Information
This article provides examples of different port configurations with the NetScaler Gateway.
| Secure Gateway Single DMZ | A NetScaler Gateway configuration that involves a Single DMZ accessing Web Interface, the Secure Ticketing Authority (STA) and Presentation Server over ports 1494 and 2598 using Common Gateway Protocol (CGP). |
| Secure Gateway Double Hop DMZ Deployment 1 | Portal Page Authentication OFF Single NetScaler Gateway in each DMZ |
| Secure Gateway Double Hop DMZ Deployment 2 | Portal Page Authentication ON; Single NetScaler Gateway in each DMZ |
| Secure Gateway Double Hop DMZ Deployment 3 | Portal Page Authentication OFF; Multiple NetScaler Gateways in second DMZ |
| Secure Gateway Double Hop DMZ Deployment 4 | Portal Page Authentication ON; Multiple NetScaler Gateways in Second DMZ |
NetScaler Gateway: Secure Gateway Single DMZ
The preceding diagram shows an example of a NetScaler Gateway configuration that involves a Single DMZ accessing Web Interface, the Secure Ticketing Authority (STA) and Presentation Server over ports 1494 and 2598 using Common Gateway Protocol (CGP).
Notes:
Firewall 1 DMZ (port 443) - Internet user through NetScaler Gateway
Firewall 2 Internal Network (ports 80, 443, 1494, and 2598) - Web Interface, STA XML Service, and Presentation Server
Port 1494 for ICA, port 2598 for CGP
Back to top
The following list explains the flow of the diagram:
The user points the browser to https://
. NetScaler Gateway retrieves the Web Interface logon page.
NetScaler Gateway returns the Web Interface logon page to the user.
The user enters credentials into the Web Interface authentication form and clicks log in.
NetScaler Gateway forwards the HTTP-POST credentials to Web Interface.
Web Interface takes the credentials and negotiates with the XML Service.
The XML Service returns the list of applications to the Web Interface page.
Web Interface constructs the appropriate page and responds to NetScaler Gateway.
NetScaler Gateway returns the resultant page to the user.
用户单击应用程序,并启动Presentation Server Client.
NetScaler Gateway receives an STA ticket from the Presentation Server Client to validate.
NetScaler Gateway presents the STA ticket to the STA server.
The STA server responds to the request.
If the STA authorizes the ticket, NetScaler Gateway consults the ICA Access Control List (ACL) to validate whether the incoming ICA connection conforms with the listed ACLs.
NetScaler Gateway: Secure Gateway Double Hop DMZ Deployment 1 – Portal Page Authentication OFF Single NetScaler Gateway in each DMZ
Notes:
Firewall 1 DMZ1
Firewall 2 DMZ2
Firewall 3 Internal Network
NetScaler Gateway 1 can access Web Interface and NetScaler Gateway 2 directly. NetScaler Gateway 2 can access the STA and Presentation Server directly.
Port 1080 for SOCKS protocol
Back to top
The following list explains the flow of the diagram:
The user points the browser at https://
. NetScaler Gateway 1 retrieves the Web Interface logon page.
NetScaler Gateway 1 returns the Web Interface logon page to the user.
The user enters credentials into the Web Interface authentication form and clicks log in.
NetScaler Gateway 1 forwards the HTTP-POST credentials to Web Interface.
Web Interface takes the credentials and negotiates with the XML Service.
The XML Service returns the list of applications to Web Interface.
Web Interface constructs the appropriate page and responds to NetScaler Gateway 1.
NetScaler Gateway 1 returns the resultant page to the user.
The user clicks an application, then launches the Presentation Server Client.
NetScaler Gateway 1 receives an STA ticket from the Presentation Server Client to validate.
NetScaler Gateway 1 proxies through NetScaler Gateway2 to reach the STA server.
The STA server responds to the request.
NetScaler Gateway 2 forwards the response to NetScaler Gateway 1.
If the STA authorizes the request, NetScaler Gateway 1 consults the ICA ACL list to validate whether the incoming ICA connection conforms with the listed ACLs.
