Web Filter
Deployment Guide
A Step-by-Step Technical Guide
Notice:
THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE OR NONINFRINGEMENT. CITRIX SYSTEMS, INC. (“CITRIX”), SHALL NOT BE LIABLE FOR
TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT,
INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING,
PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES IN ADVANCE.
This publication contains information protected by copyright. Except for internal distribution, no part
of this publication may be photocopied or reproduced in any form without prior written consent from
Citrix.
The exclusive warranty for Citrix products, if any, is stated in the product documentation accompanying
such products. Citrix does not warrant products other than its own.
Product names mentioned herein may be trademarks and/or registered trademarks of their respective
companies.
Copyright © 2008 Citrix Systems, Inc., 851 West Cypress Creek Road, Ft. Lauderdale, Florida 33309-
2009 U.S.A. All rights reserved.
Table of Contents
Introduction  4
Solution Requirements  5
Prerequisites  5
Network Diagram  6
First time connectivity  8
  Serial Connection  8
  Ethernet Connection  8
NetScaler Configuration  9
  Deployment Model: Netscaler Two-Arm Mode, Server Load Balancing, RNAT  9
  Licensing  10
  Basic Features  11
  IP Addresses, Interfaces and VLANs  12
RNAT Configuration  15
  About RNAT  15
Load Balancing Configuration  16
  About Server Load Balancing  16
  Create Server Objects  16
  Create Service Groups  17
  Create LB Virtual Server Objects (VIPs)  18
  Load Balancing Methods & Persistence  19
St.Bernard Web Filter  20
  Outbound Web Filter  20
  Outbound Web Filter for XenApp  24
Appendix A - NetScaler Application Switch Configuration  26
  Headquarters NetScaler  26
Introduction
Citrix® NetScaler® optimizes the delivery of web applications — increasing security and improving
performance and Web server capacity. This approach ensures the best total cost of ownership
(TCO), security, availability, and performance for Web applications. The Citrix NetScaler solution is a
comprehensive network system that combines high-speed load balancing and content switching with
state-of-the-art application acceleration, layer 4-7 traffic management, data compression, dynamic
content caching, SSL acceleration, network optimization, and robust application security into a single,
tightly integrated solution.
Citrix XenApp™, a member of the Citrix Delivery Center product family, is an end-to-end Windows
application delivery system that offers both client-side and server-side application virtualization, for
optimal application performance and flexible delivery options.
St. Bernard products are used in enterprises of all sizes across most commercial markets including
healthcare, manufacturing, finance, insurance, real estate, and public administration, as well as
educational institutions and state/local governments.
St. Bernard offers a full suite of secure content management solutions that integrate on-premise appliances
with on-demand services to protect corporate networks from online threats, manage bandwidth use and
enforce acceptable use policies. This industry-leading hybrid solution platform offers the security and
control of an on-premises appliance with the scalability of an on-demand service.
St. Bernard is the first and only company to support a true Hybrid Product Line, combining the security
and control of h-Series appliances with the unlimited scalability of iPrism Managed Services. Hybrid
solutions provide only the best functions from both an appliance and managed services approach
to deliver filtering solutions at the best location within the IT infrastructure to maximize efficiency and
value.
The Award-winning iPrism Web Filter secures organizations from Internet-based threats such as malware,
spyware, IM, P2P, and inappropriate content, at the perimeter, while it helps enforce acceptable use and
security policies. The new iPrism h-Series appliances also offer unmatched power, value and performance.
With dual quad-core processors and hot-swappable SATA hard drives and power supplies, there isn’t an
appliance on the market that equals the new iPrism h-Series.
When integrated with Citrix NetScaler and Application Firewall, the St.Bernard iPrism offers the extra level of
protection that organizations often look for when filtering outbound traffic.
When integrated with Citrix XenApp, the St.Bernard iPrism provides an added layer of security by filtering
the individual client sessions that connect to the internet from the application virtualization platform,
XenApp.
This deployment guide was created as the result of validation testing with Citrix NetScaler, Application
Firewall, Citrix XenApp and the St.Bernard iPrism h-Series Web Filter. It walks through the step-by-step
configuration details for the Citrix NetScaler application switch and the St.Bernard iPrism Web Filter.
Solution Requirements
• Application Switch - Citrix NetScaler NAT (Reverse NAT)
• Application Firewall - Citrix Application Firewall
• Application Virtualization - Citrix XenApp
• Web Filter - St.Bernard iPrism Web Filter, IM/P2P, Antivirus
Prerequisites
• Citrix NetScaler L4/7 Application Switch, running version 8.0+ (Quantity x 2 for Headquarters &
Remote sites).
• Citrix Application Firewall
• Citrix XenApp (Citrix Presentation Server)
• St.Bernard iPrism h-Series Web Filter
• Client laptop/workstation running Internet Explorer 6.0+, Ethernet port
• 9-pin serial cable -or- USB-to-serial cable
Network Diagram
The following is the network that was used to develop this deployment guide; it is representative of a solution implemented at a customer site.
It is shown here with the NetScaler in two-arm mode and the St.Bernard in one-arm mode, along with Citrix XenApp.
[Network diagram: Internet (Outside, vlan 65) - NetScaler - Inside (vlan 172) - Application Server; Mac and Windows clients shown]
Outside, VLAN 65 (diagram subnet label 67.97.253.0/24):
  Interface 1/8, Untagged
  SNIP: 65.89.216.1 / 24
  VIP: 65.89.216.151 / 24
Inside, VLAN 172 (subnet 172.16.104.0/24):
  Interface 1/7, Untagged
  SNIP: 172.16.104.1 / 24
NetScaler defaults for first-time access:
  Default IP Address: 192.168.100.1
  Serial: 9600, n, 8, 1
NetScaler Configuration
Deployment Model: Netscaler Two-Arm Mode, Server Load Balancing,
RNAT.
The NetScaler in this example is used in two-arm mode. In two-arm mode the NetScaler uses different
physical interfaces to segment VLAN traffic, providing an additional physical layer of separation. This
deployment could just as easily have been implemented using a trunk port on the NetScaler and a
Layer 2 switch. For incoming connections to the Application server, we will configure a Load Balancing
VIP on the Internet-facing subnet.
Licensing
The availability of a feature is controlled by a license key. When using the system for the first time, you
need to load the license key and then enable the feature.
Note:
Licenses are tied to the hostname of the switch and must match. The hostname can be found under
NetScaler System. Make sure the license file is in the correct location. With release 8.0 all license
files must be in the /nsconfig/license directory in order to be recognized.
Also, check the “hosts” files in /nsconfig and in /etc, and make sure both include lines for localhost
and for the NetScaler hostname as defined in the configuration and /nsconfig/rc.conf.
A properly configured hosts file should look similar to the following (using nshost as the example
hostname defined for this NetScaler).
127.0.0.1 localhost
127.0.0.1 nshost
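The hosts-file requirement above is easy to verify before loading a license. The following is an added example written for this guide, not Citrix code or a NetScaler tool: it parses hosts files in the standard "ip name [alias ...]" format (with '#' comments), reports which of the two required names ("localhost" and the NetScaler hostname) each file lacks, and can read the real /nsconfig/hosts and /etc/hosts on an appliance. The sample file contents are constructed; nshost is the guide's example hostname.

```python
"""Check that NetScaler hosts files carry the entries the Licensing note requires.

Added example, not Citrix code. It assumes the hosts files use the standard
"ip name [alias ...]" format with '#' comments; the sample contents below are
constructed for illustration (nshost is the guide's example hostname).
"""


def parse_hosts(text):
    """Map every hostname/alias in hosts-file text to its IP (first entry wins)."""
    names = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no names cannot satisfy any lookup
        ip, hostnames = fields[0], fields[1:]
        for name in hostnames:
            names.setdefault(name.lower(), ip)
    return names


def missing_entries(text, ns_hostname):
    """Return the required names ('localhost' and the NetScaler hostname) absent from text."""
    names = parse_hosts(text)
    return [n for n in ("localhost", ns_hostname.lower()) if n not in names]


def check_hosts_files(files, ns_hostname):
    """files: {path: contents}. Returns {path: [missing names]} only for files that need a fix."""
    report = {}
    for path, text in files.items():
        missing = missing_entries(text, ns_hostname)
        if missing:
            report[path] = missing
    return report


def load_hosts_files(paths=("/nsconfig/hosts", "/etc/hosts")):
    """Read the real files on an appliance; an unreadable file is treated as empty."""
    files = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                files[path] = fh.read()
        except OSError:
            files[path] = ""
    return files


# Constructed sample: /nsconfig/hosts is correct, /etc/hosts lacks the hostname line.
SAMPLE_FILES = {
    "/nsconfig/hosts": "127.0.0.1 localhost\n127.0.0.1 nshost\n",
    "/etc/hosts": "# constructed sample\n::1 localhost\n127.0.0.1 localhost\n",
}

if __name__ == "__main__":
    for path, missing in check_hosts_files(SAMPLE_FILES, "nshost").items():
        print(f"{path}: missing {', '.join(missing)}")
```

On an appliance, replace SAMPLE_FILES with load_hosts_files() and pass the hostname shown under NetScaler System; an empty report means both files carry both entries.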
Basic Features
Load Balancing is enabled in Basic Features.
Important NetScaler IP Addresses
NSIP (NetScaler IP Address): The NetScaler IP (NSIP) is the management IP address for the
appliance, and is used for all management related access to the appliance. There can only be one
NSIP. Note: NSIP is mandatory and requires a reboot.
SNIP (Subnet IP Address): The Subnet IP address (SNIP) allows the user to access an Application
Switch from an external host that is residing on another subnet. When a subnet IP address is added, a
corresponding route entry is made in the route table. The Application Switch uses the SNIP as the
source IP Address for outgoing packets when the “USNIP” mode is enabled. USNIP is enabled by
default. (With USNIP enabled, configuration of MIP is unnecessary.) The SNIP can also be used as the
Tagged VLAN IP, and for RNAT.
MIP (Mapped IP Address): The mapped IP address (MIP) is becoming outdated. It has traditionally
been used by the Application Switch to represent the client when communicating with the backend
managed server. Mapped IP addresses (MIP) were used for server-side connections and can be used
for Reverse NAT. Think of this as the client’s source address on the server-side of the Application
Switch, assuming a two-arm proxy deployment. When using the USNIP mode above, MIPs are
unnecessary.
VIP (Virtual IP Address): The Virtual Server IP address (VIP) is used by the Application Switch to
represent the public facing IP address of the managed services. ARP and ICMP attributes on this IP
address allow users to host the same vserver on multiple Application Switches residing on the same
broadcast domain.
DFG (Default Gateway): IP Address of the router that forwards traffic outside of the subnet where the
appliance is installed.
Note:
USNIP mode is enabled by default. If both USIP mode and USNIP mode are enabled, USIP mode
takes precedence over USNIP mode.
By default, all the interfaces on the system are in a single port-based VLAN as untagged interfaces.
This VLAN is the default VLAN with a VID equal to 1.
When an interface is added to a new VLAN as an untagged member, the interface is automatically
removed from the default VLAN and placed in the new VLAN. This is convenient: when we plug the
NetScaler into a switch that uses tagged VLANs, we only need to check the box to turn on tagging.
VLANs are typically used to separate subnet traffic.
If trunking is turned on, you will see an interface as a member of more than one VLAN.
Add the remaining IP Addresses
IP Addresses (SNIPs) that are used for routing between VLANs and RNAT are added separately according
to the table in the network diagram. Note that VIP addresses are created later during Load Balancing
configuration, not at this time. The following screen shots are for the NetScaler.
Create VLANs and assign Subnet IP Addresses to them. Navigate to NetScaler > Network > VLANs > Add
to add VLAN and interface assignments on the Application Switch. Be sure to bind the IP address to
each VLAN, and enable dynamic routing.
RNAT Configuration
About RNAT
The NetScaler system supports Reverse Network Address Translation (RNAT) or NAT for outbound
connections. When the system performs RNAT, it replaces the source IP addresses of packets generated
by the back-end servers with a NAT IP address. The NAT IP address is a public IP address. By default,
the NAT IP address is a MIP. However, you can configure the system to use a Subnet IP address as the
NAT IP address, which we do in this deployment guide.
From the GUI, navigate to NetScaler > Network > Routing > Configure RNAT > Create. With this
configuration all internal private IP addresses that originate in the 10.217.104.0 network will be
translated (NAT’d) to 65.89.216.2 as they reach the public internet.
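Because the VLAN, SNIP, VIP and RNAT settings are entered on separate screens, it is worth checking the plan as a whole before typing it in: every SNIP must be a host address on its own VLAN subnet, the VIP must sit on the Internet-facing subnet, and RNAT must rewrite only the private inside network to a public-side address that does not collide with the VIP. The following is an added example, not Citrix code: PLAN mirrors the guide's network diagram, the "outside"/"inside" role labels are chosen here for the checks, and the RNAT source network is assumed to be the inside VLAN subnet 172.16.104.0/24 (the RNAT section of the guide names 10.217.104.0, which the diagram does not list; the what-if call at the bottom shows the check flagging that mismatch).

```python
"""Consistency checks for the two-arm NetScaler addressing plan (VLANs, SNIPs, VIP, RNAT).

Added example, not Citrix code. PLAN mirrors the guide's network diagram; the
RNAT source network is assumed to be the inside VLAN subnet (172.16.104.0/24),
and the roles "outside"/"inside" are labels chosen here for the checks.
"""
import copy
import ipaddress

PLAN = {
    "vlans": {
        65: {"interface": "1/8", "subnet": "65.89.216.0/24", "snip": "65.89.216.1", "role": "outside"},
        172: {"interface": "1/7", "subnet": "172.16.104.0/24", "snip": "172.16.104.1", "role": "inside"},
    },
    "vips": ["65.89.216.151"],
    "rnat": {"source_network": "172.16.104.0/24", "nat_ip": "65.89.216.2"},  # source net is an assumption
}


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is self-consistent."""
    problems = []
    nets = {}
    for vid, v in plan["vlans"].items():
        net = ipaddress.ip_network(v["subnet"], strict=True)
        snip = ipaddress.ip_address(v["snip"])
        nets[vid] = net
        # The SNIP must be a usable host address inside its own VLAN subnet.
        if snip not in net or snip in (net.network_address, net.broadcast_address):
            problems.append(f"VLAN {vid}: SNIP {snip} is not a host address in {net}")
    vids = sorted(nets)
    for i, a in enumerate(vids):
        for b in vids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"VLAN {a} and VLAN {b}: subnets {nets[a]} and {nets[b]} overlap")
    outside = [nets[vid] for vid, v in plan["vlans"].items() if v["role"] == "outside"]
    inside = [nets[vid] for vid, v in plan["vlans"].items() if v["role"] == "inside"]
    # Guide: the load-balancing VIP lives on the Internet-facing subnet.
    for vip in plan["vips"]:
        ip = ipaddress.ip_address(vip)
        if not any(ip in n for n in outside):
            problems.append(f"VIP {ip} is not on an Internet-facing (outside) subnet")
    src = ipaddress.ip_network(plan["rnat"]["source_network"], strict=True)
    nat_ip = ipaddress.ip_address(plan["rnat"]["nat_ip"])
    # RNAT should rewrite only the private inside network, never outside addresses.
    if not any(src.subnet_of(n) for n in inside):
        problems.append(f"RNAT source {src} is not within any inside VLAN subnet")
    if any(src.overlaps(n) for n in outside):
        problems.append(f"RNAT source {src} overlaps an outside subnet")
    # The NAT IP must be a public-side address and must not collide with a VIP.
    if not any(nat_ip in n for n in outside):
        problems.append(f"RNAT NAT IP {nat_ip} is not on an outside subnet")
    if any(nat_ip == ipaddress.ip_address(vip) for vip in plan["vips"]):
        problems.append(f"RNAT NAT IP {nat_ip} collides with a VIP")
    return problems


def with_rnat(plan, source_network=None, nat_ip=None):
    """Return a deep copy of plan with the RNAT settings overridden (for what-if checks)."""
    alt = copy.deepcopy(plan)
    if source_network:
        alt["rnat"]["source_network"] = source_network
    if nat_ip:
        alt["rnat"]["nat_ip"] = nat_ip
    return alt


if __name__ == "__main__":
    for p in check_plan(PLAN) or ["plan is consistent"]:
        print(p)
    # The guide's RNAT section names 10.217.104.0 as the source network; the
    # diagram lists no such VLAN, so the check reports the mismatch.
    for p in check_plan(with_rnat(PLAN, source_network="10.217.104.0/24")):
        print(p)
```

The checks deliberately stop at self-consistency of the plan; they say nothing about what the appliance will accept, only that the addresses agree with the roles the diagram gives them.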
Load Balancing Configuration
About Server Load Balancing
Server Load Balancing is used for incoming connections to Application servers. Load balancing
allows you to distribute requests sent to a particular virtual server (vserver or VIP) evenly across
several physical servers. A client sends a request to the virtual server, which selects a physical server
in the server farm and directs the request to the selected physical server. Load balancing allows the
Application Switch to choose the physical server with the lowest load and greatest available resources.
1-2-3:
Configuring Load Balancing is a simple 1-2-3 process performed by creating objects within the Citrix
Application Switch. We create the objects in logical formation from the backend servers to the
forward facing internet IP Address:
1) Create Servers
2) Create Services
3) Create Load Balancing VIPs w/Persistence
Create Service Groups
Service Groups are containers for managing load balancing and SSL services to several instances of the
same service (port number) on the same or different servers (ip address).
Select an availability monitor to keep in contact with the server/service. If the service goes down, load
balancing will mark it down and send traffic to the other available servers/services.
To get the most performance, select the Advanced tab and turn on Compression and TCP Buffering. The
compression computation is an off-loaded task for both http and https from the Application servers.
Select OK.
In this example, our public facing IP Address for the Application server is 65.89.216.151 on port 80.
Load Balancing Methods & Persistence
The Citrix Application Switch is capable of several Load Balancing Methods. In order to direct traffic
correctly to the Application servers, the Citrix Application Switch can also be configured to persist
traffic.
By default the Citrix Application Switch uses the ‘Least Connections’ load balancing algorithm, but can
be changed to Round Robin. Several persistence methods are available.
Select the ‘Methods and Persistence’ tab. Select the LB Method Round Robin.
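The way the method, the availability monitor and persistence interact is easier to see in a small model than on the configuration screen. The following is an added example, not Citrix code: it models a service group whose monitor marks a failed service down (so it receives no new traffic), chooses a service by Round Robin or Least Connections, and optionally pins a client to its previous service by source IP. The three back-end addresses and client addresses are constructed; SOURCEIP persistence is included as one of the "several persistence methods" the guide mentions, which is an assumption about which one (the guide's own VIP uses NONE).

```python
"""Model of how the load-balancing method and the availability monitor choose a service.

Added example, not Citrix code. The three back-end addresses are constructed;
the monitor is a plain callable standing in for the appliance's health probe,
and SOURCEIP persistence is an assumed persistence type (the guide uses NONE).
"""


class Service:
    def __init__(self, ip, port=80):
        self.ip = ip
        self.port = port
        self.up = True      # maintained by the availability monitor
        self.active = 0     # open connections currently assigned here

    def __repr__(self):
        return f"{self.ip}:{self.port}"


class ServiceGroup:
    def __init__(self, services, method="LEASTCONNECTION", persistence="NONE"):
        self.services = list(services)
        self.method = method
        self.persistence = persistence
        self._rr_next = 0        # round-robin pointer
        self._sticky = {}        # client IP -> service for SOURCEIP persistence

    def monitor(self, probe):
        """Run the availability monitor: a service that fails the probe is marked down."""
        for s in self.services:
            s.up = bool(probe(s))

    def _round_robin(self):
        # Advance the pointer, skipping services the monitor has marked down.
        for _ in range(len(self.services)):
            s = self.services[self._rr_next % len(self.services)]
            self._rr_next += 1
            if s.up:
                return s
        return None

    def select(self, client_ip=None):
        """Pick the service for a new request, or None when every service is down."""
        up = [s for s in self.services if s.up]
        if not up:
            return None
        chosen = None
        if self.persistence == "SOURCEIP" and client_ip in self._sticky:
            chosen = self._sticky[client_ip]
            if not chosen.up:          # a persisted service that went down is skipped
                chosen = None
        if chosen is None:
            if self.method == "ROUNDROBIN":
                chosen = self._round_robin()
            else:  # LEASTCONNECTION: fewest open connections; ties go to list order
                chosen = min(up, key=lambda s: s.active)
        chosen.active += 1
        if self.persistence == "SOURCEIP" and client_ip is not None:
            self._sticky[client_ip] = chosen
        return chosen

    def release(self, service):
        """Close one connection on a service so LEASTCONNECTION reflects real load."""
        service.active = max(0, service.active - 1)


def simulate(method, clients, down=(), preload=None, persistence="NONE"):
    """Return the back-end IP chosen for each client request, in order (None if all down)."""
    group = ServiceGroup(
        [Service("172.16.104.10"), Service("172.16.104.11"), Service("172.16.104.12")],
        method=method, persistence=persistence)
    for s in group.services:
        s.active = (preload or {}).get(s.ip, 0)   # pre-existing connections, constructed
    group.monitor(lambda s: s.ip not in down)      # constructed probe result per service
    chosen = [group.select(c) for c in clients]
    return [s.ip if s else None for s in chosen]


if __name__ == "__main__":
    clients = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.1", "10.0.0.2", "10.0.0.3"]
    print("round robin          :", simulate("ROUNDROBIN", clients))
    print("round robin, .12 down:", simulate("ROUNDROBIN", clients, down={"172.16.104.12"}))
    print("least connection     :", simulate("LEASTCONNECTION", clients,
                                            preload={"172.16.104.10": 5, "172.16.104.12": 2}))
    print("sourceip persistence :", simulate("ROUNDROBIN", ["10.0.0.1", "10.0.0.1", "10.0.0.2"],
                                            persistence="SOURCEIP"))
```

Running the block shows the difference the monitor makes: with one service marked down, Round Robin alternates between the two remaining services instead of sending every third request into a black hole, and a client pinned by SOURCEIP persistence is re-balanced only if its service is no longer up.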
St.Bernard Web Filter
Outbound Web Filter
The St.Bernard Web Filter intercepts traffic bound for the internet and either blocks or logs it. It is very
simple to use. We plugged the "Int" interface into VLAN 172, and allowed the St.Bernard Appliance
Manager to find the appliance automatically. We then assigned an ip address to it.
Once in contact, select the Manage Selected Appliance > System Configuration.
To configure the iPrism policies for blocking and monitoring content, select Access Profiles. Add
the profile name. Select which content to block, and which
To apply the iPrism policies to the internal subnet, select Users > Network. Select Add, add the IP
Subnet start and end, select the Web Profile, and click ‘Ok’.
Outbound Web Filter for XenApp
The St.Bernard Web Filter can be configured to work with Citrix XenApp. Because the St.Bernard uses
'Session Authentication' with every user against Active Directory, every individual user that is logged into
XenApp via a thin client is captured in the St.Bernard logs and reports by individual username.
Appendix A - NetScaler Application Switch
Configuration
Headquarters NetScaler
nshq1> #NS9.0 Build 47.008
enable ns feature WL SP LB
set interface 1/1 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor ON -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0
set interface 1/2 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0
set interface 1/3 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0
set interface 1/4 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0
set interface 1/5 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0
set interface 1/6 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0
set interface 1/7 -speed AUTO -duplex AUTO -flowControl RXTX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0
set interface 1/8 -speed AUTO -duplex AUTO -flowControl RXTX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0
add ns ip 10.217.104.73 255.255.255.0 -vServer DISABLED
bind vlan 66 -IPAddress 66.91.171.1 255.255.255.0
add serviceGroup ServerGroup151 HTTP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB YES -CMP YES
add lb vserver VIP151 HTTP 65.89.216.151 80 -persistenceType NONE -lbMethod ROUNDROBIN -cltTimeout 180