Post on 07-Oct-2020

Page 1: Citrix NetScaler Best Practices...Web Application Firewall L4-7 ACL DDoS Protections Rewrite + Responder SSL VPN NetScaler Gateway AAA TM-Auth. & SSO SAML 2.0 & Kerberos Availability

Claudio Mascaro

Senior Systems Engineer

BCD-Sintrag AG

Citrix NetScaler Best Practices

Page 2

© 2014 Citrix

Agenda

• Deployment

• Initial Configuration

• Load Balancing

• NS Wizards, Unified GW, AAA Feature

• SSL

Page 3

NetScaler

[Diagram: NetScaler (VIP) between clients and backend servers S1-S3 / applications A1-A3, with CG, CB, IaaS, SaaS gateway and AD; protocols shown: FTP, SQL, HTTP/HTTPS, DNS, TCP/UDP]

Acceleration

• TCP Offload
• HTTP Compression
• Caching (HTTP, SQL)
• TCP Optimization
• Rate Limiting
• SSL Offload
• Surge Protection
• Web 2.0 Push

Security

• Web Application Firewall
• L4-7 ACL
• DDoS Protections
• Rewrite + Responder
• SSL VPN
• NetScaler Gateway
• AAA TM-Auth. & SSO
• SAML 2.0 & Kerberos

Availability

• Server Load Balancing (IPv4+IPv6)
• Layer 7 Content Switching
• Advanced Health Check
• GSLB
• Traffic Domains & PBR
• Dyn. Routing, VLAN, LACP
• HTTP Callout
• CloudBridge
• DataStream

Platforms

• VPX
• MPX & SDX
• XenServer, VMware, Hyper-V
• 10, 200, 1G, 3G
• Editions: Standard, Enterprise and Platinum, Express, Developer

Management

• CLI/GUI/SNMP/Syslog
• API: XML, NITRO, SOAP, REST
• AppFlow
• Command Center
• Web Logging (NSWL)
• Inbox Monitoring/Reporting
• Action Analytics
• NetScaler Insight Center
• Visualizer
• ACE Migration Tool

Page 4

Deployment

Page 5

NetScaler Deployment

One-Arm Mode

Minimum 3 IPs (standalone)

• 1x NetScaler IP (NSIP)

• 1x Subnet IP (SNIP)

• 1x Virtual IP (VIP)

+ 1x NSIP in high-availability mode

Two-Arm Mode

Minimum 4 IPs (standalone)

• 1x NetScaler IP (NSIP)

• 2x Subnet IP (SNIP, one per network)

• 1x Virtual IP (VIP)

STATIC ROUTES to the backend servers !!!

+ 1x NSIP in high-availability mode

Page 6

NetScaler High Availability

Both NetScalers like identical twins!

• VPX – VPX or MPX – MPX

• Same MPX hardware

• Same platform license

• Same firmware version

• Same interfaces and same patch level

They run in active/passive mode
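The IP plan from slide 5 and the twin-node rule from slide 6, as an added NetScaler CLI example that is not part of the original deck: a two-arm standalone node with NSIP, one SNIP per attached network, a static route to a backend network that is not directly attached, and the commands that join two such nodes into an HA pair. All addresses, host names and the RPC password are placeholders; the management ACL on the NSIP is an addition beyond what the slides show.

```text
# Added example, not the deck's own configuration. Placeholder addressing:
#   NSIP node 1 10.0.0.11, NSIP node 2 10.0.0.12 (management network 10.0.0.0/24)
#   front-end SNIP 10.0.1.11 (client-facing VLAN), back-end SNIP 10.0.2.11 (server VLAN)

# --- NSIP: set once per node at first boot, and a host name for the license/HA view ---
set ns config -IPAddress 10.0.0.11 -netmask 255.255.255.0
set ns hostName ns01

# --- Two-arm mode: one SNIP per directly attached network, no management on SNIPs ---
add ns ip 10.0.1.11 255.255.255.0 -type SNIP -mgmtAccess DISABLED
add ns ip 10.0.2.11 255.255.255.0 -type SNIP -mgmtAccess DISABLED

# --- Routing: default route towards the clients, plus an explicit static route for every
#     backend network that is NOT directly attached (the slide's "STATIC ROUTES" point) ---
add route 0.0.0.0 0.0.0.0 10.0.1.1
add route 10.0.3.0 255.255.255.0 10.0.2.1

# --- Management plane: only the admin network may reach the NSIP (peer NSIP is inside the range) ---
add ns acl acl_mgmt_allow ALLOW -srcIP 10.0.0.0-10.0.0.255 -destIP 10.0.0.11 -priority 10
add ns acl acl_mgmt_deny DENY -destIP 10.0.0.11 -priority 20
apply ns acls

# --- HA pair: run on node 1; node 2 runs the mirror image ("add HA node 1 10.0.0.11") ---
add HA node 1 10.0.0.12
# Encrypt and authenticate the HA sync/propagation channel between the two NSIPs
set ns rpcNode 10.0.0.11 -password "ChangeMeRpc!" -secure YES
set ns rpcNode 10.0.0.12 -password "ChangeMeRpc!" -secure YES
# Fail-safe keeps one node primary even if both fail their health checks
set HA node -failSafe ON
save ns config
```

Before adding the HA node, confirm with `show ns version` and `show license` on both boxes that firmware, edition and interface set really match; HA sync will otherwise fail or, worse, propagate a configuration the secondary cannot run.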

Page 7

Initial Configuration

Page 8

Configuration

Page 9

Licensing

License server host for:

NetScaler Standard, Enterprise, Platinum, option licenses

License server host for:

NetScaler Gateway & Universal License

License log file for troubleshooting:

/var/log/license.log

Page 10

System Settings

https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-data-sheet.pdf

NetScaler Gateway License

SSLVPN Universal License

NetScaler Standard License

NetScaler Enterprise Lic.

NetScaler Platinum Lic.

Page 11

Version

1. Download firmware

2. Backup

3. Disable HA

4. Upload firmware

5. Update

Page 12

NetScaler Architecture

2 separate TCP sessions!

• Client to Virtual IP

• Subnet IP to backend server

Page 13

Load Balancing

Page 14

Load Balancing and Entities

Page 15

Load Balancing vServer, Services, Servers

[Diagram: steps 1-3; the NetScaler must be open through the firewall to the backend (from the Subnet IP)]

Page 16

Load Balancing vServer

All access from the NetScaler to backend servers should be load balanced.

• DNS server

• AD / RADIUS server

• Citrix Webinterface

• Citrix Storefront

• Citrix Datacollector

• Citrix Delivery Controller

• Citrix XenMobile

• Citrix ShareFile

• Microsoft Exchange Server

• Etc.

Page 17

Load Balancing Monitors

Selection
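Slide 16's rule (every backend the NetScaler talks to goes through an LB vServer) combined with slide 17's monitor selection, as an added NetScaler CLI example that is not from the deck: StoreFront, Active Directory over LDAPS and DNS each get a vServer with a protocol-aware monitor instead of a plain TCP check, so a backend that answers on the port but is broken at the application layer is taken out of rotation. Names, addresses and the monitor account are placeholders.

```text
# Added example, not the deck's own configuration. Placeholder addressing:
#   StoreFront 10.0.2.21/22, domain controllers 10.0.2.10/11, internal VIPs 10.0.1.30/31

# ---- StoreFront over HTTPS with a content-verifying monitor ----
add server srv_sf1 10.0.2.21
add server srv_sf2 10.0.2.22
# HTTP-ECV speaks TLS to the backend (-secure YES) and checks the response body, not just the handshake
add lb monitor mon_sf HTTP-ECV -send "GET /Citrix/StoreWeb/" -recv "Citrix" -secure YES -LRTM ENABLED
add serviceGroup sg_sf SSL
bind serviceGroup sg_sf srv_sf1 443
bind serviceGroup sg_sf srv_sf2 443
bind serviceGroup sg_sf -monitorName mon_sf
# Internal VIP; cookie persistence keeps a browser session on one StoreFront node.
# (An SSL vServer stays DOWN until a certificate is bound to it.)
add lb vserver lb_vs_sf SSL 10.0.1.30 443 -persistenceType COOKIEINSERT -lbMethod LEASTCONNECTION
bind lb vserver lb_vs_sf sg_sf

# ---- Active Directory over LDAPS (636), used later by Gateway and AAA vServers ----
add server srv_dc1 10.0.2.10
add server srv_dc2 10.0.2.11
# The LDAP monitor binds with a low-privilege account and runs a query; a DC that accepts
# TCP 636 but cannot bind is marked DOWN, which a TCP monitor would never notice.
add lb monitor mon_ldaps LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -secure YES -baseDN "dc=example,dc=com" -bindDN "svc_nsmon@example.com" -password "ChangeMeMon!" -filter "cn=builtin"
add service svc_dc1_ldaps srv_dc1 TCP 636
add service svc_dc2_ldaps srv_dc2 TCP 636
bind service svc_dc1_ldaps -monitorName mon_ldaps
bind service svc_dc2_ldaps -monitorName mon_ldaps
# TLS is passed through to the DC; source-IP persistence keeps an auth conversation on one DC
add lb vserver lb_vs_ldaps TCP 10.0.1.31 636 -persistenceType SOURCEIP -timeout 30
bind lb vserver lb_vs_ldaps svc_dc1_ldaps
bind lb vserver lb_vs_ldaps svc_dc2_ldaps

# ---- DNS: the monitor sends a real query and checks the answer ----
add lb monitor mon_dns DNS -query storefront.example.com -queryType Address -IPAddress 10.0.1.30
add service svc_dc1_dns srv_dc1 DNS 53
add service svc_dc2_dns srv_dc2 DNS 53
bind service svc_dc1_dns -monitorName mon_dns
bind service svc_dc2_dns -monitorName mon_dns
# Non-addressable vServer (0.0.0.0 0): reachable only from the NetScaler itself
add lb vserver lb_vs_dns DNS 0.0.0.0 0
bind lb vserver lb_vs_dns svc_dc1_dns
bind lb vserver lb_vs_dns svc_dc2_dns
# Let the NetScaler resolve through the load-balanced vServer instead of a single DC
add dns nameServer lb_vs_dns
```

Check the result with `show lb vserver lb_vs_ldaps` and `show service svc_dc1_ldaps`: the service state and the "Last response" line of the monitor tell you whether the probe bound successfully or only reached the port.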

Page 18

HTTP to HTTPS Redirection with Responder Policy

If the connection is not SSL

Redirect expression to HTTPS
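The redirect described on this slide as an added NetScaler CLI example (not the deck's own configuration). VIP, names and the hostname are placeholders; the always-up dummy service is the usual way to keep an HTTP vServer that has no real backends in the UP state so that its responder policy is evaluated at all.

```text
# Added example, not the deck's own configuration. Placeholder VIP 203.0.113.10.

# Plain-HTTP listener on the same VIP as the HTTPS vServer. A vServer with no UP service is DOWN
# and never evaluates policies, so bind a loopback service with health monitoring switched off.
add service svc_alwaysup 127.0.0.1 HTTP 80 -healthMonitor NO
add lb vserver lb_vs_web_http HTTP 203.0.113.10 80
bind lb vserver lb_vs_web_http svc_alwaysup

# Responder action: 301 to https:// + original host + original path and query.
# HTTP.REQ.HOSTNAME.SERVER drops any ":port"; HTTP_URL_SAFE re-encodes characters that are
# unsafe inside a Location header. (-responseStatusCode defaults to 302 when omitted.)
add responder action rs_act_to_https redirect "\"https://\" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE" -responseStatusCode 301

# Policy: fire whenever the client connection is not TLS, exactly the condition on the slide
add responder policy rs_pol_to_https "CLIENT.SSL.IS_SSL.NOT" rs_act_to_https
bind lb vserver lb_vs_web_http -policyName rs_pol_to_https -priority 100 -gotoPriorityExpression END -type REQUEST

# Caveat: the Host header is attacker-controlled, so the action above reflects whatever name the
# client sent. If the redirect must only ever land on your own site, hard-code the host instead:
#   add responder action rs_act_to_https_fixed redirect "\"https://www.example.com\" + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE"
```

Verify with `curl -I http://203.0.113.10/path?x=1` (placeholder VIP): the answer should be a 301 whose Location header carries the same path and query on https.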

Page 19

Load Balancing Visualizer

Page 20

Certificates

Server certificate with private key

Intermediate and root CA certificates

Cert links !!

Page 21

NetScaler Wizards, Unified Gateway, AAA Feature

Page 22

NetScaler Wizards

Wizards

Page 23

XenMobile Wizard

The wizard creates:

• 3x LB vServer

• 1x GW vServer

• 3x session policies

• Authentication server

Mobile App Mgmt. (MAM): internal access from the GW session policy

Mobile Device Mgmt. (MDM): external access

Gateway vServer (MAM): external access

Page 24

Unified Gateway

One IP for several kinds of access

• Exchange 2013

• Citrix Insight

• Datanow

• NetScaler Gateway

• Etc.

Page 25

1 IP for 4 or more different backend LB vServers

Exchange 2013

Datanow Webserver

Insight Webserver

NetScaler GW

Loadbalanced vServer

Page 26

The content switching action points to the LB vServer & NetScaler Gateway

Page 27

The expression defines where the request goes…

Outlook Web Access

Outlook Anywhere

NetScaler Gateway

Page 28

AAA Feature (e.g. NetScaler as TMG replacement for Exchange 2013)

Page 29

User – NS – CSW – LB – AAA – LB – Exchange Server

[Diagram, steps 1-9: request to https://Mail.domain.com; AD authentication via the AAA vServer (step 7: True); step 9: publish mail content from the Exchange 2013 backend server]
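The single-IP content-switching layout of slides 25 to 27 and the AAA-TM flow of slides 28 and 29 in one added NetScaler CLI example that is not from the deck: one public VIP switches by URL path and hostname to non-addressable LB vServers for OWA and Outlook Anywhere and to a non-addressable Gateway vServer, and the OWA vServer is pre-authenticated on an AAA vServer against Active Directory over LDAPS. All names, addresses, hostnames and credentials are placeholders; the LDAPS VIP (10.0.1.31) is assumed to exist, and certificates must be bound to the CS, AAA and Gateway vServers separately (see the SSL section).

```text
# Added example, not the deck's own configuration. Placeholders:
#   public VIP 203.0.113.20, Exchange CAS 10.0.2.31/32, LDAPS VIP 10.0.1.31,
#   names mail.example.com (OWA / Outlook Anywhere), aaa.example.com (logon page), gateway.example.com

# ---- Backend LB vServers, non-addressable (0.0.0.0 0): reachable only through the CS vServer ----
add server srv_exch1 10.0.2.31
add server srv_exch2 10.0.2.32
add lb monitor mon_owa HTTP-ECV -send "GET /owa/healthcheck.htm" -recv "200 OK" -secure YES
add serviceGroup sg_exch_https SSL
bind serviceGroup sg_exch_https srv_exch1 443
bind serviceGroup sg_exch_https srv_exch2 443
bind serviceGroup sg_exch_https -monitorName mon_owa
add lb vserver lb_vs_owa SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 120
bind lb vserver lb_vs_owa sg_exch_https
add lb vserver lb_vs_rpc SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 120
bind lb vserver lb_vs_rpc sg_exch_https
# NetScaler Gateway vServer, also non-addressable behind the CS vServer
add vpn vserver vpn_vs_gw SSL 0.0.0.0 0

# ---- AAA-TM: authentication vServer with an LDAPS policy (credentials never go to Exchange unverified) ----
add authentication vserver aaa_vs_mail SSL 0.0.0.0
add authentication ldapAction ldap_act_ad -serverIP 10.0.1.31 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "svc_nsauth@example.com" -ldapBindDnPassword "ChangeMeAuth!" -ldapLoginName sAMAccountName -ssoNameAttribute userPrincipalName -groupAttrName memberOf -subAttributeName cn
add authentication ldapPolicy ldap_pol_ad ns_true ldap_act_ad
bind authentication vserver aaa_vs_mail -policy ldap_pol_ad -priority 100

# Unauthenticated requests to OWA are redirected to the logon host; authenticated ones get SSO.
# The 401-based SSO below assumes the OWA virtual directory uses Basic (or Windows) authentication;
# forms-based OWA would need a tm formSSOAction instead, which is not shown here.
set lb vserver lb_vs_owa -authentication ON -authenticationHost aaa.example.com -authnVsName aaa_vs_mail
add tm trafficAction tm_act_owa_sso -SSO ON -persistentCookie OFF
add tm trafficPolicy tm_pol_owa_sso "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/owa\")" tm_act_owa_sso
bind lb vserver lb_vs_owa -policyName tm_pol_owa_sso -priority 100 -gotoPriorityExpression END -type REQUEST
# Outlook Anywhere clients authenticate themselves (no browser logon form), so lb_vs_rpc stays without AAA.

# ---- Content switching: one public VIP, expressions decide the target ----
add cs vserver cs_vs_mail SSL 203.0.113.20 443
add cs action cs_act_owa -targetLBVserver lb_vs_owa
add cs action cs_act_rpc -targetLBVserver lb_vs_rpc
add cs action cs_act_aaa -targetVserver aaa_vs_mail
add cs action cs_act_gw  -targetVserver vpn_vs_gw
add cs policy cs_pol_owa -rule "HTTP.REQ.HOSTNAME.SERVER.EQ(\"mail.example.com\") && HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/owa\")" -action cs_act_owa
add cs policy cs_pol_rpc -rule "HTTP.REQ.HOSTNAME.SERVER.EQ(\"mail.example.com\") && (HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/rpc\") || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/mapi\"))" -action cs_act_rpc
add cs policy cs_pol_aaa -rule "HTTP.REQ.HOSTNAME.SERVER.EQ(\"aaa.example.com\")" -action cs_act_aaa
add cs policy cs_pol_gw  -rule "HTTP.REQ.HOSTNAME.SERVER.EQ(\"gateway.example.com\")" -action cs_act_gw
bind cs vserver cs_vs_mail -policyName cs_pol_owa -priority 100
bind cs vserver cs_vs_mail -policyName cs_pol_rpc -priority 110
bind cs vserver cs_vs_mail -policyName cs_pol_aaa -priority 120
bind cs vserver cs_vs_mail -policyName cs_pol_gw  -priority 130
# No default LB vServer is bound: a request matching none of the rules is refused instead of
# being forwarded to Exchange, so paths like /ecp or /autodiscover stay closed until published deliberately.
```

The certificate on cs_vs_mail has to cover all three hostnames (a SAN or wildcard certificate), because the client only ever sees the one VIP; the non-addressable vServers behind it need a certificate bound as well, but its name is never checked by the client.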

Page 30

SSL

Page 31

SSL A-Rating Configuration

Page 32

SSL Renegotiation

Page 33

vServer SSL Settings

With NS 11.0, TLSv1.1 and TLSv1.2 are also available on VPX

Page 34

SSL Rating A
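The certificate chain with cert links from slide 20 and the vServer SSL settings of slides 31 to 34 in one added NetScaler CLI example that is not from the deck: chain linking, protocol selection, a forward-secrecy-first cipher group, the ECC curves ECDHE needs, and the renegotiation setting. File names, the vServer name and the exact cipher list are assumptions (cipher names use NetScaler's own naming); the HSTS header at the end goes beyond the slides, since it is what SSL Labs wants for A+ rather than A.

```text
# Added example, not the deck's own configuration. lb_vs_web is assumed to be an existing SSL vServer.

# ---- Certificates: server cert + key, intermediate, root; link them so the full chain is sent ----
add ssl certKey ck_www -cert /nsconfig/ssl/www.example.com.crt -key /nsconfig/ssl/www.example.com.key -password
add ssl certKey ck_int -cert /nsconfig/ssl/intermediate-ca.crt
add ssl certKey ck_root -cert /nsconfig/ssl/root-ca.crt
link ssl certKey ck_www ck_int
link ssl certKey ck_int ck_root
bind ssl vserver lb_vs_web -certkeyName ck_www

# ---- Protocols: SSLv2/SSLv3 off (POODLE), TLS 1.0 off where the client base allows it ----
set ssl vserver lb_vs_web -ssl2 DISABLED -ssl3 DISABLED -tls1 DISABLED -tls11 ENABLED -tls12 ENABLED

# ---- Ciphers: ECDHE (forward secrecy) first, AES-GCM before CBC, no RC4/3DES/export ----
add ssl cipher cg_a_rating
bind ssl cipher cg_a_rating -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher cg_a_rating -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 2
bind ssl cipher cg_a_rating -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 3
bind ssl cipher cg_a_rating -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 -cipherPriority 4
bind ssl cipher cg_a_rating -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 5
bind ssl cipher cg_a_rating -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 6
bind ssl cipher cg_a_rating -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 7
bind ssl cipher cg_a_rating -cipherName TLS1-AES-128-CBC-SHA -cipherPriority 8
# Replace the DEFAULT group (which still carries weak ciphers) with ours
unbind ssl vserver lb_vs_web -cipherName DEFAULT
bind ssl vserver lb_vs_web -cipherName cg_a_rating
# ECDHE only works with at least one curve bound
bind ssl vserver lb_vs_web -eccCurveName P_256
bind ssl vserver lb_vs_web -eccCurveName P_384

# ---- Renegotiation (global): refuse client-initiated renegotiation without RFC 5746 support ----
set ssl parameter -denySSLReneg NONSECURE

# ---- Beyond the slides: HSTS response header, needed for A+ rather than A ----
add rewrite action rw_act_hsts insert_http_header Strict-Transport-Security "\"max-age=31536000\""
add rewrite policy rw_pol_hsts "true" rw_act_hsts
bind lb vserver lb_vs_web -policyName rw_pol_hsts -priority 100 -gotoPriorityExpression END -type RESPONSE

save ns config
```

Which of these ciphers a given box accepts depends on platform and firmware (the slide notes TLS 1.1/1.2 only reached VPX with 11.0, and ECDHE/GCM support on VPX arrived later than on MPX), so run `show ssl cipher cg_a_rating` and `show ssl vserver lb_vs_web` after binding and drop any entry the platform rejected; then re-test the VIP with an external scanner, since a chain that is missing its link shows up there as "incomplete chain" even though the vServer is UP.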

Page 35

Thank you