Micro-segmentation is the cornerstone of the network virtualization paradigm. It provides inter-datacenter security by isolating workloads from each other. Citrix XenDesktop and NetScaler are platform agnostic and integrate with both Cisco ACI and VMware NSX to offer network isolation for workloads.
In this blog, I am going to focus on XenDesktop, NetScaler and NSX interoperability. I will discuss a field use case, see how to implement it in VMware NSX for XenDesktop, and then look at a few micro-segmentation deployment scenarios to showcase how XenDesktop and NetScaler, in conjunction with NSX, provide a compelling deployment model.
I recently had an opportunity to learn about how a large airline customer is using XenDesktop, NetScaler and NSX together for micro-segmentation. The customer was made up of a parent airline and a number of smaller airlines that it acquired over time. A big project was to consolidate the airlines’ backend systems and co-locate them in the same datacenters to gain compute efficiencies and save cost. The admins wanted to ensure that the customer data belonging to each airline is not accessed by any of the other airlines. The customer used NSX to isolate all traffic from each airline’s customer databases from the rest of the network, except for the corresponding airline’s application servers that need to access them. They also isolated and segmented traffic for XenApp or XenDesktop and used NetScalers to load balance the traffic by creating services in NSX. Here is how you can achieve similar network isolation if you are using NSX and have a XenApp and XenDesktop environment.
How to implement micro-segmentation in your XenDesktop and NSX environment.
The feature set exposed by NSX for micro-segmentation can be universally applied to any service that requires specific ports to be used. The first step is to create a service in NSX. In the case of XenApp and XenDesktop, ports 1494 and 2598 on TCP/UDP, or 443 for HTTPS (depending on whether StoreFront is using HTTP or HTTPS), would constitute each of the services.
These services could also be put together to create a service group, so the admin can apply changes to them together when creating the firewall rules that are needed. You can optionally add traffic from Provisioning Services and other Citrix services.
The services and service groups are pairs of ports and layer three services that would then be controlled using specific firewall rules mapped to XenApp or XenDesktop users via Security groups.
Once this mapping has been done, we would then implement the following deployment scenarios.
Let’s first consider the standard deployment scenario without VDI where a number of different departments in the same company have a requirement to isolate their network traffic from other departments. This can be achieved as shown in the diagram below.
Now consider the same use case with VDI: all the VMs are created from the same base disk and are identical. The IT policy requires network separation between the Finance desktops and the IT Admins desktops. Citrix admins can dynamically implement this using NSX and XenDesktop, allowing Finance department employees access to their desktops on the Finance VXLAN. Now suppose that after a while the admins set up a back-office team that needs access to the contents of the desktops in the Finance and Users delivery group. Citrix admins can work with NSX admins to simply add firewall rules that allow the back-office security group to access the Finance and Users VXLAN, resulting in the required segmentation.
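To make the service, service-group, security-group and firewall-rule mapping described above concrete, here is an added example (not code from the original post, and not the NSX API itself) that models the policy in plain Python and evaluates flows first-match with a default block, the way the distributed firewall does. The service, group and rule names are constructed for illustration; only TCP is modeled, and the back-office scenario is handled by adding one rule above the default block.

```python
from dataclasses import dataclass

# Constructed NSX-style policy model: services, a service group, security
# groups and distributed-firewall rules, evaluated first-match with default block.
SERVICES = {                      # name -> (protocol, port), the ports the post lists
    "Citrix-ICA": ("tcp", 1494),
    "Citrix-CGP": ("tcp", 2598),
    "Citrix-HTTPS": ("tcp", 443),
}
SERVICE_GROUPS = {"XenDesktop": ["Citrix-ICA", "Citrix-CGP", "Citrix-HTTPS"]}

@dataclass
class Rule:
    name: str
    src: str          # security group of the user / endpoint (constructed names)
    dst: str          # security group of the desktop VXLAN (constructed names)
    service: str      # service or service-group name, or "any"
    action: str       # "allow" or "block"

RULES = [
    Rule("Finance to Finance desktops", "SG-Finance-Users", "SG-Finance-VXLAN", "XenDesktop", "allow"),
    Rule("IT to IT desktops", "SG-IT-Users", "SG-IT-VXLAN", "XenDesktop", "allow"),
    # Final rule: the DFW default rule set to block, so anything unmatched is dropped.
    Rule("Default block", "any", "any", "any", "block"),
]

def service_matches(service: str, proto: str, port: int) -> bool:
    """True if (proto, port) is covered by the named service or service group."""
    if service == "any":
        return True
    members = SERVICE_GROUPS.get(service, [service])
    return any(SERVICES[m] == (proto, port) for m in members)

def evaluate(rules, src: str, dst: str, proto: str, port: int) -> str:
    """First-match evaluation: returns the action of the first matching rule."""
    for r in rules:
        if r.src in ("any", src) and r.dst in ("any", dst) and service_matches(r.service, proto, port):
            return r.action
    return "block"   # no default rule present: still fail closed

def with_back_office(rules):
    """The post's scenario: a new back-office team is granted the Finance VXLAN
    by inserting one allow rule above the default block; nothing else changes."""
    new = Rule("BackOffice to Finance desktops", "SG-BackOffice-Users", "SG-Finance-VXLAN", "XenDesktop", "allow")
    return rules[:-1] + [new, rules[-1]]
```

Running `evaluate` over the flows you expect to allow and the ones you expect to block is a cheap way to review a rule set before it is pushed to NSX.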
Extending the same principle to the example from the beginning of the blog, the multi-tenant deployment for a large airline, we can isolate each tenant (with its own Active Directory) on its own respective VXLAN.
Adding NetScaler to this deployment would simplify the setup and allow the users of all the airlines (or tenants) to access the same landing URL while still having complete isolation from each other’s data and resources.
Only with Citrix XenDesktop and NetScaler can a service provider aggregate the set of tenants, manage the same storage subsystem and deliver the resources via a single portal and still have data isolation as needed.
Reach out to me on Twitter @techmayank
If you haven’t done it yet, try XenDesktop.