are some of the benefits of integrating Citrix ADC with an IDS device.
- Inspecting encrypted traffic. Most security devices bypass encrypted traffic, thereby leaving servers vulnerable to attacks. A Citrix ADC appliance can decrypt traffic and send it to IDS devices, enhancing the customer’s network security.
- Offloading inline devices from TLS/SSL processing. TLS/SSL processing is expensive and results in high system CPU usage on intrusion detection devices if they decrypt the traffic themselves. As encrypted traffic grows at a fast pace, these systems fail to decrypt and inspect it. Citrix ADC offloads TLS/SSL processing from the IDS devices, which lets an IDS device support a high volume of traffic inspection.
- Load balancing IDS devices. The Citrix ADC appliance load balances multiple IDS devices when there is a high volume of traffic by cloning traffic at the virtual server level.
- Replicating traffic to passive devices. The traffic flowing into the appliance can be replicated to other passive devices for generating compliance reports. For example, some government agencies mandate that every transaction be logged in a passive device.
- Fanning traffic out to multiple passive devices. Some customers prefer to fan out or replicate incoming traffic to multiple passive devices.
- Smart selection of traffic. Not every packet flowing into the appliance needs content inspection, for example downloads of text files. Users can configure the Citrix ADC appliance to select specific traffic (for example .exe files) for inspection and send only that traffic to IDS devices for processing.
How Citrix ADC is integrated with an IDS device with L3 connectivity
The following diagram shows how the IDS is integrated with a Citrix ADC appliance.
The component interaction is as follows:
- A client sends an HTTP/HTTPS request to the Citrix ADC appliance.
- The appliance intercepts the traffic and sends the data to remote IDS devices across different data centers or even in a cloud. This integration is done through a layer 3 IP tunnel. For more information about IP tunneling in a Citrix ADC appliance, see the IP tunnels topic.
- If the traffic is encrypted, the appliance decrypts the data and sends it as plain text.
- Based on policy evaluation, the appliance applies a “MIRROR” type content inspection action.
- The action has an IDS service or a load balancing service (for multiple IDS device integrations) configured in it.
- The IDS device is configured on the appliance as a content inspection service of type “ANY”. The content inspection service is then associated with a content inspection profile of type “MIRROR” and with the tunnel parameter, which specifies the layer 3 IP tunnel interface through which the data is forwarded to the IDS device.
Note:
Optionally, you can also configure a VLAN tag in the content inspection profile.
- Similarly, when the back-end server sends a response to the Citrix ADC, the appliance replicates the data and forwards it to the IDS device.
- If your appliance is integrated with one or more IDS devices and you prefer to load balance the devices, you can use a load balancing virtual server.
Software licensing
To deploy the IDS integration, your Citrix ADC appliance must be provisioned with one of the following licenses:
- ADC Premium
- ADC Advanced
Configuring intrusion detection system integration
You can integrate an IDS device with a Citrix ADC appliance in two different ways.
Scenario 1: Integration with a single IDS device
Following are the steps you must configure using the command line interface.
- Enable content inspection
- Add a content inspection profile of type MIRROR for the service representing the IDS device
- Add an IDS service of type “ANY”
- Add a content inspection action of type “MIRROR”
- Add a content inspection policy for IDS inspection
- Bind the content inspection policy to a content switching or load balancing virtual server of type HTTP/SSL
Enable Content Inspection
If you want the Citrix ADC appliance to send content to the IDS devices for inspection, you must enable the Content Inspection and load balancing features, regardless of whether the appliance performs decryption.
At the command prompt, type:
enable ns feature contentInspection LoadBalancing
Add Content Inspection profile of type “MIRROR”
The Content Inspection profile of type “MIRROR” specifies how the appliance connects to the IDS device. At the command prompt, type:
Note:
The IP tunnel parameter must be used only for layer 3 IDS topology. Otherwise, you must use the egress interface with the egress VLAN option. GRE/IPIP tunnel types are supported with the layer 3 IDS topology.
add contentInspection profile <name> -type MIRROR -ipTunnel <iptunnel_name>
Example:
add contentInspection profile IDS_profile1 -type MIRROR -ipTunnel ipsect-tunnel1
Add IDS service
You must configure a service of type “ANY” for each IDS device that is integrated with the appliance. The service has the IDS device configuration details. The service represents the IDS device.
At the command prompt, type:
add service <Service_name> <IP> ANY <Port> -contentInspectionProfileName <Name> -healthMonitor OFF -usip ON -useproxyport OFF
Example:
add service IDS_service 1.1.1.1 ANY 8080 -contentInspectionProfileName IDS_profile1 -healthMonitor OFF
Add content inspection action of type MIRROR for IDS service
After you enable the Content Inspection feature and then add the IDS profile and service, you must add the Content Inspection action for handling the request. Based on the content inspection action, the appliance can drop, reset, block, or send data to the IDS device.
At the command prompt, type:
add contentInspection action <action_name> -type MIRROR -serverName <Service_name/Vserver_name>
Example:
add contentInspection action IDS_action -type MIRROR -serverName IDS_service
Add content inspection policy for IDS inspection
After you create a Content Inspection action, you must add Content Inspection policies to evaluate requests for inspection. The policy is based on a rule which consists of one or more expressions. The policy evaluates and selects the traffic for inspection based on the rule.
At the command prompt, type the following:
add contentInspection policy <policy_name> -rule <Rule> -action <action_name>
Example:
add contentInspection policy IDS_pol1 -rule true -action IDS_action
Bind content inspection policy to content switching or load balancing virtual service of type HTTP/SSL
To receive the web traffic, you must add a load balancing virtual server. At the command prompt, type:
add lb vserver <name> <serviceType> <IPAddress> <port>
Example:
add lb vserver HTTP_vserver HTTP 1.1.1.3 8080
Bind Content Inspection policy to content switching virtual server or load balancing virtual server of type HTTP/SSL
You must bind the load balancing virtual server or content switching virtual server of type HTTP/SSL to the Content Inspection policy.
At the command prompt, type the following:
bind lb vserver <vserver_name> -policyName <policy_name> -priority <priority> -type REQUEST
Example:
bind lb vserver HTTP_vserver -policyName IDS_pol1 -priority 100 -type REQUEST
Scenario 2: Load balancing multiple IDS devices
If you are using two or more IDS devices, you must load balance them by using a separate content inspection service for each device. In this case, the Citrix ADC appliance load balances the devices and sends a subset of the traffic to each device. For the basic configuration steps, refer to scenario 1.
Following are the steps you must configure using the command line interface.
- Add content inspection profile 1 of type MIRROR for IDS service 1
- Add content inspection profile 2 of type MIRROR for IDS service 2
- Add IDS service 1 of type ANY for IDS device 1
- Add IDS service 2 of type ANY for IDS device 2
- Add load balancing virtual server of type ANY
- Bind IDS service 1 to load balancing virtual server
- Bind IDS service 2 to load balancing virtual server
- Add content inspection action for the load balancing of IDS devices.
- Add content inspection policy for inspection
- Add content switching or load balancing virtual server of type HTTP/SSL
- Bind content inspection policy to load balancing virtual server of type HTTP/SSL
Add content inspection profile1 of type MIRROR for IDS service 1
IDS configuration can be specified in an entity called the Content Inspection profile. The profile has a collection of device settings. The Content Inspection profile1 is created for IDS service 1.
Note: IP tunnel parameter must be used only for layer 3 IDS topology. Otherwise, you must use the egress interface with the egress VLAN option.
At the command prompt, type:
add contentInspection profile <name> -type MIRROR -ipTunnel <iptunnel_name>
Example:
add contentInspection profile IDS_profile1 -type MIRROR -ipTunnel ipsect_tunnel1
Add content inspection profile 2 of type MIRROR for IDS service 2
The Content Inspection profile 2 is added for IDS service 2, and the IDS device communicates with the appliance through the egress 1/1 interface.
At the command prompt, type:
add contentInspection profile <name> -type MIRROR -ipTunnel <iptunnel_name>
Example:
add contentInspection profile IDS_profile2 -type MIRROR -ipTunnel ipsect_tunnel2
Add IDS service 1 of type ANY for IDS device 1
After you enable the Content Inspection feature and add the IDS profile, you must add IDS service 1 for IDS device 1 so that it is part of the load balancing setup. The service that you add provides all the IDS device configuration details.
At the command prompt, type:
add service <Service_name_1> <Pvt_IP1> ANY <Port> -contentInspectionProfileName <IDS_Profile_1> -usip ON -useproxyport OFF
Example:
add service IDS_service1 1.1.1.1 ANY 80 -contentInspectionProfileName IDS_profile1 -usip ON -useproxyport OFF
Note:
The IP address mentioned in the example is a dummy one.
Add IDS service 2 of type ANY for IDS device 2
After you enable the Content Inspection feature and add the IDS profile, you must add IDS service 2 for IDS device 2. The service that you add provides all the IDS device configuration details.
At the command prompt, type:
add service <Service_name_2> <Pvt_IP2> ANY <Port> -contentInspectionProfileName <IDS_Profile_2> -healthMonitor OFF -usip ON -useproxyport OFF
Example:
add service IDS_service2 1.1.1.2 ANY 80 -contentInspectionProfileName IDS_profile2
Note:
The IP address mentioned in the example is a dummy one.
Add load balancing virtual server
After you have added the inline profile and the services, you must add a load balancing virtual server for load balancing the services.
At the command prompt, type:
add lb vserver <vserver_name> ANY <Pvt_IP3> <port>
Example:
add lb vserver lb-IDS_vserver ANY 1.1.1.2 *
Bind IDS service 1 to load balancing virtual server
After you add the load balancing virtual server, now bind the load balancing virtual server to the first service.
At the command prompt, type:
bind lb vserver <Vserver_name> <Service_name_1>
Example:
bind lb vserver lb-IDS_vserver IDS_service1
Bind IDS service 2 to load balancing virtual server
After you add the load balancing virtual server, bind it to the second service.
At the command prompt, type:
bind lb vserver <Vserver_name> <Service_name_2>
Example:
bind lb vserver lb-IDS_vserver IDS_service2
Add content inspection action for the IDS service
After you enable the Content Inspection feature, you must add the Content Inspection action for handling the request. Based on the action selected, the appliance drops, resets, blocks, or sends traffic to the IDS device.
At the command prompt, type:
add contentInspection action <name> -type <type> -serverName <string> [-ifserverdown <ifserverdown>]
Example:
add contentInspection action IDS_action -type MIRROR -serverName lb-IDS_vserver
Add content inspection policy for inspection
After you create a Content Inspection action, you must add the Content Inspection policy to evaluate requests for service.
At the command prompt, type the following:
add contentInspection policy <policy_name> -rule <Rule> -action <action_name>
Example:
add contentInspection policy IDS_pol1 -rule true -action IDS_action
Add content switching or load balancing virtual server of type HTTP/SSL
Add a content switching or load balancing virtual server to accept web traffic. You must also enable the layer 2 connection on the virtual server.
For more information about load balancing, refer to the How load balancing works topic.
At the command prompt, type:
add lb vserver <name> <serviceType> <IPAddress> <port>
Example:
add lb vserver http_vserver HTTP 1.1.1.1 8080
Bind Content Inspection policy to load balancing virtual server of type HTTP/SSL
You must bind the content switching or load balancing virtual server of type HTTP/SSL to the Content Inspection policy.
At the command prompt, type the following:
bind lb vserver <vserver_name> -policyName <policy_name> -priority <priority> -type REQUEST
Example:
bind lb vserver http_vserver -policyName IDS_pol1 -priority 100 -type REQUEST
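The objects created in scenarios 1 and 2 form a chain (feature, profile, service, virtual server, action, policy, policy binding), and a gap anywhere in that chain silently stops mirroring while the IDS simply reports nothing. The following Python script is an added example, not Citrix code or part of this documentation: it parses an ns.conf-style excerpt modelled on the scenario 2 commands (a constructed sample using documentation-range IP addresses) and reports the missing links a reviewer would look for. The `-egressInterface` spelling of the layer 2 alternative and all object names in the sample are assumptions.

```python
import shlex

# Constructed ns.conf-style excerpt following the Scenario 2 commands in this article
# (documentation-range IPs). IDS_profile2 deliberately lacks -ipTunnel so the check fires.
SAMPLE_CONFIG = """
enable ns feature contentInspection LoadBalancing
add contentInspection profile IDS_profile1 -type MIRROR -ipTunnel ipsect_tunnel1
add contentInspection profile IDS_profile2 -type MIRROR
add service IDS_service1 192.0.2.11 ANY 80 -contentInspectionProfileName IDS_profile1 -healthMonitor OFF -usip ON -useproxyport OFF
add service IDS_service2 192.0.2.12 ANY 80 -contentInspectionProfileName IDS_profile2 -healthMonitor OFF -usip ON -useproxyport OFF
add lb vserver lb-IDS_vserver ANY 10.0.0.5 *
bind lb vserver lb-IDS_vserver IDS_service1
bind lb vserver lb-IDS_vserver IDS_service2
add contentInspection action IDS_action -type MIRROR -serverName lb-IDS_vserver
add contentInspection policy IDS_pol1 -rule true -action IDS_action
add lb vserver http_vserver HTTP 198.51.100.10 8080
bind lb vserver http_vserver -policyName IDS_pol1 -priority 100 -type REQUEST
"""


def parse_line(line):
    """Split one CLI line into positional tokens and an {option: value} dict (options lower-cased)."""
    tokens = shlex.split(line)
    positional, opts, i = [], {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and len(tok) > 1:
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            opts[tok[1:].lower()] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            positional.append(tok)
            i += 1
    return positional, opts


def load_config(text):
    """Index the configuration by object kind: each entry maps an object name to its options."""
    cfg = {k: {} for k in ("profiles", "services", "vservers", "bindings", "actions", "policies", "policy_bindings")}
    cfg["features"] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        pos, opts = parse_line(line)
        head = tuple(t.lower() for t in pos[:3])
        if head == ("enable", "ns", "feature"):
            cfg["features"].update(t.lower() for t in pos[3:])
        elif head == ("add", "contentinspection", "profile"):
            cfg["profiles"][pos[3]] = opts
        elif head[:2] == ("add", "service"):  # add service <name> <ip> <type> <port>
            cfg["services"][pos[2]] = {"ip": pos[3], "type": pos[4].upper(), **opts}
        elif head == ("add", "lb", "vserver"):  # add lb vserver <name> <type> <ip> <port>
            cfg["vservers"][pos[3]] = pos[4].upper()
        elif head == ("bind", "lb", "vserver") and "policyname" in opts:
            cfg["policy_bindings"][opts["policyname"]] = pos[3]
        elif head == ("bind", "lb", "vserver"):  # bind lb vserver <vserver> <service>
            cfg["bindings"].setdefault(pos[3], set()).add(pos[4])
        elif head == ("add", "contentinspection", "action"):
            cfg["actions"][pos[3]] = opts
        elif head == ("add", "contentinspection", "policy"):
            cfg["policies"][pos[3]] = opts
    return cfg


def audit(cfg):
    """Return human-readable findings; an empty list means the mirror path is complete."""
    findings = []
    for feat in ("contentinspection", "loadbalancing"):
        if feat not in cfg["features"]:
            findings.append(f"feature {feat} is not enabled")
    for name, p in cfg["profiles"].items():
        if str(p.get("type", "")).upper() != "MIRROR":
            findings.append(f"profile {name}: IDS profile type must be MIRROR, got {p.get('type')}")
        # layer 3 needs -ipTunnel; the layer 2 alternative is assumed here to be spelled -egressInterface
        if "iptunnel" not in p and "egressinterface" not in p:
            findings.append(f"profile {name}: no -ipTunnel (layer 3) or egress interface (layer 2) configured")
    for name, s in cfg["services"].items():
        prof = s.get("contentinspectionprofilename")
        if not prof:
            continue  # ordinary back-end service, not an IDS service
        if prof not in cfg["profiles"]:
            findings.append(f"service {name}: content inspection profile {prof} does not exist")
        if s["type"] != "ANY":
            findings.append(f"service {name}: IDS service must be type ANY, got {s['type']}")
        if str(s.get("usip", "")).upper() != "ON":
            findings.append(f"service {name}: -usip ON missing; the IDS would see the appliance SNIP, not the client IP")
    for name, a in cfg["actions"].items():
        target = a.get("servername")
        if target not in cfg["services"] and target not in cfg["vservers"]:
            findings.append(f"action {name}: serverName {target} is neither a service nor a virtual server")
        elif target in cfg["vservers"] and not cfg["bindings"].get(target):
            findings.append(f"action {name}: virtual server {target} has no IDS services bound")
    for name, pol in cfg["policies"].items():
        if name not in cfg["policy_bindings"]:
            findings.append(f"policy {name}: not bound to any virtual server, so no traffic is mirrored")
        elif cfg["vservers"].get(cfg["policy_bindings"][name]) not in ("HTTP", "SSL"):
            findings.append(f"policy {name}: bound to a virtual server that is not of type HTTP/SSL")
    return findings
```

Run `audit(load_config(SAMPLE_CONFIG))` against the sample and the only finding is the profile with no tunnel; paste the relevant `show ns runningConfig` lines in place of the sample to check a live appliance. The checks mirror the requirements stated in this article (MIRROR profile, ANY service, tunnel for layer 3, policy bound to an HTTP/SSL virtual server), plus the `-usip ON` requirement from the service template, which matters because an IDS alerting on the appliance's SNIP instead of the real client address makes its logs far less useful.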
Configure IDS integration using the Citrix ADC GUI
- Navigate to Security > Content Inspection > ContentInspection Profiles.
- In the ContentInspection Profile page, click Add.
- In the Create ContentInspectionProfile page, set the following parameters.
- Profile Name. Name of the content inspection profile for IDS.
- Type. Select the profile type as MIRROR.
- Connectivity. Layer 2 or Layer 3 interface.
- IP Tunnel. Select the network communication channel between the two networks.
- Click Create.
- Navigate to Traffic Management > Load Balancing > Services and click Add.
- In the Load Balancing Service page, enter the content inspection service details.
- In the Advanced Settings section, click Profiles.
- Go to the Profiles section and click the Pencil icon to add the content inspection profile.
- Click OK.
- Navigate to Traffic Management > Load Balancing > Virtual Servers. Add a virtual server of type HTTP or SSL.
- After entering the server details, click OK and again OK.
- In the Advanced Settings section, click Policies.
- Go to the Policies section and click the Pencil icon to configure the content inspection policy.
- On the Choose Policy page, select Content Inspection. Click Continue.
- In the Policy Binding section, click “+” to add a Content Inspection policy.
- In the Create CI Policy page, enter a name for the IDS content inspection policy.
- In the Action field, click the “+” sign to create an IDS content inspection action of type MIRROR.
- In the Create CI Action page, set the following parameters.
- Name. Name of the content inspection action.
- Type. Select the type as MIRROR.
- Server Name. Select the service or virtual server that represents the IDS devices.
- If Server Down. Select an operation if the server goes down.
- Request Time-out. Select a time-out value. Default values can be used.
- Request Time-out Action. Select a time-out action. Default values can be used.
- Click Create.
- In the Create CI Policy page, enter other details.
- Click OK and Close.
For information about the Citrix ADC GUI configuration for load balancing and replicating the traffic to IDS devices, see Load Balancing.
For information about the Citrix ADC GUI configuration for load balancing and forwarding the traffic to the back-end origin server after content transformation, see Load Balancing.