Citrix NetScaler Architecture

Two-Arm Topologies and Architecture - Configuration Options and Examples:

This initial section focuses on two-arm topologies and architecture. I will do my best to review as many configuration scenarios as possible, though, as you can imagine, there are far more configurations and designs possible, and seen in the real world, than can be covered here.

A Citrix NetScaler topology is described in terms of two separate areas of concern, which are always named together when a specific topology is discussed: the physical configuration and the logical configuration.

The physical configuration is, in most cases, either one-arm or two-arm mode. The logical configuration is either single-subnet or multiple-subnet. The full name of a topology is formed by combining the physical and logical setup used in the specific scenario.

For example, if a network uses a two-arm physical topology and a multiple-subnet logical topology, you would refer to this environment as a "two-arm, multiple-subnet" topology.

  • Physical Networking and Connectivity (One-Arm and Two-Arm Modes)
    • Configuration and presentation of a common two-arm topology (described here)
    • Two network interfaces/connections (two arms) are used for network connectivity (the diagram for this is not included among the images in this article)
      • One network interface (arm one) is connected to the client network
      • The second network interface (arm two) is connected to the backend server network
    • Setting up this type of network may require you to re-cable your hardware and may cause a brief network outage.
      • The downtime needed and the level of difficulty depend on a few variables:
        • Is the directly attached network switch or appliance a Layer 2 or Layer 3 device?
          • Where does routing take place?
          • How are network traffic paths (source to destination) determined?
        • Are you using two separate, isolated physical network connections, or a single physical link trunked (carrying multiple VLANs) to a single connection point?
  • Logical Networking and Connectivity Modes: Single-Subnet (transparent mode) and Multi-Subnet
    • Multi-Subnet configuration and setup:
      • Most commonly used for remote access connectivity
        • The NetScaler appliance is placed in the DMZ (which may use private or public IP addresses)
        • The backend servers and services are located on the private, internal network
        • The NetScaler acts as a reverse proxy, adding a security boundary and brokering connections
    • Single-Subnet (Transparent Mode):
      • Used when both the NetScaler appliance and the backend servers/services reside on the same network

Citrix NetScaler Two-Arm Multiple-Subnet Topologies:

[Image 001] Two-Arm Multi-Subnet Topology (Example #1)

  • Network Example #1 - Two-Arm, Multi-Subnet Topology (shown above)
  • Network diagram example configuration and description
    • Physical
      • Two-Arm Network Topology
    • Logical
      • Multi-Subnet
    • Combined and official term used for this setup
      • Two-Arm Multi-Subnet Topology
  • Two network interfaces/connections (two arms) are used for network connectivity (the diagram for this is not included among the images in this article)
    • One network interface (arm one) is connected to the client network
    • The second network interface (arm two) is connected to the backend server network
  • Additional Information
    • Service network placement
      • The VIP (the service connection point) is located on the public or DMZ network
      • The NSIP and SNIP are both located on the backend server network, which is where the appliance connects to the servers/services
    • The NetScaler appliance is placed inline between the clients and the servers
      • A front-end VIP (the virtual server connection point and IP) is configured to handle the client requests
        • This is the front-end connection point
    • This topology is used when the clients and servers reside on different subnets
      • In most cases the clients are on a public network and the servers on a private network (subnet)
        • External-to-internal connectivity (remote access to private/internal organization resources)
  • Other Interesting Items to Note (Thinking Points)
    • No firewalls or routers are represented in the above network diagram
    • If the SNIP is placed on the same network as the backend servers, traffic from the appliance to the servers does NOT have to pass through another firewall appliance/instance
      • What is the impact on overall security? What are the pros and cons of each placement? Which configuration is recommended?
        • My thoughts would be to have the SNIP on the DMZ network and NOT on the internal private network (?)

[Image 003] Two-Arm Multi-Subnet Topology (Example #2)

Citrix NetScaler Two-Arm Single-Subnet Topologies:

[Image 002] Two-Arm Single-Subnet Topology (Example #3)

  • Network Example #3 - Two-Arm, Single-Subnet (Transparent) Mode Topology (shown above)
  • Network diagram example configuration and description
    • Physical
      • Two-Arm Network Topology
    • Logical
      • Single-Subnet (Transparent)
    • Combined and official term used for this setup
      • Two-Arm, Single-Subnet (Transparent) Mode Topology
  • Two network interfaces/connections (two arms) are used for network connectivity (the diagram for this is not included among the images in this article)
    • One network interface (arm one) is connected to the client network
    • The second network interface (arm two) is connected to the backend server network
  • Additional Information
    • Service network placement
      • Everything is placed on the same single, flat network
        • Clients, the NetScaler, and the backend servers/services
    • In this topology the NetScaler simply acts as a Layer 2 bridging device, bridging traffic from source to destination, where both ends of the connection are addressed on the same network segment.
  • Key reasons, examples and use cases for this network topology
    • Transparent mode should be used if clients need to access the servers directly, with no intervention from a NetScaler virtual server.
      • Notice that in the above network diagram you do NOT see a configured VIP front-end connection point.
    • The backend server/service IP addresses must be on the same network as the connecting client devices.
      • All devices are on the same network (using public or private IP addresses on a single, shared network)
    • The topology still uses a two-arm configuration because there is only a single path that client traffic is allowed to take through the network to reach the destination (the backend servers/services): through the appliance.
  • Other Interesting Items to Note (Thinking Points)
    • No firewalls or routers are depicted in the above network diagram
    • The NetScaler appliance must be placed in Layer 2 bridging mode, which means enabling L2 mode on the appliance.
      • (No routing or other Layer 3 services are provided by the NetScaler appliance in this mode)
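
As an added example (not the article's own configuration), these are the NetScaler CLI commands that put an appliance into the transparent, Layer 2 bridging setup described above; the NSIP address and interface names are constructed assumptions.

```nscli
# Constructed example: clients, appliance and servers all live in 10.1.1.0/24
# (assumed addresses); interface 1/1 faces the client switch and 1/2 faces the
# server switch. Both interfaces stay in the default VLAN 1, so once L2 mode is
# on the appliance bridges frames between the two arms.
# The NSIP takes effect after a reboot.
set ns config -IPAddress 10.1.1.5 -netmask 255.255.255.0

# L2 mode: forward frames whose destination MAC the appliance does not own,
# i.e. act as a bridge between the client arm and the server arm.
enable ns mode L2

# L3 mode (on by default) would let the appliance route between subnets. The
# article states that no Layer 3 services are provided in this topology, so
# turn it off. No VIP is created: clients reach the servers' real addresses.
disable ns mode L3

save ns config

# Verify: L2 should show as enabled and L3 as disabled, and there should be
# no lb vserver entries, which confirms nothing is being proxied.
show ns mode
show lb vserver

# Caveat: with L2 mode on, the two arms must not also be connected to each
# other anywhere else (for example through one upstream switch), or the
# appliance will bridge a loop.
```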

Other Common Scenarios and Best Implementation Method/Approach:

Network Environment Assessment, Questions, and Main Points of Consideration:

  • How is the network set up/configured to allow connectivity between end users and backend services/servers?
  • What kind of network security (technologies and policies) is currently in place?
  • Is the organization using NAT or another kind of firewall that requires configuration to successfully allow network traffic from source to destination and back again?
    • NAT rules, firewall rules
    • Configuration allowing connectivity across network security zones
      • (Most commonly an Outside/Internet, DMZ, and Intranet network/zone configuration)
  • What services and/or applications are going to be published for access?

Example and Scenario #1:

  • The organization wishes to provide access to a specific web service/application to external users on the public Internet.
    • In this example the organization has both a DMZ and an Intranet security zone configured.
    • The company's network team decides to integrate the NetScaler appliance using the following approach and topology.
      • Place one interface in the DMZ and another interface in the Intranet zone (a two-arm setup)
      • A two-arm topology can be implemented in two separate ways.
        • 1 - Using two separate physical network interfaces, one connected to the DMZ and the other to the Intranet.
        • 2 - Using a single physical interface or channel, set up in trunk mode so that multiple VLANs are carried across the single physical link.
        • "Two-arm" really comes down to one question: does the NetScaler appliance hold IP addresses from a single VLAN/network or from more than one? If more than one, the appliance is running in a two-arm configuration.
      • Main advantages of this configuration/topology
        • One of the interfaces is assigned to and placed on the internal network, and the SNIP used to reach the backend servers is assigned to it.
          • This prevents traffic from the SNIP to the backend servers/services from having to traverse the firewall between the DMZ and Intranet networks on every connection.
          • Passing that traffic through the firewall would consume additional resources on the organization's firewall appliance (typically not an issue unless older, legacy hardware is in use). It may also introduce latency, since the firewall has to process each packet, evaluate its rules, and make a forwarding decision.
          • Easier configuration and approach, but...
          • (-) Not as secure, because the firewall is no longer segmenting the source-to-destination path between the appliance and the servers.

Example and Scenario #2:

  • The NetScaler appliance is deployed with addresses on only a single network/VLAN. This is a one-arm topology.
    • In this example the NetScaler appliance is placed in the DMZ network.
    • Routing table entries and firewall rules are in place to allow the NetScaler to reach the backend services/servers.
    • (+) This type of topology emphasizes security.
      • The NetScaler SNIP is placed, along with everything else, on the DMZ network.
      • All traffic from the SNIP to the internal network has to pass through the network firewall that segments the DMZ and Intranet zones.
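
As an added example that is not the article's own configuration, here is the NetScaler CLI for the two-arm, multi-subnet deployment of Scenario #1, with the one-arm alternative of Scenario #2 at the end for comparison. The addresses follow the subnets used in the reader comments (192.168.200.x DMZ, 192.168.20.x and 192.168.10.x internal); the interface names, VLAN id, LDAP server addresses and the second firewall hop are assumptions.

```nscli
# Constructed addressing: 192.168.200.0/24 is the DMZ, 192.168.20.0/24 is the
# LAN arm, 192.168.10.0/24 is a further internal subnet behind the LAN gateway.
# Interface 1/1 (DMZ) and 1/2 (LAN), VLAN 20 and the LDAP server addresses are
# assumptions for this example.

# NSIP in the DMZ; 1/1 stays in the default VLAN with it. Default route to the
# DMZ firewall.
set ns config -IPAddress 192.168.200.5 -netmask 255.255.255.0
add route 0.0.0.0 0.0.0.0 192.168.200.1

# DMZ-side SNIP. Management access is left disabled so the GUI/SSH/API never
# answer on an address that faces the less trusted side.
add ns ip 192.168.200.10 255.255.255.0 -type SNIP -mgmtAccess DISABLED

# Front-end VIP in the DMZ, fronting two LDAP servers on internal subnets.
add lb vserver ldap_vip TCP 192.168.200.50 389
add server ldap1 192.168.20.11
add server ldap2 192.168.10.11
add service svc_ldap1 ldap1 TCP 389
add service svc_ldap2 ldap2 TCP 389
bind lb vserver ldap_vip svc_ldap1
bind lb vserver ldap_vip svc_ldap2

# ---- Scenario #1: second arm on the LAN (two-arm, multi-subnet) ----
# Putting the SNIP subnet in its own VLAN on 1/2 makes 1/2 the LAN arm. For
# the trunked variant, use "bind vlan 20 -ifnum 1/1 -tagged" instead.
add vlan 20
bind vlan 20 -ifnum 1/2
add ns ip 192.168.20.100 255.255.255.0 -type SNIP -mgmtAccess DISABLED
bind vlan 20 -IPAddress 192.168.20.100 255.255.255.0
# Server-side traffic now sources from 192.168.20.100 and bypasses the
# DMZ/intranet firewall. Subnets beyond the LAN are reached through the LAN
# gateway, one route per subnet (the approach described in the comments).
add route 192.168.10.0 255.255.255.0 192.168.20.1

# ---- Scenario #2: one-arm alternative (omit the Scenario #1 lines) ----
# No internal SNIP: server-side traffic sources from 192.168.200.10 and leaves
# via the DMZ arm, so the DMZ/intranet firewall sees and filters every backend
# connection (here 192.168.200.10 -> 192.168.20.11 and 192.168.10.11, TCP 389).
# If that firewall is a different hop from the default gateway (assumed to be
# 192.168.200.2 here), give the internal subnets explicit routes to it:
add route 192.168.20.0 255.255.255.0 192.168.200.2
add route 192.168.10.0 255.255.255.0 192.168.200.2

save ns config
# Verify: both SNIPs should be listed, and "show route" shows the next hop
# the appliance will use for each backend subnet.
show ns ip
show route
```

Read the output of show route against the firewall rule base: whichever SNIP sources the backend traffic is the address the DMZ/intranet firewall has to permit, or, in Scenario #1, the address that never reaches it.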

2 Responses

  1. Hey, great article on the deployment modes for NetScaler. At the moment, I seem to be struggling to get the correct config for my DMZ VPX using the Two-Arm Multi-Subnet (Example #2) Topology. I essentially have the same setup as the topology: a public IP NATs to a VIP in the DMZ. In the DMZ, the VIP, NSIP, SNIP and default gateway are all in the same DMZ subnet (192.168.200.x). I have a 2nd NIC available on the VPX which sits in the 192.168.20.x LAN subnet. I've created a SNIP in the 192.168.20.x subnet (192.168.20.100) and given it the gateway of 192.168.20.1. Just by using the default routes the NetScaler created after enabling the 2nd LAN SNIP, my 'Authentication' pane shows that the LDAP servers I have in 192.168.20.x are up and available. However, the LDAP servers I also have in 192.168.10.x are not. What I'm struggling to grasp is getting to the rest of my servers, which sit in different subnets: 192.168.10.x, 20.x, 30.x etc. Do I need a SNIP in each of those subnets? Thanks
    • In response to Stan: Hi Stan, I achieved this by creating a route on the NetScaler and letting the network do the work, i.e. create a route on your NetScaler for the internal 192.168.10.X subnet with a gateway of 192.168.20.1 (your 2nd leg gateway). As long as your LAN network is able to reach all of the other subnets, then point a route for each one to the same gateway (192.168.20.1). Worked for me. Regards, Gary