Citrix ADC users can deploy inline security devices such as intrusion prevention systems (IPS) and next-generation firewalls (NGFW) for enhanced network protection. These security devices inspect the traffic sent by the ADC appliance and block security exploits on the network.

To add an additional layer of security, a Citrix ADC appliance can be integrated with third-party managed inline devices to perform content inspection more easily for advanced security protection.

The best part of this integration is that the Citrix ADC appliance can not only offload data for content inspection but can also load balance inline devices when there is a heavy volume of traffic for content inspection.

Integrate, Load Balance Multiple Inline Devices Using Dedicated Interfaces

You can integrate inline devices with an ADC appliance in different ways. Let’s consider a scenario where there are multiple inline devices integrated with an ADC appliance through a dedicated interface. All devices are integrated with the appliance at the L2 layer.

The following diagram shows how a Citrix ADC appliance is integrated with one or more third-party inline devices.

When you integrate an ADC appliance with multiple inline devices, the components interact like this:

    1. A client sends a request to the Citrix ADC appliance.
    2. The appliance receives the request and sends it to an inline device based on policy evaluation. (For two or more security devices, the appliance load balances the devices and sends the traffic. If the incoming traffic is encrypted, the appliance decrypts the data and sends it as a plain text to the device for content inspection.)
    3. The security device inspects the data for threats and decides whether to drop, reset, or send the data back to the appliance.
    4. If there are security threats, the device modifies the data and sends it to the appliance.
    5. The Citrix ADC, in turn, re-encrypts the data and forwards the request to the back-end server.
    6. The back-end server sends the response to the Citrix ADC appliance.
    7. The appliance again decrypts the data and sends it to the security device for inspection.
    8. The appliance re-encrypts the data and sends the response to the client.

Now let’s look at a scenario where you configure the appliance to offload a subset of traffic to these inline devices and to load balance the devices for traffic distribution. You’ll see configuration steps for both the command-line interface and the GUI. Use whichever configuration method you prefer.

CLI-based Configuration

Enable MBF (MAC-based forwarding) Mode

If you want the Citrix ADC appliance to be integrated with inline devices such as an IPS or firewalls, you must enable this mode. For more information about MBF, see Configure MAC-based Forwarding.

At the command prompt, type:

enable ns mode mbf

Enable Content Inspection

If you want the Citrix ADC appliance to decrypt and then send the content for inspection to the inline devices, you must enable the Content Inspection and load-balancing features.

enable ns feature contentInspection LoadBalancing

Add Content Inspection profile1 for service1

Inline configurations for a Citrix ADC appliance can be specified in an entity called Content Inspection profile. The profile has a collection of device settings. The Content Inspection profile1 is created for inline service 1, and the communication is through 1/2 and 1/3 dedicated interfaces.

At the command prompt, type:

add contentInspection profile <name> -type InlineInspection -egressInterface <interface_name> -ingressInterface <interface_name> [-egressVlan <positive_integer>] [-ingressVlan <positive_integer>]

Example

You can use this example to configure a Content Inspection profile for inline service in your appliance.

add contentInspection profile Inline_profile1 -type InlineInspection -ingressInterface "1/2" -egressInterface "1/3"

Add content inspection profile2 for service2

The Content Inspection profile2 is added for service2 and the inline device communicates with the appliance through 1/4 and 1/5 dedicated interfaces.

At the command prompt, type:

add contentInspection profile <name> -type InlineInspection -egressInterface <interface_name> -ingressInterface <interface_name> [-egressVlan <positive_integer>] [-ingressVlan <positive_integer>]

Example

You can use this example to configure a Content Inspection profile for inline service 2 in your appliance.

add contentInspection profile Inline_profile2 -type InlineInspection -ingressInterface "1/4" -egressInterface "1/5"

Add service 1 for inline device 1

After you enable the Content Inspection feature and add the inline profile, you must add an inline service 1 for inline device 1 to be part of the load-balancing setup. The service that you add provides all the inline configuration details.

At the command prompt, type:

add service <Service_name_1> <Pvt_IP1> TCP * -contentInspectionProfileName <Inline_Profile_1> -healthMonitor OFF -usip ON -useproxyport OFF

Example

You can use the example below to configure the inline service for an inline device integrated with your appliance.

add service Inline_service1 1.1.1.1 TCP 80 -contentInspectionProfileName Inline_profile1 -healthMonitor OFF -usip ON -useproxyport OFF

Note: Ensure the service IP address is not the address owned by the inline devices configured on the ADC appliance.

Add service 2 for inline device 2

After you enable the Content Inspection feature and add the inline profile, you must add an inline service 2 for inline device 2. The service that you add provides all the inline configuration details.

At the command prompt, type:

add service <Service_name_2> <Pvt_IP2> TCP * -contentInspectionProfileName <Inline_Profile_2> -healthMonitor OFF -usip ON -useproxyport OFF

Example

You can use the example that follows to configure the inline service for another inline device integrated with your appliance.

add service Inline_service2 10.29.20.205 TCP 80 -contentInspectionProfileName Inline_profile2 -healthMonitor OFF -usip ON -useproxyport OFF

Add load balancing virtual server

After you have added the inline profile and the services, you must add a load-balancing virtual server for load balancing the services.

At the command prompt, type:

add lb vserver <vserver_name> TCP <Pvt_IP3> <port>

Example

You can use this example to add a load-balancing virtual server.

add lb vserver lb-Inline_vserver TCP *

Bind service 1 to the load balancing virtual server

After you add the load balancing virtual server, bind the load balancing virtual server to the first inline service.

At the command prompt, type:

bind lb vserver <Vserver_name> <Service_name_1>

Example

You can use the example below to bind the inline service 1 to a load-balancing virtual server.

bind lb vserver lb-Inline_vserver Inline_service1

Bind service 2 to the load balancing virtual server

After you add the load-balancing virtual server, bind the server to the second service.

At the command prompt, type:

bind lb vserver <Vserver_name> <Service_name_2>

Example

You can use the following example command to bind the inline service 2 to a load-balancing virtual server.

bind lb vserver lb-Inline_vserver Inline_service2

Add content inspection action for the service

After you enable the Content Inspection feature, you must add the Content Inspection action for handling the inline request information. Based on the action selected, the inline device drops, resets, or blocks after it has examined the given subset of traffic.

At the command prompt, type:

add contentInspection action <name> -type <type> (-serverName <string> | (-serverip <ip_addr|ipv6_addr> [-serverport <positive_integer>])) [-icapProfileName <string>] [-ifserverdown <ifserverdown>] [-reqTimeout <positive_integer>] [-reqTimeoutAction <reqTimeoutAction>]

For an inline device, the action takes the following form:

add contentInspection action <action_name> -type InlineINSPECTION -serverName <Service_name|Vserver_name>

Example

You can use this example to add a Content Inspection action to the service.

add contentInspection action Inline_action -type InlineINSPECTION -serverName lb-Inline_vserver

Add content inspection policy for inspection

After you create a Content Inspection action, you must add a Content Inspection policy to evaluate requests for the service. The policy is based on a rule that consists of one or more expressions. The rule is associated with a Content Inspection action, which is applied when a request matches the rule.

At the command prompt, type the following:

add contentInspection policy <policy_name> -rule <Rule> -action <action_name>

Example

You can use the example below to add Content Inspection policy.

add contentInspection policy Inline_pol1 -rule true -action Inline_action

Add content switching or load balancing virtual server of type HTTP/SSL

Add a content-switching or load-balancing virtual server to accept web traffic. You must also enable the Layer 2 connection parameter (l2Conn) on the virtual server. For more information about load balancing, read the post on setting up basic load balancing on the Citrix Product Documentation page.

At the command prompt, type:

add lb vserver <name> <service_type> <IP_address> <port> -l2Conn ON

Example

You can use the example below to add a content-switching or load-balancing virtual server.

add lb vserver http_vserver HTTP 10.102.29.200 8080 -l2Conn ON

Bind Content Inspection policy to load balancing virtual server of type HTTP/SSL

You must bind the content-switching or load-balancing virtual server of type HTTP/SSL to the Content Inspection policy.

At the command prompt, type the following:

bind lb vserver <vserver_name> -policyName <policy_name> -priority <positive_integer> -type <L7InlineREQUEST | L4Inline-REQUEST>

Example

You can use the following example to bind Content Inspection policy to a load-balancing virtual server.

bind lb vserver http_vserver -policyName Inline_pol1 -priority 100 -type REQUEST
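
As an added example that is not part of the original post, the following Python script parses a batch of the CLI commands above and checks that the inline chain is complete: MBF mode and both features enabled, every service referencing a defined profile and bound to the load-balancing virtual server the action targets, the policy chaining to the action and bound on a virtual server with -l2Conn ON, and no service IP colliding with a VIP defined in the same batch. The sample batch is constructed from this post's commands, and the option parsing assumes the simple "-key value" form used here.

```python
import re
# Constructed sample: the CLI sequence from this post, assembled into one batch file.
SAMPLE_CONFIG = """
enable ns mode mbf
enable ns feature contentInspection LoadBalancing
add contentInspection profile Inline_profile1 -type InlineInspection -ingressInterface 1/2 -egressInterface 1/3
add contentInspection profile Inline_profile2 -type InlineInspection -ingressInterface 1/4 -egressInterface 1/5
add service Inline_service1 1.1.1.1 TCP 80 -contentInspectionProfileName Inline_profile1 -healthMonitor OFF -usip ON -useproxyport OFF
add service Inline_service2 10.29.20.205 TCP 80 -contentInspectionProfileName Inline_profile2 -healthMonitor OFF -usip ON -useproxyport OFF
add lb vserver lb-Inline_vserver TCP *
bind lb vserver lb-Inline_vserver Inline_service1
bind lb vserver lb-Inline_vserver Inline_service2
add contentInspection action Inline_action -type InlineINSPECTION -serverName lb-Inline_vserver
add contentInspection policy Inline_pol1 -rule true -action Inline_action
add lb vserver http_vserver HTTP 10.102.29.200 8080 -l2Conn ON
bind lb vserver http_vserver -policyName Inline_pol1 -priority 100 -type REQUEST
"""

def parse(text):
    """Yield (positional words, {option: value}) per command; options are '-key value' pairs."""
    for line in text.strip().splitlines():
        head, *rest = re.split(r"\s-(\w+)\s+", line.strip())
        yield head.split(), {k.lower(): v for k, v in zip(rest[::2], rest[1::2])}

def lint(text):
    f, on, prof, svc, vs, act, pol, binds, polbind = [], set(), {}, {}, {}, {}, {}, {}, {}
    for w, o in parse(text):
        k = tuple(x.lower() for x in w[:3])
        if k[:2] == ("enable", "ns"): on |= {x.lower() for x in w[3:]}  # modes and features
        elif k == ("add", "contentinspection", "profile"): prof[w[3]] = o
        elif k[:2] == ("add", "service"): svc[w[2]] = (w[3], o)
        elif k == ("add", "lb", "vserver"): vs[w[3]] = (w[5] if len(w) > 5 else "*", o)
        elif k == ("bind", "lb", "vserver") and "policyname" in o: polbind[o["policyname"]] = w[3]
        elif k == ("bind", "lb", "vserver"): binds.setdefault(w[3], []).append(w[4])
        elif k == ("add", "contentinspection", "action"): act[w[3]] = o
        elif k == ("add", "contentinspection", "policy"): pol[w[3]] = o
    f += [f"{x} not enabled" for x in ("mbf", "contentinspection", "loadbalancing") if x not in on]
    for s, (ip, o) in svc.items():  # each service needs a defined profile and a non-appliance IP
        if o.get("contentinspectionprofilename") not in prof: f.append(f"service {s}: unknown profile")
        if ip in {i for i, _ in vs.values()}: f.append(f"service {s}: IP {ip} is a VIP owned by the appliance")
    for v, names in binds.items():
        f += [f"bind {v}: service {s} not defined" for s in names if s not in svc]
    for a, o in act.items():  # the action must point at the LB vserver fronting every inline service
        if (t := o.get("servername")) not in vs and t not in svc: f.append(f"action {a}: target {t} unknown")
        elif t in vs: f += [f"service {s} not bound to {t}" for s in svc if s not in binds.get(t, [])]
    for p, o in pol.items():  # the policy must chain to an action and sit on a vserver with -l2Conn ON
        if o.get("action") not in act: f.append(f"policy {p}: action {o.get('action')} unknown")
        if (v := polbind.get(p)) not in vs or vs[v][1].get("l2conn", "OFF").upper() != "ON":
            f.append(f"policy {p}: must be bound to an existing vserver with -l2Conn ON")
    return f
```

Run lint() over the batch you intend to apply before loading it on the appliance; a misnamed service, such as re-adding Inline_service1 where Inline_service2 was meant, shows up as an undefined service in the bind check.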

GUI-based Configuration

  1. Navigate to Security > Content Inspection > ContentInspection Profiles.
  2. In the ContentInspection Profile page, click Add.
  3. In the Create ContentInspectionProfile page, set the following parameters.
    1. Profile Name: Name of the content inspection profile.
    2. Type: Select the profile type as InlineInspection.
    3. Egress Interface: The interface through which traffic is sent from Citrix ADC to the inline device.
    4. Ingress Interface: The interface through which traffic is received from the inline device by Citrix ADC.
    5. Egress VLAN: The VLAN ID through which traffic is sent to the inline device.
    6. Ingress VLAN: The VLAN ID through which traffic is received from the inline device by Citrix ADC (if configured).
  4. Click Create.
  5. Navigate to Load Balancing > Services and click Add.
  6. In the Services page, enter the content inspection service details. Note: The IP is a dummy address.
  7. In the Advanced Settings section, click Profiles.
  8. Go to the Profiles section and add the Inline content inspection profile.
  9. Click OK.
  10. Navigate to Traffic Management > Load Balancing > Virtual Servers. Add a virtual server of type HTTP or SSL.
  11. After entering the server details, click OK and again OK.
  12. In the Advanced Settings section, click Policies.
  13. Go to the Policies section and click the pencil icon to configure the content inspection policy.
  14. On the Choose Policy page, select Content Inspection. Click Continue.
  15. In the Policy Binding section, click “+” to add a Content Inspection policy.
  16. In the Create CI Policy page, enter a name for the Inline content inspection policy.
  17. In the Action field, click the “+” sign to create an Inline content inspection action.
  18. In the Create CI Action page, set the following parameters.
    1. Name: Name of the Inline content inspection action.
    2. Type: Select InlineInspection.
    3. Server Name: Select the server or service name for the inline devices.
    4. If Server Down: Select the operation to perform if the server goes down.
    5. Request Time-out: Select a time-out value. The default value can be used.
    6. Request Time-out Action: Select a time-out action. The default value can be used.
  19. Click Create.
  20. In the Create CI Policy page, enter other details.
  21. Click OK and then Close.

This feature is available in the Citrix ADC 12.1 build 50.28 version. If you have an older version, install the latest version and try out the configuration.

By integrating ADC with inline devices, the appliance can offload its traffic, resulting in less CPU usage and reduced TLS/SSL processing cost. Give the configuration a try!

For more information about the complete solution, go to https://docs.citrix.com/en-us/netscaler/12-1/security/inline-device-integration-with-citrix-adc.html