Specifications

VM-Series Deployment Guide 43
Set Up a VM-Series Firewall on the Citrix SDX Server
Secure East-West Traffic with the VM-Series Firewall
When the VM-Series firewall is deployed (this example uses Layer 3 interfaces), traffic flows as follows:
All incoming requests are authenticated, and the SSL connection is terminated, on the first instance of the
NetScaler VPX. For content that resides in the DMZ, the NetScaler VPX initiates a new connection to the
server to fetch the requested content. Note that north-south traffic destined for the corporate datacenter
or for the servers in the DMZ is handled by the edge firewall, not by the VM-Series firewall.
For example, when a user (source IP 1.1.1.1) requests content from a server in the DMZ, the destination
IP is 20.5.5.1 (the VIP of the NetScaler VPX). The NetScaler VPX then replaces the destination IP address
with the address of the internal server selected for that protocol, say 192.168.10.10. The return traffic from
the server goes back to the NetScaler VPX at 20.5.5.1, which forwards it to the user at 1.1.1.1.
All requests between the DMZ servers and the corporate datacenter are processed by the VM-Series
firewall. For content that resides in the corporate datacenter, the request is transparently processed (if
the firewall is deployed with Layer 2 or virtual wire interfaces) or routed (with Layer 3 interfaces) by the
VM-Series firewall, which then hands it off to the second instance of the NetScaler VPX. This instance of
the NetScaler VPX load balances the request across the servers in the corporate datacenter, which service
the request. The return traffic uses the same path as the incoming request.
For example, when a server in the DMZ (say 192.168.10.10) needs content from a server in the corporate
datacenter (say 172.16.10.20), the destination IP address is 172.168.10.3 (the VIP on the second NetScaler
VPX). The request is sent to the VM-Series firewall at 192.168.10.2, which performs a policy lookup and
routes the request to 172.168.10.3. Because the firewall sees the VIP, not the backend server, as the
destination, its security policy for this flow is written against the VIP address. The second NetScaler VPX
replaces the destination IP address,
Topology After Adding the VM-Series Firewall
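The following toy model traces the two flows described above: the north-south request that never touches the VM-Series, and the east-west request that is policy-checked by the firewall and then DNATed by the second NetScaler VPX. It is an added example, not code from the VM-Series Deployment Guide, Palo Alto Networks or Citrix. The addresses are the guide's; the zone names (`dmz`, `corp`), the /24 boundaries, the second backend server 172.16.10.21 and the default-deny rulebase are assumptions made here for illustration.

```python
"""Toy model of the Citrix SDX east-west flow (added example, not vendor code).

Assumptions not taken from the guide: zone names, /24 route boundaries,
backend 172.16.10.21 and a rulebase that allows DMZ -> corporate only via the VIP.
"""
import ipaddress
from dataclasses import dataclass
from itertools import cycle

# Routing table of the VM-Series firewall (Layer 3 interfaces). The zone of the
# egress route is what the policy lookup uses as the "to" zone. Subnets assumed.
ROUTES = {
    ipaddress.ip_network("192.168.10.0/24"): "dmz",
    ipaddress.ip_network("172.16.10.0/24"): "corp",
    ipaddress.ip_network("172.168.10.0/24"): "corp",  # second NetScaler VIP, as printed in the guide
}
FW_DMZ_ADDRESS = "192.168.10.2"                 # firewall address the DMZ sends to (guide)
CORP_VIP = "172.168.10.3"                       # VIP on the second NetScaler VPX (guide)
CORP_POOL = ["172.16.10.20", "172.16.10.21"]    # .20 from the guide, .21 assumed


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    destinations: frozenset
    action: str


# Assumed rulebase: the DMZ may reach the corporate datacenter only through the
# load-balancer VIP, never the backend servers directly. Unmatched traffic is denied.
RULEBASE = [
    Rule("dmz-to-corp-vip", "dmz", "corp", frozenset({CORP_VIP}), "allow"),
]


def zone_of(ip: str):
    """Route lookup: return the zone whose route covers ip, or None if off-path."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ROUTES.items():
        if addr in net:
            return zone
    return None


def policy_lookup(src: str, dst: str) -> str:
    """Return the name of the first matching allow rule, or 'implicit-deny'."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in RULEBASE:
        if (rule.from_zone, rule.to_zone) == (src_zone, dst_zone) and dst in rule.destinations:
            return rule.name
    return "implicit-deny"


class NetScalerVip:
    """Second NetScaler VPX: rewrites the VIP to a pool member (round robin)."""

    def __init__(self, vip: str, pool):
        self.vip = vip
        self._pool = cycle(pool)

    def dnat(self, dst: str) -> str:
        return next(self._pool) if dst == self.vip else dst


CORP_NETSCALER = NetScalerVip(CORP_VIP, CORP_POOL)


def forward(src: str, dst: str) -> dict:
    """Trace one request hop by hop and report the firewall's verdict."""
    if zone_of(src) is None or zone_of(dst) is None:
        # e.g. 1.1.1.1 -> 20.5.5.1: north-south, handled by the edge firewall only.
        return {"path": ["edge-firewall"], "verdict": "not-on-vm-series-path", "final_dst": dst}
    rule = policy_lookup(src, dst)
    if rule == "implicit-deny":
        return {"path": [FW_DMZ_ADDRESS], "verdict": "deny", "rule": rule, "final_dst": None}
    backend = CORP_NETSCALER.dnat(dst)  # DNAT happens after the firewall, so policy saw the VIP
    return {"path": [FW_DMZ_ADDRESS, CORP_VIP, backend], "verdict": "allow", "rule": rule,
            "final_dst": backend}


if __name__ == "__main__":
    for src, dst in [("192.168.10.10", CORP_VIP), ("192.168.10.10", "172.16.10.20"), ("1.1.1.1", "20.5.5.1")]:
        print(src, "->", dst, forward(src, dst))
```

The model has no session table: on the real firewall the return traffic from the corporate server matches the existing session rather than a separate corporate-to-DMZ rule, which is why the rulebase above contains none. The denied second case (a DMZ host addressing 172.16.10.20 directly) is the check worth keeping when the real policy is written: since the firewall only ever sees the VIP as the destination for legitimate east-west requests, a rule that permits the backend subnet is broader than the design needs.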