- Firewall 1: Open port 443 (SSL port) for the end user browser and Presentation Server Client to communicate with NetScaler Gateway 1.
- Firewall 2:打开端口80或443取决于Web Interface is listening for insecure traffic or secure traffic. Open port 1080 or 443 depending on whether the communication channel between NetScaler Gateway 1 and NetScaler Gateway 2 is SOCKS or SOCKS over SSL.
- Firewall 3: Open port 80 or 443 depending on whether the XML Service is listening for insecure or secure traffic. Open port 1494 or 2598 or both for ICA/CGP traffic between NetScaler Gateway 2 and the Presentation Server.
Note: Ports are always configurable. The preceding are based on the default protocol port numbers.
NetScaler Gateway: Secure Gateway Double Hop DMZ Deployment 2 – Portal Page Authentication ON; Single NetScaler Gateway in each DMZ
Notes:
NetScaler Gateway 1 can access Web Interface, the Authentication, Authorization, and Accounting (AAA) server and NetScaler Gateway 2 directly. NetScaler Gateway 2 can access the STA and Presentation Server directly.
The user is authenticated by the AAA server and then redirected to Web Interface. Web Interface might ask for logon authentication again.
Back to top
The following list explains the flow of the diagram:
The user points the browser to https://
. NetScaler Gateway 1 gathers credentials from the user and validates them against the authentication server.
If the authentication is acceptable, NetScaler Gateway 1 logs the user on to Web Interface using Single Sign-on (SSO).
Web Interface takes the credentials and negotiates with the XML Service.
The XML Service returns a list of applications to Web Interface.
Web Interface constructs the appropriate page and responds to NetScaler Gateway 1.
NetScaler Gateway 1 returns the resultant page to the user.
The user clicks an application, then launches the Presentation Server Client.
NetScaler Gateway 1 receives an STA ticket from the Presentation Server Client to validate.
NetScaler Gateway 1 proxies through NetScaler Gateway 2 to reach the STA server.
The STA server responds.
NetScaler Gateway 2 forwards the response to NetScaler Gateway 1.
If the STA authorizes the request, NetScaler Gateway 1 consults its ICA ACL list to validate whether the incoming ICA connection conforms to the listed ACLs.
- Firewall 1: Open port 443 (SSL port) for the end user browser and Presentation Server Client to communicate with NetScaler Gateway 1.
- Firewall 2:打开端口80或443取决于Web Interface is listening for insecure traffic or secure traffic. Open port 1080 or 443 depending on whether the communication channel between NetScaler Gateway 1 and NetScaler Gateway 2 is SOCKS or SOCKS over SSL. Open port used for portal page authentication (for example,1812 for RADIUS).
- Firewall 3: Open port 80 or 443 depending on whether the XML Service is listening for insecure or secure traffic. Open port 1494 or 2598 or both for ICA/CGP traffic between NetScaler Gateway 2 and the Presentation Server.
Note: Ports are always configurable. The preceding are based on the default protocol port numbers.
NetScaler Gateway: Secure Gateway Double Hop DMZ Deployment 3 – Portal Page Authentication OFF; Multiple NetScaler Gateways in second DMZ
Notes:
- NetScaler Gateway 1 can access Web Interface and NetScaler Gateway 2 directly. NetScaler Gateway 2 can access STA and Presentation Server directly.
- Configure a Load Balancing virtual server in NetScaler Gateway 1 and point the next hop to this Load Balancing virtual server. SOCKS handshake occurs inside NetScaler Gateway 1.
The following list explains the flow of the diagram:
The user points the browser at https://
. NetScaler Gateway 1 retrieves the Web Interface logon page.
NetScaler Gateway 1 returns the Web Interface logon page to the user.
The user enters credentials into the Web Interface authentication form and clicks Log in.
NetScaler Gateway 1 forwards the HTTP-POST credentials to Web Interface.
