MPX for DMZ and LAN - traffic isolation

Started by Stefan Wendrich , 16 March 2017 - 12:01 PM
1 reply to this topic

Stefan Wendrich (Members, 250 posts)

Posted 16 March 2017 - 12:01 PM

Hello,

we want to use a NetScaler MPX 8005 for both DMZ and LAN traffic. But it's important that no traffic from the DMZ to the LAN flows directly through the NetScaler. So all traffic which comes from the DMZ and wants to reach backend services in the LAN should go through its routing table and flow through the firewall.

Traffic which comes directly from the LAN should not reach vservers in the DMZ.

What's the best way to achieve this? Traffic domains? Any configuration guides for this scenario?



Johannes Norz (Members, 566 posts)

Posted 16 March 2017 - 12:26 PM

Use an admin partition. Admin partitions look and feel like separate NetScalers. Every admin partition gets its own config file, its own users, its own certificates (stored in /flash/nsconfig/partitions/<partition name>).

Remember, many features are missing from admin partitions, features like WAF and VPN, so you will place this NetScaler into the DMZ and the admin partition into the LAN.

There is a strict isolation of traffic; however, this is only true as long as the NetScaler OS is not compromised.

Best

Johannes

https://blog.norz.at
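As an added configuration sketch (not from either poster), this is one way to apply the answer above on the NetScaler CLI: the default partition keeps the DMZ VLAN, and a new partition is given the LAN VLAN so the two never share a forwarding domain inside the appliance. The partition name, VLAN ID, interface, address and resource limits are assumptions, not values from the thread.

```text
# Constructed example: one admin partition named "lan" beside the default
# partition, which continues to serve the DMZ. All values are placeholders.

# Create the partition with memory/connection/bandwidth caps so LAN workloads
# cannot starve the DMZ side (limits are assumed values).
add ns partition lan -maxMemLimit 1024 -maxConn 100000 -maxBandwidth 1000000

# Dedicate a VLAN to the partition. A VLAN bound to an admin partition is no
# longer usable by the default partition, which is what keeps LAN and DMZ
# interfaces apart at layer 2.
add vlan 200
bind vlan 200 -ifnum 1/2
bind ns partition lan -vlan 200

# Give the LAN side its own administrator, scoped to that partition only.
add system user lanadmin <password>
bind system user lanadmin -partitionName lan

# Switch into the partition; everything configured from here (SNIP, vservers,
# certificates) lives in that partition's own config and certificate store.
switch ns partition lan
add ns ip 10.20.0.5 255.255.255.0 -type SNIP
```

From the default partition, `show ns partition` lists the partitions and their bound VLANs; the check worth doing after this is confirming the DMZ VLAN is bound to neither `lan` nor any other non-default partition.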