VM-Series Deployment Guide
based on protocol, to the internal server IP address 172.168.10.20. The return traffic from 172.168.10.20 is then sent to the NetScaler VPX at 172.168.10.3, which sets the source IP address of the request to its own address (172.168.10.3) and routes it to the VM-Series firewall at 172.168.10.2. On the VM-Series firewall, a policy lookup is again performed and the traffic is routed to the server in the DMZ (192.168.10.10).
For securing north-south traffic, see Secure North-South Traffic with the VM-Series Firewall.
For an overview of the deployments, see Supported Deployments—VM Series Firewall on Citrix SDX.
Because all requests are initiated from the NetScaler VPX, the firewall sees the VPX address rather than the original client address as the source of the traffic. In order to filter and report on user activity on your network, you must enable HTTP Header Insertion or the TCP Option for IP Insertion on the first instance of the NetScaler VPX, so that the original client address is carried to the firewall.
Set up the VM-Series Firewall to Secure East-West Traffic
Step 1 Install the VM-Series Firewall on the SDX Server.
If you plan to deploy the VM-Series firewall using virtual wire or L2 interfaces, make sure to enable L2 Mode on each data interface on the SDX server.
Step 2 Re-cable the interfaces assigned to the NetScaler VPX.
Because the NetScaler VPX reboots when it is recabled, consider performing this task during a maintenance window.
Step 3 Configure the data interfaces.
1. Select Network > Interfaces and assign the interfaces as type Layer3 (see Step 2), Layer2 (see Step 3), or virtual wire (see Step 3).
Step 4 Create a security policy to allow application traffic between the DMZ and the corporate data center.
Zone: DMZ to Corporate
Note that the implicit deny rule (interzone-default) denies all inter-zone traffic except what is explicitly allowed by security policy; traffic that stays within a single zone matches the predefined intrazone-default rule, which allows it unless you override it.
1. Click Add in the Policies > Security section.
2. Give the rule a descriptive name in the General tab.
3. In the Source tab, set the Source Zone to DMZ and the Source Address to 192.168.10.0/24.
4. In the Destination tab, set the Destination Zone to Corporate and the Destination Address to 172.168.10.0/24.
5. In the Application tab, select the applications that you want to allow. For example, Oracle.
6. Set the Service to application-default.
7. In the Actions tab, set the Action Setting to Allow.
8. Leave all the other options at the default values.
9. Click Commit to save your changes.
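The following is an added example, not Palo Alto Networks code and not part of the original guide. It models how PAN-OS evaluates the security rulebase built in Step 4 (top-down, first match, then the predefined intrazone-default and interzone-default rules) and runs the flows described on this page through it offline, so you can see which traffic the single DMZ-to-Corporate rule covers and which traffic falls to the implicit deny. Zone names, address ranges and the Oracle application come from the page; the rule name allow-dmz-to-corp-oracle, the sample flows and the rendered configure-mode set command are assumptions.

```python
"""Offline policy-lookup model for the Step 4 rulebase on this page.

Added example: not Palo Alto Networks code, and it does not talk to a firewall.
Zone names, addresses and the application come from the page; the rule name
'allow-dmz-to-corp-oracle' and the sample flows are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: frozenset      # zone names, or {"any"}
    to_zones: frozenset
    sources: tuple             # CIDR strings, or ("any",)
    destinations: tuple
    applications: frozenset    # App-ID names, or {"any"}
    action: str                # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    app: str


def _zone_match(rule_zones, zone):
    return "any" in rule_zones or zone in rule_zones


def _addr_match(prefixes, ip):
    if "any" in prefixes:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def _rule_match(rule, flow):
    return (_zone_match(rule.from_zones, flow.src_zone)
            and _zone_match(rule.to_zones, flow.dst_zone)
            and _addr_match(rule.sources, flow.src_ip)
            and _addr_match(rule.destinations, flow.dst_ip)
            and ("any" in rule.applications or flow.app in rule.applications))


# The rule built in Step 4: DMZ -> Corporate, Oracle only, application-default service.
STEP4_RULE = Rule(
    name="allow-dmz-to-corp-oracle",            # assumed rule name
    from_zones=frozenset({"DMZ"}),
    to_zones=frozenset({"Corporate"}),
    sources=("192.168.10.0/24",),
    destinations=("172.168.10.0/24",),
    applications=frozenset({"oracle"}),
    action="allow",
)

# PAN-OS predefined rules, consulted only after every explicit rule has missed:
# traffic within one zone is allowed, traffic between zones is denied.
INTRAZONE_DEFAULT = Rule("intrazone-default", frozenset({"any"}), frozenset({"any"}),
                         ("any",), ("any",), frozenset({"any"}), "allow")
INTERZONE_DEFAULT = Rule("interzone-default", frozenset({"any"}), frozenset({"any"}),
                         ("any",), ("any",), frozenset({"any"}), "deny")


def lookup(rulebase, flow):
    """Return the first matching rule, else the default rule for same-zone or cross-zone traffic."""
    for rule in rulebase:
        if _rule_match(rule, flow):
            return rule
    return INTRAZONE_DEFAULT if flow.src_zone == flow.dst_zone else INTERZONE_DEFAULT


def to_set_command(rule):
    """Render the rule as a PAN-OS configure-mode 'set' command.
    Assumed equivalent of the web-UI steps; verify the keywords on your PAN-OS release."""
    return ("set rulebase security rules {name} from [ {f} ] to [ {t} ] "
            "source [ {s} ] destination [ {d} ] application [ {a} ] "
            "service application-default action {act}").format(
        name=rule.name, f=" ".join(sorted(rule.from_zones)), t=" ".join(sorted(rule.to_zones)),
        s=" ".join(rule.sources), d=" ".join(rule.destinations),
        a=" ".join(sorted(rule.applications)), act=rule.action)


RULEBASE = [STEP4_RULE]

# Constructed flows using the addresses on this page.
FLOWS = {
    # DMZ server to the NetScaler VPX in the data center, Oracle: hits the Step 4 rule.
    "dmz_to_vpx_oracle": Flow("DMZ", "Corporate", "192.168.10.10", "172.168.10.3", "oracle"),
    # Same hosts, but SSH: not in the rule's application list, so interzone-default denies it.
    "dmz_to_vpx_ssh": Flow("DMZ", "Corporate", "192.168.10.10", "172.168.10.3", "ssh"),
    # A new session initiated from the data center toward the DMZ: the rule is
    # one-directional, so this is denied unless a Corporate -> DMZ rule is added.
    "corp_to_dmz_oracle": Flow("Corporate", "DMZ", "172.168.10.3", "192.168.10.10", "oracle"),
    # Two DMZ hosts: no explicit rule, but intrazone-default allows it.
    "dmz_to_dmz_ssh": Flow("DMZ", "DMZ", "192.168.10.10", "192.168.10.11", "ssh"),
}


def evaluate_all(rulebase=RULEBASE, flows=FLOWS):
    """Map each flow name to (matching rule name, action)."""
    results = {}
    for name, flow in flows.items():
        rule = lookup(rulebase, flow)
        results[name] = (rule.name, rule.action)
    return results


if __name__ == "__main__":
    print(to_set_command(STEP4_RULE))
    for name, (rule, action) in evaluate_all().items():
        print(f"{name:20s} -> {rule:26s} {action}")
```

The model deliberately keeps the rule one-directional: return packets of a session the DMZ server opened are handled by the firewall's session table, but any connection the data-center side initiates toward the DMZ needs its own rule, and traffic between two hosts in the same zone is allowed by intrazone-default unless you override it.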