Web Interface takes the credentials and negotiates with the XML Service.
The XML Service returns the list of applications to Web Interface.
Web Interface constructs the appropriate page and responds to NetScaler Gateway 1.
NetScaler Gateway 1 returns the resultant page to the user.
The user clicks an application, then launches the Presentation Server Client.
NetScaler Gateway 1 receives an STA ticket from the Presentation Server Client to validate.
NetScaler Gateway 1 decides (based on round-robin algorithm) which NetScaler Gateway Proxy it will use and proxies through that appliance to reach the STA server.
The STA server responds.
The appropriate NetScaler Gateway Proxy forwards the response to NetScaler Gateway 1.
If the STA authorizes the request, NetScaler Gateway 1 consults its ICA ACL list to validate whether the incoming ICA connection conforms to the listed ACLs
- Firewall 1: Open port 443 (SSL port) for the end user browser and the Presentation Server Client to communicate with NetScaler Gateway 1.
- Firewall 2:打开端口80或443取决于Web Interface is listening for insecure traffic or secure traffic. Open port 1080 or 443 depending on whether the communication channel between NetScaler Gateway 1 and the NetScaler Gateway proxies is SOCKS or SOCKS over SSL.
- Firewall 3: Open port 80 or 443 depending on whether the XML Service is listening for insecure or secure traffic. Open port 1494 or 2598 or both for ICA/CGP traffic between the NetScaler Gateway proxies and the server running Presentation Server.
Note: Ports are always configurable. The above is based on the default protocol port numbers.
NetScaler Gateway: Secure Gateway Double Hop DMZ Deployment 4 – Portal Page Authentication ON; Multiple NetScaler Gateways in Second DMZ
Notes:
NetScaler Gateway 1 can access Web Interface, the AAA server, and NetScaler Gateway 2 directly. NetScaler Gateway 2 can access the STA and Presentation Server directly.
The user is authenticated by the AAA server and then redirected to Web Interface. Web Interface might ask for logon authentication again.
Back to top
The following list explains the flow of the diagram:
The user points the browser at https://
. NetScaler Gateway 1 gathers credentials from the user and validates them against the authentication server.
If authentication is acceptable, NetScaler Gateway 1 signs the user on to Web Interface using SSO.
Web Interface takes the credentials and negotiates with the XML Service.
The XML Service returns a list of applications to Web Interface.
Web Interface constructs the appropriate page and responds to NetScaler Gateway 1.
NetScaler Gateway 1 returns the resultant page to the user.
The user clicks an application, then launches the Presentation Server Client.
NetScaler Gateway 1 receives an STA ticket from the Presentation Server Client to validate.
NetScaler Gateway 1 decides (based on round-robin algorithm) which NetScaler Gateway Proxy it will use and proxies through that appliance to reach the STA server.
The STA server responds.
The appropriate NetScaler Gateway Proxy forwards the response to NetScaler Gateway 1.
If the STA authorizes the request, NetScaler Gateway 1 consults its ICA ACL list to validate whether the incoming ICA connection conforms to the listed ACLs.
- Firewall 1: Open port 443 (SSL port) for the end user browser and Presentation Server Client to communicate with NetScaler Gateway 1.
- Firewall 2:打开端口80或443取决于Web Interface is listening for insecure traffic or secure traffic. Open port 1080 or 443 depending on whether the communication channel between NetScaler Gateway 1 and the NetScaler Gateway proxies is SOCKS or SOCKS over SSL. Open the port used for portal page authentication (for example,1812 for RADIUS).
- Firewall 3: Open port 80 or 443 depending on whether the XML Service is listening for insecure or secure traffic. Open port 1494 or 2598 or both for ICA/CGP traffic between the NetScaler Gateway proxies and the server running Presentation Server.
Note: Ports are always configurable. The preceding are based on the default protocol port numbers.
Additional Resources
CTX114355 -NetScaler Gateway Configuration of Ports on Firewall
Citrix Documentation -How NetScaler Gateway Uses IP Addresses