
Multiple-Firewall Environment

In a multiple-firewall environment, the Citrix ADC appliance is placed between two sets of firewalls, the external set connecting to the public Internet, and the internal set connecting to the internal private network. The external set typically handles the egress traffic. These firewalls mainly implement access control lists to allow or deny access to external resources. The internal set typically handles the ingress traffic. These firewalls implement security to safeguard the intranet from malicious attacks apart from load-balancing the ingress traffic. The multiple-firewall environment allows you to load-balance traffic coming from another firewall. By default, the traffic coming from a firewall is not load balanced on the other firewall across a Citrix ADC appliance. Having firewall load balancing enabled on both the sides of the Citrix ADC appliance improves the traffic flow in both the egress and ingress direction and ensures faster processing of the traffic.

The following figure shows a multiple-firewall load balancing environment.

Figure 1. Firewall Load Balancing (multiple-firewall)


With a configuration like the one shown in Figure 1, you can configure the Citrix ADC to load balance the traffic through an internal firewall even if it is load balanced by an external firewall. For example, with this feature configured, the traffic coming from the external firewalls (firewalls 1, 2, and 3) is load balanced on the internal firewalls (firewalls 4, 5, and 6) and conversely.

Firewall load balancing is supported only for a load balancing virtual server in MAC mode.

The service type ANY configures the Citrix ADC to accept all traffic.

To avail benefits related to HTTP and TCP, configure the service and virtual server with type HTTP or TCP. For FTP to work, configure the service with type FTP.

Configuring the Citrix ADC in a Multiple-Firewall Environment

To configure a Citrix ADC appliance in a multiple-firewall environment, you need to:

  1. Enable the load balancing feature.
  2. Configure a virtual server to load balance the egress traffic across the external firewalls.
  3. Configure a virtual server to load balance the ingress traffic across the internal firewalls.
  4. Enable firewall load balancing on the Citrix ADC appliance.

To configure a virtual server to load balance traffic across a firewall in the multiple-firewall environment, you need to:

  1. Configure a wildcard service for each firewall
  2. Configure a monitor for each wildcard service
  3. Configure a wildcard virtual server to load balance the traffic sent to the firewalls
  4. Configure the virtual server in MAC rewrite mode
  5. Bind firewall services to the wildcard virtual server

Enabling the load balancing feature

To configure and implement load balancing entities such as services and virtual servers, you need to enable the load balancing feature on the Citrix ADC device.

To enable load balancing by using the CLI:

At the command prompt, type the following commands to enable load balancing and verify the configuration:

enable ns feature <featureName>
show ns feature

Example:

enable ns feature LoadBalancing
 Done
show ns feature

        Feature                        Acronym              Status
        -------                        -------              ------
 1)     Web Logging                    WL                   OFF
 2)     Surge Protection               SP                   ON
 3)     Load Balancing                 LB                   ON
 .
 .
 .
 24)    NetScaler Push                 push                 OFF
 Done

To enable load balancing by using the GUI:

  1. In the navigation pane, expand System, and then click Settings.
  2. In the Settings pane, under Modes and Features, click Change basic features.
  3. In the Configure Basic Features dialog box, select the Load Balancing check box, and then click OK.

Configuring a wildcard service for each firewall

To accept traffic from all the protocols, you need to configure a wildcard service for each firewall by specifying support for all the protocols and ports.

To configure a wildcard service for each firewall by using the CLI:

At the command prompt, type the following command to configure support for all the protocols and ports:

add service <name>@ <serverName>@ <serviceType> <port>

Example:

add service fw-svc1 10.102.29.5 ANY * 

To configure a wildcard service for each firewall by using the GUI:

  1. Navigate to Traffic Management > Load Balancing > Services.

  2. In the details pane, click Add.

  3. In the Create Services dialog box, specify values for the following parameters as shown:

    • Service name*
    • Server name*

    * A required parameter

  4. In Protocol, select Any, and in Port, select *.

  5. Click Create, and then click Close. The service you created appears in the Services pane.

Configuring a monitor for each service

A PING monitor is bound to the service by default. Configure a transparent monitor to monitor hosts on the trusted side through individual firewalls. You can then bind the transparent monitor to services. The default PING monitor checks connectivity only between the Citrix ADC appliance and the upstream device. The transparent monitor checks every device in the path from the appliance to the device that owns the destination IP address specified in the monitor. If a transparent monitor is not configured and the status of the firewall is UP but one of the next-hop devices beyond that firewall is down, the appliance still includes the firewall when performing load balancing and forwards the packet to it. However, the packet is not delivered to the final destination because one of the next-hop devices is down. With a transparent monitor bound, if any of the devices in the path (including the firewall) is down, the service is marked as DOWN and the firewall is excluded when the appliance performs firewall load balancing.

Binding a transparent monitor overrides the PING monitor. To configure a PING monitor in addition to a transparent monitor, after you create and bind a transparent monitor, you need to bind a PING monitor to the service.

To configure a transparent monitor by using the CLI:

At the command prompt, type the following commands to configure a transparent monitor and verify the configuration:

add lb monitor <monitorName> <type> [-destIP <ip>] [-transparent (YES | NO)]
bind lb monitor <monitorName> <serviceName>

Example:

add monitor monitor-HTTP-1 HTTP -destip 10.10.10.11 -transparent YES
bind monitor monitor-HTTP-1 fw-svc1

The Citrix ADC appliance learns the server's L2 parameters from the monitor that is bound to the service. For UDP-ECV monitors, configure a receive string so that the appliance can learn the L2 parameters of the server. If no receive string is configured and the server does not respond, the appliance does not learn the L2 parameters, but the service is still set to UP. Traffic for this service is then blackholed.

To configure a receive string by using the CLI:

At the command prompt, type:

add lb monitor <monitorName> <type> [-destIP <ip>] [-transparent (YES | NO)] [-send <string>] [-recv <string>]

Example:

add lb monitor monitor-udp-1 udp-ecv -destip 10.10.10.11 -transparent YES -send "test message" -recv "site_is_up"

To create and bind a transparent monitor by using the GUI:

  1. Navigate to Traffic Management > Load Balancing > Monitors.

  2. In the details pane, click Add.

  3. In the Create Monitor dialog box, specify values for the following parameters as shown:

    • Name*
    • Type*
    • Destination IP
    • Transparent

    * A required parameter

  4. Click Create, and then click Close.

In the Monitors pane, select the monitor that you configured and verify that the settings displayed at the bottom of the screen are correct.

Configuring a virtual server to load balance the traffic sent to the firewalls

To load balance any kind of traffic, you need to configure a wildcard virtual server specifying the protocol and port as any value.

To configure a virtual server to load balance the traffic sent to the firewalls by using the CLI:

At the command prompt, type:

add lb vserver <name>@ <serviceType> <IPAddress>@ <port>

Example:

add lb vserver Vserver-LB-1 ANY * * 

To configure a virtual server to load balance the traffic sent to the firewalls by using the GUI:

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. In the details pane, click Add.
  3. In Protocol, select Any, and in IP Address and Port, select *.
  4. Click Create, and then click Close. The virtual server you created appears in the Load Balancing Virtual Servers pane.

Configuring the virtual server in MAC rewrite mode

To configure the virtual server to use the MAC address for forwarding the incoming traffic, you need to enable the MAC rewrite mode.

To configure the virtual server in MAC rewrite mode by using the CLI:

At the command prompt, type:

set lb vserver <name>@ -m <redirectionMode>

Example:

set lb vserver Vserver-LB-1 -m MAC 

To configure the virtual server in MAC rewrite mode by using the GUI:

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. In the details pane, select the virtual server for which you want to configure the redirection mode (for example, Vserver-LB-1), and then click Open.
  3. On the Advanced tab, under Redirection Mode, click Open.
  4. Click OK.

Binding firewall services to the virtual server

To access a service on the Citrix ADC appliance, you need to bind it to a wildcard virtual server.

To bind firewall services to the virtual server by using the CLI:

At the command prompt, type:

bind lb vserver <name>@ <serviceName>

Example:

bind lb vserver Vserver-LB-1 Service-HTTP-1 

To bind firewall services to the virtual server by using the GUI:

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. In the details pane, select the virtual server to which you want to bind the services (for example, Vserver-LB-1), and then click Open.
  3. In the Configure Virtual Server (Load Balancing) dialog box, on the Services tab, select the Active check box next to the service that you want to bind to the virtual server (for example, Service-HTTP-1).
  4. Click OK.

Configuring multiple-firewall load balancing on the Citrix ADC appliance

To load balance traffic on both sides of a Citrix ADC appliance by using firewall load balancing, you need to enable multiple-firewall load balancing by using the vServerSpecificMac parameter.

To configure multiple-firewall load balancing by using the CLI:

At the command prompt, type:

set lb parameter -vServerSpecificMac (ENABLED | DISABLED)

Example:

set lb parameter -vServerSpecificMac ENABLED 

To configure multiple-firewall load balancing by using the GUI:

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. In the details pane, click Configure Load Balancing parameters.
  3. In the Set Load Balancing Parameters dialog box, select the Virtual Server Specific MAC check box.
  4. Click OK.
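The procedure above, rendered end to end as an added example (not Citrix's own code or tooling): a Python script that emits the CLI for both firewall sets and lints it for the pitfalls the procedure names (virtual server not in MAC mode, service without a transparent monitor, UDP-ECV monitor without a receive string, vServerSpecificMac not enabled). Object names, firewall IPs and probe targets are constructed placeholders.

```python
"""Render and lint the CLI for a Citrix ADC multiple-firewall LB setup.
Added example, not from the Citrix documentation. Object names, firewall
IPs and probe targets are constructed placeholders."""
import shlex


def render(vserver, firewalls, probe_ip, mon_type="HTTP", recv=None):
    """CLI lines for one side (egress or ingress) in the procedure's order."""
    mon = f"mon-{vserver}"
    lines = [f"add lb vserver {vserver} ANY * *",
             f"set lb vserver {vserver} -m MAC",
             f"add lb monitor {mon} {mon_type} -destIP {probe_ip} -transparent YES"
             + (f' -send "probe" -recv "{recv}"' if recv else "")]
    for svc, ip in firewalls.items():  # one wildcard service per firewall
        lines += [f"add service {svc} {ip} ANY *",
                  f"bind lb monitor {mon} {svc}",
                  f"bind lb vserver {vserver} {svc}"]
    return lines


def lint(lines):
    """Flag the failure modes the procedure warns about, from the CLI lines alone."""
    mac, transparent, bound, issues = set(), set(), {}, []
    for t in map(shlex.split, lines):
        if t[:3] == ["set", "lb", "vserver"] and t[-2:] == ["-m", "MAC"]:
            mac.add(t[3])
        elif t[:3] == ["add", "lb", "monitor"]:
            if "-transparent" in t and t[t.index("-transparent") + 1] == "YES":
                transparent.add(t[3])
            if t[4].upper() == "UDP-ECV" and "-recv" not in t:
                issues.append(f"{t[3]}: UDP-ECV monitor without -recv; L2 never learned, traffic is blackholed")
        elif t[:3] == ["bind", "lb", "monitor"]:
            bound.setdefault(t[4], set()).add(t[3])  # service -> monitors bound to it
    for t in map(shlex.split, lines):
        if t[:3] == ["add", "lb", "vserver"] and t[3] not in mac:
            issues.append(f"{t[3]}: vserver not in MAC mode; firewall LB requires -m MAC")
        if t[:2] == ["add", "service"] and not bound.get(t[2], set()) & transparent:
            issues.append(f"{t[2]}: no transparent monitor; a dead next hop behind the firewall goes undetected")
    if "set lb parameter -vServerSpecificMac ENABLED" not in lines:
        issues.append("vServerSpecificMac not ENABLED; traffic from one firewall set is not load balanced on the other")
    return issues


if __name__ == "__main__":
    egress = render("fw-ext-vip", {"fw-ext-svc1": "10.102.29.5", "fw-ext-svc2": "10.102.29.9"}, "10.10.10.11")
    ingress = render("fw-int-vip", {"fw-int-svc1": "192.0.2.5"}, "198.51.100.11", "UDP-ECV", "site_is_up")
    config = ["enable ns feature LoadBalancing", *egress, *ingress, "set lb parameter -vServerSpecificMac ENABLED"]
    print("\n".join(config), lint(config), sep="\n")  # lint returns [] for this config
```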

Saving and Verifying the Configuration

When you have finished the configuration tasks, be sure to save the configuration. You can also check that the settings are correct.

To save and verify the configuration by using the CLI:

At the command prompt, type the following commands to save and verify the configuration:

save ns config
show vserver

Example:

save config
 Done
show lb vserver FWLBVIP2
        FWLBVIP2 (*:*) - ANY    Type: ADDRESS
        State: UP
        Last state change was at Mon Jun 14 07:22:54 2010
        Time since last state change: 0 days, 00:00:32.760
        Effective State: UP
        Client Idle Timeout: 120 sec
        Down state flush: ENABLED
        Disable Primary Vserver On Down : DISABLED
        No. of Bound Services :  2 (Total)       2 (Active)
        Configured Method: LEASTCONNECTION
        Current Method: Round Robin, Reason: A new service is bound
        Mode: MAC
        Persistence: NONE
        Connection Failover: DISABLED

1) fw-int-svc1 (10.102.29.5: *) - ANY   State: UP   Weight: 1
2) fw-int-svc2 (10.102.29.9: *) - ANY   State: UP   Weight: 1
 Done
show service fw-int-svc1
        fw-int-svc1 (10.102.29.5:*) - ANY
        State: DOWN
        Last state change was at Thu Jul  8 14:44:51 2010
        Time since last state change: 0 days, 00:01:50.240
        Server Name: 10.102.29.5
        Server ID : 0   Monitor Threshold : 0
        Max Conn: 0     Max Req: 0      Max Bandwidth: 0 kbits
        Use Source IP: NO
        Client Keepalive(CKA): NO
        Access Down Service: NO
        TCP Buffering(TCPB): NO
        HTTP Compression(CMP): NO
        Idle timeout: Client: 120 sec   Server: 120 sec
        Client IP: DISABLED
        Cacheable: NO
        SC: OFF
        SP: OFF
        Down state flush: ENABLED

1)      Monitor Name: monitor-HTTP-1
                State: DOWN     Weight: 1
                Probes: 9       Failed [Total: 9 Current: 9]
                Last response: Failure - Time out during TCP connection establishment stage
                Response Time: 2000.0 millisec
2)      Monitor Name: ping
                State: UP       Weight: 1
                Probes: 3       Failed [Total: 0 Current: 0]
                Last response: Success - ICMP echo reply received.
                Response Time: 1.275 millisec
 Done
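The service output above shows the case the transparent-monitor section describes: the PING monitor is UP (the firewall answers) while the transparent HTTP probe is DOWN (something beyond the firewall is not), so the service is correctly DOWN. As an added example (not Citrix's code), this Python script parses such `show service` text and separates "firewall down" from "firewall up, path behind it down"; SAMPLE is constructed text in the layout of the output above, not a real capture.

```python
"""Parse `show service` output and explain why a firewall service is DOWN.
Added example, not from the Citrix documentation; SAMPLE is constructed text
in the layout of the page's example output, not a real capture."""
import re

SAMPLE = """\
fw-int-svc1 (10.102.29.5:*) - ANY State: DOWN
        1) Monitor Name: monitor-HTTP-1
                State: DOWN Weight: 1
                Last response: Failure - Time out during TCP connection establishment stage
        2) Monitor Name: ping
                State: UP Weight: 1
                Last response: Success - ICMP echo reply received.
 Done
fw-int-svc2 (10.102.29.9:*) - ANY State: UP
        1) Monitor Name: monitor-HTTP-1
                State: UP Weight: 1
                Last response: Success - HTTP response code 200 received.
 Done
"""
# Service header line, then each monitor's name, state and last response within the block.
SVC_RE = re.compile(r"^(?P<name>\S+) \((?P<ip>[\d.]+):\*\) - \S+\s+State: (?P<state>\w+)", re.M)
MON_RE = re.compile(r"Monitor Name: (?P<mon>\S+)\s+State: (?P<state>\w+).*?Last response: (?P<resp>[^\n]+)", re.S)


def parse_services(text):
    """Return {service: {ip, state, monitors: {monitor: (state, last response)}}}."""
    heads = list(SVC_RE.finditer(text))
    out = {}
    for i, m in enumerate(heads):  # each service block runs until the next service header
        body = text[m.end():heads[i + 1].start() if i + 1 < len(heads) else len(text)]
        out[m["name"]] = {"ip": m["ip"], "state": m["state"],
                          "monitors": {x["mon"]: (x["state"], x["resp"].strip()) for x in MON_RE.finditer(body)}}
    return out


def diagnose(services):
    """Use the ping/transparent monitor pair to say where the path is broken."""
    findings = {}
    for name, s in services.items():
        ping = s["monitors"].get("ping", ("UNKNOWN", ""))[0]
        failed = [m for m, (st, _) in s["monitors"].items() if m != "ping" and st == "DOWN"]
        if s["state"] == "UP":
            verdict = "path to the trusted side is healthy"
        elif ping == "UP" and failed:
            verdict = f"firewall {s['ip']} answers ICMP but transparent probe {failed[0]} failed: a next hop behind it is down"
        else:
            verdict = f"firewall {s['ip']} itself is unreachable or has no ping monitor"
        findings[name] = verdict
    return findings
```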

To save and verify the configuration by using the GUI:

  1. In the details pane, click Save.
  2. In the Save Config dialog box, click Yes.
  3. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  4. In the details pane, select the virtual server that you created in step 5, and verify that the settings displayed in the Details pane are correct.
  5. Navigate to Traffic Management > Load Balancing > Services.
  6. In the details pane, select the service that you created in step 5, and verify that the settings displayed in the Details pane are correct.

Monitoring a Firewall Load Balancing Setup in a Multiple-Firewall Environment

After the configuration is up and running, you can view the statistics for each service and virtual server to check for possible problems.

Viewing the Statistics of a Virtual Server

To evaluate the performance of virtual servers or to troubleshoot problems, you can display details of the virtual servers configured on the Citrix ADC appliance. You can display a summary of statistics for all the virtual servers, or you can specify the name of a virtual server to display the statistics only for that virtual server. You can display the following details:

  • Name
  • IP address
  • Port
  • Protocol
  • State of the virtual server
  • Rate of requests received
  • Rate of hits

To display virtual server statistics by using the command line interface

To display a summary of the statistics for all the virtual servers currently configured on the Citrix ADC appliance, or for a single virtual server, at the command prompt, type:

stat lb vserver [-detail] [<name>]

Example:

> stat lb vserver -detail

Virtual Server(s) Summary
                      vsvrIP          port   Protocol   State   Req/s   Hits/s
One                   *               80     HTTP       UP      5/s     0/s
Two                   *               0      TCP        DOWN    0/s     0/s
Three                 *               2598   TCP        DOWN    0/s     0/s
dnsVirtualNS          10.102.29.90    53     DNS        DOWN    0/s     0/s
BRVSERV               10.10.1.1       80     HTTP       DOWN    0/s     0/s
LBVIP                 10.102.29.66    80     HTTP       UP      0/s     0/s
 Done

To display virtual server statistics by using the GUI:

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers > Statistics.
  2. If you want to display the statistics for only one virtual server, in the details pane, select the virtual server, and click Statistics.

Viewing the Statistics of a Service

You can view the rate of requests, responses, request bytes, response bytes, current client connections, requests in the surge queue, current server connections, and so forth using the service statistics.

To view the statistics of a service by using the CLI:

At the command prompt, type:

stat service <name>

Example:

stat service Service-HTTP-1 

To view the statistics of a service by using the GUI:

  1. Navigate to Traffic Management > Load Balancing > Services > Statistics.
  2. If you want to display the statistics for only one service, select the service, and click Statistics.