Where to securely deploy Citrix Netscaler?

Server Fault Asked by user54507 on February 4, 2021

We are currently using Citrix Netscaler to provide users with Virtual Desktops.
Netscaler is located in the DMZ and is reachable from the whole internet. Unfortunately, Netscaler has access to LDAP (to authenticate users) and to the Citrix Desktop Servers (for Virtual Desktops) that are located in the LAN. IMO it is not very secure, and in such a case the DMZ loses its point, since normally no traffic should be flowing from the DMZ to the LAN. If Netscaler gets compromised, an attacker would easily gain further access to the whole LAN afterwards.

What are your thoughts/opinions?
Are there any other approaches for where to better place those components?
Maybe there are some Citrix recommendations about this?

One Answer

You simply cannot deploy a Citrix Netscaler without access to the LAN behind it... Remember that you want to securely give your users access to Virtual Desktops, so the Netscaler must be able to forward traffic to the hosted servers!

Of course, you could cut off LDAP authentication and establish some other sort of authentication server (the Netscaler / VPX instance has such options). But from my point of view, this makes no sense and creates a lot of work afterwards.

The only thing that makes sense is to move the Netscaler, the LDAP server (probably a Windows domain controller) and the Windows Terminal Servers to their own dedicated LAN (VLAN), so that they are separated from the rest of your network. And you can deploy a firewall between the Netscaler and your hosted servers, since the ports in use are well known...

[Edit] In response to the comment below:

  • A VPN in front of the Netscaler gets you nowhere - from the attacker's point of view, it doesn't matter whether he attacks IP a.b.c.d or IP e.f.g.h ...
  • 2FA is possible and supported by Citrix; this is definitely an option for increased security. Just remember that your users need to enter the 2FA every time they log in, so this might create some "annoyance"...
  • In your Virtual Desktop deployment, you are able to define a group of users which are allowed to access the deployment - so you are able to define a group which does not contain any Domain Admin. It is a good idea to disallow Domain Admins from logging in from outside...
  • Don't forget the firewall! If your Netscaler gets compromised, the firewall is your first line of defence!

Answered by Martin on February 4, 2021
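The firewall the answer recommends between the Netscaler and the hosted servers, as an added example that is not part of the original question or answer: a default-deny nftables forward policy in which only the Netscaler may initiate DMZ-to-LAN connections, and only to the servers and ports it actually needs. Interface names and addresses are placeholders, and the port list (ICA 1494, CGP 2598, HTTPS 443 to StoreFront/Delivery Controllers, LDAPS 636) assumes a standard Citrix build; adjust both to your own deployment.

```nft
# Added example (not from the original answer): firewall between the DMZ
# holding the Netscaler and the LAN holding the Citrix servers and the LDAP
# domain controllers. All addresses and interface names are placeholders.
define DMZ_IF    = "eth1"
define LAN_IF    = "eth2"
define NETSCALER = 192.0.2.10                 # Netscaler subnet IP (placeholder)
define VDA_HOSTS = { 10.0.10.0/24 }           # Virtual Desktop / Terminal Servers (placeholder)
define BROKERS   = { 10.0.20.5, 10.0.20.6 }   # StoreFront / Delivery Controllers (placeholder)
define DCS       = { 10.0.30.1, 10.0.30.2 }   # Domain controllers answering LDAPS (placeholder)

table inet dmz_to_lan {
    chain forward {
        # Default deny: nothing crosses DMZ -> LAN unless explicitly listed below
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # ICA / session reliability from the Netscaler to the desktop hosts only
        iifname $DMZ_IF oifname $LAN_IF ip saddr $NETSCALER ip daddr $VDA_HOSTS \
            tcp dport { 1494, 2598 } accept

        # HTTPS to the brokers (StoreFront / Delivery Controller) only
        iifname $DMZ_IF oifname $LAN_IF ip saddr $NETSCALER ip daddr $BROKERS \
            tcp dport 443 accept

        # LDAPS to the domain controllers only; plain LDAP (389) is deliberately absent
        iifname $DMZ_IF oifname $LAN_IF ip saddr $NETSCALER ip daddr $DCS \
            tcp dport 636 accept

        # Anything else initiated from the DMZ is logged and dropped; a hit here
        # is exactly the signal you want if the Netscaler has been compromised
        iifname $DMZ_IF oifname $LAN_IF log prefix "DMZ->LAN denied: " drop
    }
}
```

Load it with `nft -f <file>` on the firewall host and watch the kernel log for the "DMZ->LAN denied" prefix; any entry means the Netscaler (or something in the DMZ) tried to reach a host or port outside the allow-list.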
