NetScaler Application Delivery Management service

Enable data collection for NetScaler Gateway appliances deployed in double-hop mode

The NetScaler Gateway double-hop mode provides extra protection for an organization's internal network because an attacker would need to penetrate multiple security zones or demilitarized zones (DMZs) to reach the servers in the secure network.

As an administrator, using NetScaler ADM, you can analyze:

  • The number of hops (NetScaler Gateway appliances) through which the ICA connections pass

  • The details about the latency on each TCP connection and how it compares with the total ICA latency perceived by the client

The following image indicates that the NetScaler ADM and NetScaler Gateway in the first DMZ are deployed in the same subnet.

(Figure: Double hop deployment)

The NetScaler Gateway in the first DMZ handles user connections and performs the security functions of an SSL VPN. This NetScaler Gateway encrypts user connections, determines how the users are authenticated, and controls access to the servers in the internal network.

The NetScaler Gateway in the second DMZ serves as a NetScaler Gateway proxy device. This NetScaler Gateway enables the ICA traffic to traverse the second DMZ to complete user connections to the server farm.

The NetScaler ADM can be deployed either in the subnet of the NetScaler Gateway appliance in the first DMZ or in the subnet of the NetScaler Gateway appliance in the second DMZ.

In double-hop mode, NetScaler ADM collects TCP records from one appliance and ICA records from the other appliance. After you add the NetScaler Gateway appliances to the NetScaler ADM inventory and enable data collection, each appliance exports its records while keeping track of the hop count and connection chain ID.

For NetScaler ADM to identify which appliance is exporting records, each appliance is assigned a hop count and each connection is assigned a connection chain ID. The hop count represents the number of NetScaler Gateway appliances through which the traffic flows from a client to the servers. The connection chain ID identifies the end-to-end connection between the client and the server.

NetScaler ADM uses the hop count and connection chain ID to correlate the data from both NetScaler Gateway appliances and generate the reports.
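The correlation described above, as an added illustration written for this page (it is not NetScaler ADM's own implementation): constructed TCP records from one appliance and ICA records from the other are joined on the connection chain ID, the per-hop TCP latency is summed and set against the end-to-end ICA latency the client perceives, and two defender-relevant anomalies are surfaced: chains that only one appliance reported (the other hop is not exporting, or connection chaining is off on it) and chains with duplicate ICA records (both appliances exporting ICA). The record layout and field names (chain_id, hop, tcp_rtt_ms, ica_latency_ms) are assumptions; the page does not specify the AppFlow record format.

```python
"""Correlate double-hop AppFlow records by connection chain ID.

Added example for this page; it is not NetScaler ADM's implementation.
The page states only that each appliance tags its records with a hop
count and a connection chain ID and that ADM joins the TCP records from
one appliance with the ICA records from the other, so the record layout
below is constructed and its field names are assumptions.
"""
from collections import Counter, defaultdict

# Constructed sample records (assumed field names).
TCP_RECORDS = [  # from the appliance bound with the OTHERTCP_REQUEST policy
    {"chain_id": "c-1001", "hop": 1, "tcp_rtt_ms": 12},
    {"chain_id": "c-1001", "hop": 2, "tcp_rtt_ms": 30},
    {"chain_id": "c-2002", "hop": 1, "tcp_rtt_ms": 8},
]
ICA_RECORDS = [  # from the appliance bound with the ICA_REQUEST policy
    {"chain_id": "c-1001", "hop": 2, "ica_latency_ms": 55},
    {"chain_id": "c-2002", "hop": 2, "ica_latency_ms": 20},
    {"chain_id": "c-3003", "hop": 2, "ica_latency_ms": 9},  # TCP side never arrived
]


def correlate(tcp_records, ica_records):
    """Join both streams on chain_id.

    Returns chain_id -> summary with the per-hop TCP latencies, their sum,
    the end-to-end ICA latency, the fraction of ICA latency explained by
    TCP transport, and whether both appliances reported the chain.
    """
    tcp_by_chain = defaultdict(dict)
    for rec in tcp_records:
        tcp_by_chain[rec["chain_id"]][rec["hop"]] = rec["tcp_rtt_ms"]
    ica_by_chain = {rec["chain_id"]: rec for rec in ica_records}

    summary = {}
    for chain_id in sorted(set(tcp_by_chain) | set(ica_by_chain)):
        hops = tcp_by_chain.get(chain_id, {})
        ica = ica_by_chain.get(chain_id)
        tcp_total = sum(hops.values())
        ica_latency = ica["ica_latency_ms"] if ica else None
        seen_hops = list(hops) + ([ica["hop"]] if ica else [])
        summary[chain_id] = {
            "hop_count": max(seen_hops, default=0),
            "tcp_latency_by_hop": dict(sorted(hops.items())),
            "tcp_latency_ms": tcp_total,
            "ica_latency_ms": ica_latency,
            "tcp_share": (tcp_total / ica_latency) if ica_latency else None,
            "complete": bool(hops) and ica is not None,
        }
    return summary


def incomplete_chains(summary):
    """Chains reported by only one appliance: a sign that the other hop
    is not exporting, or that connection chaining is not enabled on it."""
    return sorted(cid for cid, s in summary.items() if not s["complete"])


def duplicate_ica_chains(ica_records):
    """Chains with more than one ICA record: what you see when both
    appliances are (wrongly) configured to export ICA records."""
    counts = Counter(rec["chain_id"] for rec in ica_records)
    return sorted(cid for cid, n in counts.items() if n > 1)


if __name__ == "__main__":
    result = correlate(TCP_RECORDS, ICA_RECORDS)
    for cid, s in result.items():
        print(cid, s)
    print("incomplete:", incomplete_chains(result))
    print("duplicate ICA:", duplicate_ica_chains(ICA_RECORDS))
```

A chain that shows up in `incomplete_chains` after data collection has been enabled on both appliances is the quickest sign that one hop is not exporting or that connection chaining is disabled on it; a non-empty `duplicate_ica_chains` means both appliances are bound with an ICA policy and one of them should export TCP records instead.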

To monitor NetScaler Gateway appliances deployed in this mode, you must first add the NetScaler Gateway to NetScaler ADM inventory, enable AppFlow on NetScaler ADM, and then view the reports on the NetScaler ADM dashboard.

Enabling data collection on NetScaler ADM

If you enable NetScaler ADM to start collecting the ICA details from both the appliances, the details collected are redundant. To overcome this situation, you must enable AppFlow for TCP on the first NetScaler Gateway appliance, and then enable AppFlow for ICA on the second appliance. By doing so, one of the appliances exports ICA AppFlow records and the other appliance exports TCP AppFlow records. This also saves the processing time on parsing the ICA traffic.

To enable the AppFlow feature from NetScaler ADM:

  1. Navigate to Infrastructure > Instances, and select the NetScaler instance for which you want to enable analytics.

  2. From the Select Action list, select Configure Analytics.

  3. Select the virtual servers, and click Enable Analytics.

  4. Select Web Insight.

  5. Click OK.

Configure NetScaler Gateway appliances to export data

After you install the NetScaler Gateway appliances, you must configure the following settings on the NetScaler Gateway appliances so that they export records to NetScaler ADM:

  • Configure the virtual servers of the NetScaler Gateway appliances in the first and second DMZ to communicate with each other.

  • Bind the NetScaler Gateway virtual server in the second DMZ to the NetScaler Gateway virtual server in the first DMZ.

  • Enable double hop on the NetScaler Gateway in the second DMZ.

  • Disable authentication on the NetScaler Gateway virtual server in the second DMZ.

  • Enable one of the NetScaler Gateway appliances to export ICA records.

  • Enable the other NetScaler Gateway appliance to export TCP records.

  • Enable connection chaining on both NetScaler Gateway appliances.

Configuring NetScaler Gateway using the command line interface:

  1. Configure the NetScaler Gateway virtual server in the first DMZ to communicate with the NetScaler Gateway virtual server in the second DMZ.

    add vpn nextHopServer <name> <IP> <port> [-secure (ON | OFF)] [-imgGifToPng] …
    add vpn nextHopServer nh1 10.102.2.33 8443 -secure ON

  2. Bind the NetScaler Gateway virtual server in the second DMZ to the NetScaler Gateway virtual server in the first DMZ. Run the following command on the NetScaler Gateway in the first DMZ:

    bind vpn vserver <name> -nextHopServer <nextHopServerName>
    bind vpn vserver vs1 -nextHopServer nh1

  3. Enable double hop and AppFlow on the NetScaler Gateway in the second DMZ.

    set vpn vserver <name> [-doubleHop (ENABLED | DISABLED)] [-appflowLog (ENABLED | DISABLED)]
    set vpn vserver vpnhop2 -doubleHop ENABLED -appFlowLog ENABLED

  4. Disable authentication on the NetScaler Gateway virtual server in the second DMZ.

    set vpn vserver <name> [-authentication (ON | OFF)]
    set vpn vserver vs -authentication OFF

  5. Enable one of the NetScaler Gateway appliances to export TCP records.

    bind vpn vserver <name> -policy <policyName> [-priority <positive_integer>] [-type <type>]
    bind vpn vserver vpn1 -policy appflowpol1 -priority 101 -type OTHERTCP_REQUEST

  6. Enable the other NetScaler Gateway appliance to export ICA records:

    bind vpn vserver <name> -policy <policyName> [-priority <positive_integer>] [-type <type>]
    bind vpn vserver vpn2 -policy appflowpol1 -priority 101 -type ICA_REQUEST

  7. Enable connection chaining on both NetScaler Gateway appliances:

    set appflow param [-connectionChaining (ENABLED | DISABLED)]
    set appflow param -connectionChaining ENABLED
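The CLI procedure above relies on a few invariants that are easy to break when the two appliances are configured separately: exactly one appliance binds an ICA_REQUEST policy and the other an OTHERTCP_REQUEST policy, the second-hop virtual server has doubleHop ENABLED and authentication OFF, the first hop has a next hop server bound, and connection chaining is ENABLED on both. As an added example written for this page (not a Citrix tool and not part of the documentation), the script below parses configuration lines of the form the procedure produces, here constructed as if copied from each appliance's running configuration, and reports which invariants are violated. The appliance and policy names are the page's own; the check names and the `-secure ON` expectation (taken from the page's example command) are this example's assumptions.

```python
"""Audit the double-hop export settings of two NetScaler Gateway appliances.

Added example, not from the NetScaler documentation and not a Citrix tool.
It parses NetScaler CLI lines (constructed below, in the form the page's
procedure produces) and checks the invariants the double-hop export
depends on. Check names and the -secure ON expectation are assumptions.
"""
import shlex

# Constructed running-config excerpts, one per appliance.
FIRST_DMZ = """
add vpn nextHopServer nh1 10.102.2.33 8443 -secure ON
bind vpn vserver vs1 -nextHopServer nh1
bind vpn vserver vs1 -policy appflowpol1 -priority 101 -type OTHERTCP_REQUEST
set appflow param -connectionChaining ENABLED
"""
SECOND_DMZ = """
set vpn vserver vpnhop2 -doubleHop ENABLED -appFlowLog ENABLED
set vpn vserver vpnhop2 -authentication OFF
bind vpn vserver vpnhop2 -policy appflowpol1 -priority 101 -type ICA_REQUEST
set appflow param -connectionChaining ENABLED
"""


def parse_line(line):
    """Split one CLI line into (command tuple, positional args, options).

    The command is the first three tokens, lower-cased; an option is a
    '-name' token followed by its value, or True when it has no value.
    """
    tokens = shlex.split(line)
    cmd = tuple(t.lower() for t in tokens[:3])
    positional, options, i = [], {}, 3
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is None or nxt.startswith("-"):
                options[tok[1:].lower()] = True
            else:
                options[tok[1:].lower()] = nxt
                i += 1
        else:
            positional.append(tok)
        i += 1
    return cmd, positional, options


def summarize(config_text):
    """Reduce one appliance's config to the facts the audit needs."""
    s = {"export_types": set(), "double_hop": False, "auth_off": False,
         "next_hop_secure": False, "next_hop_bound": False,
         "connection_chaining": False}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, _, opts = parse_line(line)
        if cmd == ("add", "vpn", "nexthopserver"):
            s["next_hop_secure"] = str(opts.get("secure", "")).upper() == "ON"
        elif cmd == ("bind", "vpn", "vserver"):
            if "nexthopserver" in opts:
                s["next_hop_bound"] = True
            if "policy" in opts and "type" in opts:
                s["export_types"].add(str(opts["type"]).upper())
        elif cmd == ("set", "vpn", "vserver"):
            if str(opts.get("doublehop", "")).upper() == "ENABLED":
                s["double_hop"] = True
            if str(opts.get("authentication", "")).upper() == "OFF":
                s["auth_off"] = True
        elif cmd == ("set", "appflow", "param"):
            if str(opts.get("connectionchaining", "")).upper() == "ENABLED":
                s["connection_chaining"] = True
    return s


def audit(first_dmz_cfg, second_dmz_cfg):
    """Return a list of findings; an empty list means the pair is consistent."""
    first, second = summarize(first_dmz_cfg), summarize(second_dmz_cfg)
    both = (("first", first), ("second", second))
    findings = []
    if not first["next_hop_bound"]:
        findings.append("first DMZ: no next hop server bound to the VPN virtual server")
    if not first["next_hop_secure"]:
        findings.append("first DMZ: next hop server is not configured with -secure ON")
    if not second["double_hop"]:
        findings.append("second DMZ: -doubleHop is not ENABLED")
    if not second["auth_off"]:
        findings.append("second DMZ: authentication is not OFF")
    for policy_type in ("ICA_REQUEST", "OTHERTCP_REQUEST"):
        n = sum(1 for _, s in both if policy_type in s["export_types"])
        if n != 1:  # 0 = nothing exported, 2 = redundant records in ADM
            findings.append(f"{policy_type} must be bound on exactly one appliance, found {n}")
    for name, s in both:
        if not s["connection_chaining"]:
            findings.append(f"{name} DMZ: connectionChaining is not ENABLED")
    return findings


if __name__ == "__main__":
    print(audit(FIRST_DMZ, SECOND_DMZ) or "double-hop export configuration is consistent")
```

Running `audit` over the two excerpts the page's procedure yields returns no findings; swapping the second appliance's ICA_REQUEST binding for a second OTHERTCP_REQUEST, or leaving authentication ON there, produces one finding per broken invariant, which is the check worth scripting before expecting complete reports in ADM.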

Configuring NetScaler Gateway using the configuration utility:

  1. Configure the NetScaler Gateway in the first DMZ to communicate with the NetScaler Gateway in the second DMZ, and bind the NetScaler Gateway in the second DMZ to the NetScaler Gateway in the first DMZ.

    1. On the Configuration tab, expand NetScaler Gateway and click Virtual Servers.

    2. In the right pane, double-click the virtual server, and in the Advanced group, expand Published Applications.

    3. Click Next Hop Server and bind a next hop server to the second NetScaler Gateway appliance.

  2. Enable double hop on the NetScaler Gateway in the second DMZ.

    1. On the Configuration tab, expand NetScaler Gateway and click Virtual Servers.

    2. In the right pane, double-click the virtual server, and in the Basic Settings group, click the edit icon.

    3. Expand More, select Double Hop, and click OK.

  3. Disable authentication on the virtual server on the NetScaler Gateway in the second DMZ.

    1. On the Configuration tab, expand NetScaler Gateway and click Virtual Servers.

    2. In the right pane, double-click the virtual server, and in the Basic Settings group, click the edit icon.

    3. Expand More, and clear Enable Authentication.

  4. Enable one of the NetScaler Gateway appliances to export TCP records.

    1. On the Configuration tab, expand NetScaler Gateway and click Virtual Servers.

    2. In the right pane, double-click the virtual server, and in the Advanced group, expand Policies.

    3. Click the + icon, then from the Choose Policy list select AppFlow, and from the Choose Type list select Other TCP Request.

    4. Click Continue.

    5. Add a policy binding, and click Close.

  5. Enable the other NetScaler Gateway appliance to export ICA records:

    1. On the Configuration tab, expand NetScaler Gateway and click Virtual Servers.

    2. In the right pane, double-click the virtual server, and in the Advanced group, expand Policies.

    3. Click the + icon, then from the Choose Policy list select AppFlow, and from the Choose Type list select Other TCP Request.

    4. Click Continue.

    5. Add a policy binding, and click Close.

  6. Enable connection chaining on both NetScaler Gateway appliances.

    1. On the Configuration tab, navigate to System > AppFlow.

    2. In the right pane, in the Settings group, click Change AppFlow Settings.

    3. Select Connection Chaining and click OK.
