Use a specified source IP for back-end communication

For communication with the physical servers or other peer devices, the Citrix ADC appliance uses one of its own IP addresses as the source IP address. The appliance maintains a pool of its IP addresses and dynamically selects one when it connects to a server, choosing the address according to the subnet in which the physical server is placed. This address pool is used both for sending traffic and for monitor probes.

In many situations, you might want the appliance to use a specific IP address or any IP address from a specific set of IP addresses for back-end communications. The following are a few examples:

  • A server can distinguish monitor probes from traffic if the source IP address used for monitor probes belongs to a specific set.
  • To improve server security, a server might be configured to respond to requests from a specific set of IP addresses or, sometimes, from a single specific IP address. In such a case, the appliance can use only the IP addresses accepted by the server as the source IP address.
  • The appliance can manage its internal connections efficiently if it can distribute its IP addresses into IP sets and use an address from a set only for connecting to a specific service.

To configure the appliance to use a specified source IP address, create net profiles (network profiles) and configure the appliance entities to use the profile. A net profile can be bound to load balancing or content switching virtual servers, Citrix Gateway VPN virtual servers, services, service groups, or monitors. A net profile has Citrix ADC owned IP addresses (SNIPs and VIPs) that can be used as the source IP address. It can be a single IP address or a set of IP addresses, referred to as an IP set. If a net profile has an IP set, the appliance dynamically selects an IP address from the IP set at the time of connection. If a profile has a single IP address, the same IP address is used as the source IP.

If a net profile is bound to a load balancing or content switching virtual server, the profile is used for sending traffic to all the services bound to it. If a net profile is bound to a service group, the appliance uses the profile for all the members of the service group. If a net profile is bound to a monitor, the appliance uses the profile for all the probes sent from the monitor.

Note:

  • When a Citrix ADC appliance uses a VIP address to communicate with a server, it uses session entries to identify whether the traffic destined to the VIP address is a response from a server or a request from a client.

  • You can bind a net profile to Citrix Gateway VPN virtual servers. However, you need to note some points when binding a net profile. For more information, see Points to note when binding a net profile to VPN virtual server.

  • The net profile IPs bound to a service or service group are not only used for sending traffic towards the corresponding back-end servers, but also for the DNS requests that are triggered by any unresolved back-end FQDN.

Usage of a net profile for sending traffic

If the Use Source IP Address (USIP) option is enabled, the appliance uses the IP address of the client and ignores all the net profiles. If the USIP option is not enabled, the appliance selects the source IP in the following manner:

  • If there is no net profile on the virtual server or the service/service group, the appliance uses the default method.
  • If there is a net profile only on the service/service group, the appliance uses that net profile.
  • If there is a net profile only on the virtual server, the appliance uses the net profile.
  • If there is a net profile both on the virtual server and service/service group, the appliance uses the net profile bound to the service/service group.

Usage of a net profile for sending monitor probes

For monitor probes, the appliance selects the source IP in the following manner:

  • If there is a net profile bound to the monitor, the appliance uses the net profile of the monitor. It ignores the net profiles bound to the virtual server or service/service group.
  • If there is no net profile bound to the monitor,
    • If there is a net profile on the service/service group, the appliance uses the net profile of the service/service group.
    • If there is no net profile even on the service/service group, the appliance uses the default method of selecting a source IP.

Note: If there is no net profile bound to a service, the appliance looks for a net profile on the service group if the service is bound to a service group.
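As an added example (not Citrix code), the following Python model encodes the traffic and probe selection rules above so that the precedence can be checked: USIP overrides every net profile for traffic, a service or service group profile beats the virtual server profile, and a monitor profile beats everything for probes. Entity and profile names are assumed, and an IP set is represented as the resolved list of its addresses.

```python
"""Reference model of how a Citrix ADC chooses a source IP for back-end traffic
and monitor probes, following the rules on this page. Assumed names; not Citrix code."""
import random
from dataclasses import dataclass
from typing import Optional

@dataclass
class NetProfile:
    name: str
    # -srcIp on the appliance is either one owned IP or the name of an IP set;
    # this model carries the resolved list of SNIP/VIP addresses directly.
    src_ips: list

@dataclass
class Entity:
    """A virtual server, service, service group or monitor with an optional net profile."""
    name: str
    net_profile: Optional[NetProfile] = None

DEFAULT = "default-snip-pool"   # built-in selection from the appliance's own IP pool
CLIENT_IP = "client-ip"         # USIP enabled: the client's address is reused as source

def service_level_profile(service: Optional[Entity], group: Optional[Entity]) -> Optional[NetProfile]:
    """Profile on the service; if the service has none, fall back to its service group."""
    if service is not None and service.net_profile is not None:
        return service.net_profile
    if group is not None:
        return group.net_profile
    return None

def traffic_source(usip: bool, vserver: Entity, service: Optional[Entity], group: Optional[Entity] = None) -> str:
    """Source used when forwarding client traffic to a back end."""
    if usip:
        return CLIENT_IP                      # USIP ignores all net profiles
    profile = service_level_profile(service, group) or vserver.net_profile
    return profile.name if profile else DEFAULT   # service/service group wins over vserver

def probe_source(monitor: Entity, service: Optional[Entity], group: Optional[Entity] = None) -> str:
    """Source used for monitor probes; the virtual server profile never applies here."""
    profile = monitor.net_profile or service_level_profile(service, group)
    return profile.name if profile else DEFAULT

def pick_address(profile: NetProfile, rng=random) -> str:
    """A single-IP profile always yields that IP; an IP-set profile picks per connection."""
    return profile.src_ips[0] if len(profile.src_ips) == 1 else rng.choice(profile.src_ips)
```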

To use a specified source IP address for communication, go through the following steps:

  1. Create IP sets from the pool of SNIPs and VIPs owned by the Citrix ADC appliance. An IP set can consist of both SNIP and VIP addresses. For instructions, see Creating IP Sets.
  2. Create net profiles. For instructions, see Creating a Net Profile.
  3. Bind the net profiles to the appliance entities. For instructions, see Binding a Net Profile to a Citrix ADC Entity.

Note:

  • A net profile can have only the IP addresses specified as SNIP and VIP on the Citrix ADC appliance.

  • Source IP persistence is not honored for Citrix ADC initiated packets.

Manage net profiles

A net profile (or network profile) contains an IP address or an IP set. During communication with physical servers or peers, the Citrix ADC appliance uses the addresses specified in the profile as the source IP address.

Create an IP set

An IP set is a set of IP addresses that are configured on the Citrix ADC appliance as Subnet IP addresses (SNIPs) or Virtual IP addresses (VIPs). An IP set is identified by a name, so choose one that indicates how the addresses it contains are used. To create an IP set, add the IP set and then bind Citrix ADC owned IP addresses to it. SNIP addresses and VIP addresses can be present in the same IP set.

To create an IP set by using the CLI

At the command prompt, type the following commands:

add ipset <name>
bind ipset <name> <IPAddress>

Or

bind ipset <name> <IPAddress>
show ipset [<name>]

The preceding command shows the names of all the IP sets on the appliance if you do not pass any name. It shows the IP addresses bound to the specified IP set if you pass a name.

Examples

1.
> add ipset skpnwipset
 Done
> bind ipset skpnwipset 21.21.20.1
 Done

2.
> add ipset testnwipset
 Done
> bind ipset testnwipset 21.21.21.[21-25]
 IPAddress "21.21.21.21" bound
 IPAddress "21.21.21.22" bound
 IPAddress "21.21.21.23" bound
 IPAddress "21.21.21.24" bound
 IPAddress "21.21.21.25" bound
 Done

3.
> bind ipset skpipset 11.11.11.101
 ERROR: Invalid IP address
[This IP address could not be added because it is not an IP address owned by the Citrix ADC appliance]
> add ns ip 11.11.11.101 255.255.255.0 -type SNIP
 ip "11.11.11.101" added
 Done
> bind ipset skpipset 11.11.11.101
 IPAddress "11.11.11.101" bound
 Done

4.
> sh ipset
1) Name: ipset-1
2) Name: ipset-2
3) Name: ipset-3
4) Name: skpnewipset
 Done

5.
> sh ipset skpnewipset
IP:21.21.21.21
IP:21.21.21.22
IP:21.21.21.23
IP:21.21.21.24
IP:21.21.21.25
 Done

To create an IP set by using the GUI

Navigate to System > Network > IP Sets, and create an IP set.

Create a net profile

A net profile (network profile) consists of one or more SNIP or VIP addresses of the Citrix ADC appliance.

To create a net profile by using the CLI

At the command prompt, type:

add netprofile <name> [-srcIp <srcIpVal>]

If srcIpVal is not provided in this command, it can be provided later by using the set netprofile command. The value is either a single Citrix ADC owned IP address or the name of an IP set.

Examples

add netprofile skpnetprofile1 -srcIp 21.21.20.1
Done

add netprofile baksnp -srcIp bakipset
Done

set netprofile yahnp -srcIp 12.12.23.1
Done

set netprofile citkbnp -srcIp citkbipset
Done

Bind a net profile to a Citrix ADC entity

A net profile can be bound to a load balancing or content switching virtual server, a service, a service group, or a monitor.

Note: You can bind a net profile at the time of creating a Citrix ADC entity or bind it to an existing entity.

To bind a net profile to a virtual server by using the CLI

You can bind a net profile to load balancing virtual servers and content switching virtual servers. Specify the appropriate virtual server.

At the command prompt, type:

set lb vserver <name> -netProfile <net_profile_name>

Or

set cs vserver <name> -netProfile <net_profile_name>

Examples

set lb vserver skpnwvs1 -netProfile gntnp
 Done
set cs vserver mmdcsv -netProfile mmdnp
 Done

To bind a net profile to a virtual server by using the GUI

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and open the virtual server.
  2. In Advanced Settings, click Profiles, and set a net profile.

To bind a net profile to a service by using the CLI

At the command prompt, type:

set service <name> -netProfile <net_profile_name>

Example

set service brnssvc1 -netProfile brnsnp
 Done

To bind a net profile to a service by using the GUI

  1. Navigate to Traffic Management > Load Balancing > Services, and open a service.
  2. In Advanced Settings, click Profiles, and set a net profile.

To bind a net profile to a service group by using the CLI

At the command prompt, type:

set servicegroup <serviceGroupName> -netProfile <net_profile_name>

Example

set servicegroup ndhsvcgrp -netProfile ndhnp
 Done

To bind a net profile to a service group by using the GUI

  1. Navigate to Traffic Management > Load Balancing > Service Groups, and open a service group.
  2. In Advanced Settings, click Profiles, and set a net profile.

To bind a net profile to a monitor by using the CLI

At the command prompt, type:

set monitor <monitor_name> -netProfile <net_profile_name>

Example

set monitor brnsecvmon1 -netProfile brnsmonnp
 Done

To bind a net profile to a monitor by using the GUI

  1. Navigate to Traffic Management > Load Balancing > Monitors.
  2. Open a monitor, and set the net profile.