- Configuring the NetScaler IP Address (NSIP)
- Configuring and Managing Virtual IP (VIP) Addresses
- Configuring ARP response Suppression for Virtual IP addresses (VIPs)
- Configuring Subnet IP Addresses (SNIPs)
- Configuring Mapped IP Addresses (MIPs)
- Configuring GSLB Site IP Addresses (GSLBIP)
- Removing a NetScaler-Owned IP Address
- Configuring Application Access Controls
Configuring Application Access Controls
Sep 30, 2015
Application access controls, also known as management access controls, form a unified mechanism for managing user authentication and implementing rules that determine user access to applications and data. You can configure MIPs and SNIPs to provide access for management applications. Management access for the NSIP is enabled by default and cannot be disabled. You can, however, control it by using ACLs.
For information about using ACLs, see Access Control Lists (ACLs).
The NetScaler appliance does not support management access to VIPs.
The following table provides a summary of the interaction between management access and specific service settings for Telnet.
| Management Access | Telnet (State Configured on the NetScaler) | Telnet (Effective State at the IP Level) |
|---|---|---|
| Enable | Enable | Enable |
| Enable | Disable | Disable |
| Disable | Enable | Disable |
| Disable | Disable | Disable |
The following table provides an overview of the IP addresses used as source IP addresses in outbound traffic.
| Application/ IP | NSIP | MIP | SNIP | VIP |
|---|---|---|---|---|
| ARP | Yes | Yes | Yes | No |
| Server side traffic | No | Yes | Yes | No |
| RNAT | No | Yes | Yes | Yes |
| ICMP PING | Yes | Yes | Yes | No |
| Dynamic routing | Yes | No | Yes | Yes |
The following table provides an overview of the applications available on these IP addresses.
| Application/ IP | NSIP | MIP | SNIP | VIP |
|---|---|---|---|---|
| SNMP | Yes | Yes | Yes | Yes |
| System access | Yes | Yes | Yes | No |
You can access and manage the NetScaler by using applications such as Telnet, SSH, GUI, and FTP.
Note: Telnet and FTP are disabled on the NetScaler for security reasons. To enable them, contact the customer support. After the applications are enabled, you can apply the controls at the IP level.
To configure the NetScaler to respond to these applications, you need to enable the specific management applications. If you disable management access for an IP address, existing connections that use the IP address are not terminated, but no new connections can be initiated.
Also, the non-management applications running on the underlying FreeBSD operating system are open to protocol attacks, and these applications do not take advantage of the NetScaler appliance's attack prevention capabilities.
You can block access to these non-management applications on a MIP, SNIP, or NSIP. When access is blocked, a user connecting to a NetScaler by using the MIP, SNIP, or NSIP is not be able to access the non-management applications running on the underlying operating system.
To configure management access for an IP address by using the command line interface
At the command prompt, type:
set ns ip
<IPAddress>
-mgmtAccess <value>
-telnet <value>
-ftp <value>
-gui <value>
-ssh <value>
-snmp <value>
-restrictAccess (ENABLED | DISABLED)
Example
> set ns ip 10.102.29.54 -mgmtAccess enabled -restrictAccess ENABLED Done
To enable management access for an IP address by using the configuration utility
- Navigate to .
- Open an IP address entry, and select the Enable Management Access control to support the below listed applications option.
Support:
https://www.citrix.com/support
Feedback and forums:
https://discussions.citrix.com