Securing applications in a U.S. Department of Defense (DoD) or any government agency in a cloud environment is a tall order. Our DoD customers must adhere to Secure Cloud Computing Architecture (SCCA) guidelines, which dictate the requirements for protecting the Defense Information System Network (DISN) and the commercial cloud services they use, while striking the right balance among performance, security, and cost.

Citrix ADC, VPX edition, is a component of a Microsoft solution called Secure Azure Computing Architecture (SACA) that supports the SCCA guidelines. This architecture plays a critical role in providing security features like SSL termination and web application firewall (WAF) that guard against attacks such as application-layer and zero-day threats.

Architecture Overview

The diagram below illustrates the reference architecture for deploying the services and appliances outlined in the solution. The three main components of the SCCA — the Boundary Cloud Access Point (BCAP), Virtual Datacenter Security Stack (VDSS), and Virtual Datacenter Services (VDMS) — are depicted under Boundary VNet.

Citrix ADC Deployment Made Simple

In the past, deploying Citrix ADC within SCCA guidelines was a complex and time-consuming process. We have developed an Azure Resource Manager (ARM) solution template to simplify configuration of secure virtual networks, security tools, and services to meet Azure-specific SCCA requirements. The new template automates the deployment of the VDSS, BCAP, and VDMS components, which include Citrix ADC in active-passive mode for redundancy on both the external and internal subnets, as seen in the diagram above.

With the ARM template, the entire deployment process takes just 15 minutes. It takes care of deploying the VNet, the various subnets, the jump boxes, and the user-defined routes (UDRs), which would take hours or days to do manually.

And the template is customizable to fit the needs and environments of different customers. For example, we have used a Linux box as the IPS, which can be replaced by a customer-specific solution.

Protect Applications from a Wide Range of Attack Vectors

To reach a web resource on the DISN after the deployment is complete, user or client traffic first hits the external primary Citrix ADC. There, the SSL connections are terminated and decrypted, and the decrypted traffic is sent over ICAP to the IPS for inspection. Azure UDRs send application traffic through the Citrix ADCs with the original client IP intact, helping admins identify the origins of heavy use and/or malicious activity.
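The routing guarantee described in the deployment and traffic-flow paragraphs above (UDRs that force every application subnet's traffic through the Citrix ADC, so that nothing reaches the DISN uninspected) depends on three ARM template properties that are easy to break in a later edit: the subnet must reference a route table, that table's default route must use `nextHopType` `VirtualAppliance` pointing at the ADC, and the ADC's NIC must have `enableIPForwarding` set. The following is an added example, not Citrix's or Microsoft's code, that audits a trimmed ARM-style `resources` array for those properties. The resource names, addresses and the template fragment itself are constructed for the demonstration; the resource types and property names are the standard `Microsoft.Network` ones.

```python
"""Audit an ARM template for forced routing through the ADC (added example).

For each subnet in each virtual network, report "ok" only when the subnet's
route table has a 0.0.0.0/0 route whose next hop is a VirtualAppliance address
belonging to a NIC with IP forwarding enabled. Anything else means traffic can
leave (or enter) the subnet without passing the ADC and its WAF/IPS chain.
"""
import ipaddress
import json

NIC = "Microsoft.Network/networkInterfaces"
ROUTE_TABLE = "Microsoft.Network/routeTables"
VNET = "Microsoft.Network/virtualNetworks"


def _route_table_ref(name):
    # Same expression an ARM template uses to reference a sibling resource.
    return f"[resourceId('{ROUTE_TABLE}', '{name}')]"


def _route(name, prefix, hop_type, hop_ip=None):
    props = {"addressPrefix": prefix, "nextHopType": hop_type}
    if hop_ip:
        props["nextHopIpAddress"] = hop_ip
    return {"name": name, "properties": props}


# Constructed, trimmed "resources" array: one ADC NIC, two route tables, one VNet.
SAMPLE_TEMPLATE = {"resources": [
    {"type": NIC, "name": "adc-internal-nic", "properties": {
        "enableIPForwarding": True,
        "ipConfigurations": [{"properties": {"privateIPAddress": "10.0.2.10"}}]}},
    {"type": ROUTE_TABLE, "name": "rt-app-via-adc", "properties": {
        "routes": [_route("default-to-adc", "0.0.0.0/0", "VirtualAppliance", "10.0.2.10")]}},
    {"type": ROUTE_TABLE, "name": "rt-bypass", "properties": {
        "routes": [_route("default-internet", "0.0.0.0/0", "Internet")]}},
    {"type": VNET, "name": "boundary-vnet", "properties": {"subnets": [
        {"name": "app-subnet-a", "properties": {
            "addressPrefix": "10.0.10.0/24",
            "routeTable": {"id": _route_table_ref("rt-app-via-adc")}}},
        {"name": "app-subnet-b", "properties": {
            "addressPrefix": "10.0.11.0/24",
            "routeTable": {"id": _route_table_ref("rt-bypass")}}},
        {"name": "app-subnet-c", "properties": {"addressPrefix": "10.0.12.0/24"}},
    ]}},
]}


def _resources(template, rtype):
    return [r for r in template["resources"] if r["type"] == rtype]


def appliance_addresses(template):
    """Private IPs of NICs with IP forwarding on: the only valid VirtualAppliance next hops."""
    addrs = set()
    for nic in _resources(template, NIC):
        if nic["properties"].get("enableIPForwarding"):
            for cfg in nic["properties"].get("ipConfigurations", []):
                ip = cfg["properties"].get("privateIPAddress")
                if ip:
                    addrs.add(ip)
    return addrs


def _table_name_from_ref(ref_id):
    # Accepts the "[resourceId('...routeTables', 'name')]" expression or a literal
    # resource ID ending in ".../routeTables/name".
    if ref_id.startswith("[resourceId("):
        return ref_id.rstrip("]").rstrip(")").split(",")[-1].strip().strip("'")
    return ref_id.rstrip("/").split("/")[-1]


def _default_route(table):
    for route in table["properties"].get("routes", []):
        props = route["properties"]
        if ipaddress.ip_network(props["addressPrefix"], strict=False).prefixlen == 0:
            return props
    return None


def audit_subnets(template, appliance_ips=None):
    """Return {subnet_name: finding}; "ok" means the default route is forced through an ADC NIC."""
    if appliance_ips is None:
        appliance_ips = appliance_addresses(template)
    tables = {t["name"]: t for t in _resources(template, ROUTE_TABLE)}
    findings = {}
    for vnet in _resources(template, VNET):
        for subnet in vnet["properties"].get("subnets", []):
            name, props = subnet["name"], subnet["properties"]
            ref = props.get("routeTable", {}).get("id")
            if ref is None:
                findings[name] = "no route table: subnet follows Azure system routes and bypasses the ADC"
                continue
            table = tables.get(_table_name_from_ref(ref))
            if table is None:
                findings[name] = "route table referenced but not defined in the template"
                continue
            default = _default_route(table)
            if default is None:
                findings[name] = "no default route (0.0.0.0/0): outbound traffic bypasses the ADC"
            elif default["nextHopType"] != "VirtualAppliance":
                findings[name] = f"default route next hop is {default['nextHopType']}, not VirtualAppliance"
            elif default.get("nextHopIpAddress") not in appliance_ips:
                findings[name] = (f"default route points at {default.get('nextHopIpAddress')}, "
                                  "which is not an ADC NIC with IP forwarding enabled")
            else:
                findings[name] = "ok"
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_subnets(SAMPLE_TEMPLATE), indent=2))
```

Run against the constructed template, `app-subnet-a` passes, `app-subnet-b` is flagged because its default route goes straight to `Internet`, and `app-subnet-c` is flagged because it has no route table at all. Because the UDR next hop is the ADC's own NIC address rather than a load balancer, Azure does not rewrite the source address on the way in, which is why the ADC sees the original client IP the paragraph above mentions; the same audit can be pointed at the exported template of a deployed resource group to catch drift after the initial 15-minute deployment.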

Citrix ADC provides application security ranging from WAF capabilities that protect applications against common attack vectors such as SQL injection, CSRF, and XSS, to DoS and DDoS defense and bot management, as well as protection against more advanced attacks that are extremely sophisticated and difficult to detect.

The traffic flow through the SACA architecture is shown below.

Check out how to enable WAF on Citrix ADC and deploy Citrix ADC using our ARM template.

And that’s not all. We also recommend you use Citrix Application Delivery Management (ADM) as a single pane of glass to manage all your Citrix ADC resources, to scale Citrix ADCs in and out, to move licenses from on-premises to the cloud using a flexible pooled-capacity license model, and for analytics and orchestration.

Learn more about Citrix ADC on Azure, Citrix ADM, and pooled-capacity licensing.