VM-Series
Deployment
Guide
41
Set Up a VM-Series Firewall on the Citrix SDX Server
Secure East-West Traffic with the VM-Series Firewall
Secure East-West Traffic with the VM-Series Firewall
The following example shows you how to deploy your VM-Series firewall to secure the application or database
servers on your network. This scenario is relevant to you if you have two NetScaler VPX instances, where one
instance authenticates users and terminates SSL connections and then load balances requests to the DMZ
servers and the other VPX instance load balances connections to the corporate servers that host the application
and database servers on your network.
Topology Before Adding the VM-Series Firewall
The communication between the servers in the DMZ and the servers in the corporate datacenter is processed
by both instances of the NetScaler VPX. For content that resides in the corporate datacenter, a new request in
handed off to the other instance of the NetScaler VPX which forwards the request to the appropriate server.
When the VM-Series firewall is deployed (this example uses L3 interfaces), the flow of traffic is as follows:
All incoming requests are authenticated and the SSL connection is terminated on the first instance of the
NetScaler VPX. For content that resides in the DMZ, the NetScaler VPX initiates a new connection to the
server to fetch the requested content. Note that the north-south traffic destined to the corporate datacenter
or to the servers in the DMZ are handled by the edge firewall and not by the VM-Series firewall.
For example, when a user (source IP 1.1.1.1) requests content from a server on the DMZ, the destination
IP is 20.5.5.1 (VIP of the NetScaler VPX). The NetScaler VPX then replaces the destination IP address,
based on the protocol to the internal server IP address, say 192.168.10.10. The return traffic from the server
is sent back to the NetScaler VPX at 20.5.5.1 and sent to the user with IP address 1.1.1.1.
All requests between the DMZ servers and the Corporate datacenter are processed by the VM-Series
firewall. For content that resides in the corporate datacenter, the request is transparently processed (if
deployed using L2 or virtual wire interfaces) or routed (using Layer3 interfaces) by the VM-Series firewall.