Inline device integration with Citrix ADC

Security devices such as an Intrusion Prevention System (IPS) and a Next Generation Firewall (NGFW) protect servers from network attacks. These devices are deployed in layer 2 inline mode, and their primary function is to protect servers from network attacks and report security threats on the network. To prevent threats and provide advanced security protection, a Citrix ADC appliance is integrated with one or more inline devices. An inline device can be any security device, such as an IPS or NGFW. The following use cases benefit from integrating inline devices with a Citrix ADC appliance:

  • Inspecting encrypted traffic. Most IPS and NGFW appliances bypass encrypted traffic, thereby leaving servers vulnerable to attacks. A Citrix ADC appliance can decrypt traffic and send it to inline devices for inspection. This enhances the customer's network security.
  • Offloading inline devices from TLS/SSL processing. TLS/SSL processing is expensive and can result in high system CPU on IPS or NGFW appliances if they decrypt the traffic. As encrypted traffic grows at a fast pace, these systems fail to decrypt and inspect it. Citrix ADC offloads TLS/SSL processing from the inline devices, so the inline devices can inspect a higher volume of traffic.
  • Load balancing inline devices. The Citrix ADC appliance load balances multiple inline devices when there is a high volume of traffic.
  • Smart selection of traffic. Not every packet flowing into the appliance needs content inspection (for example, downloads of text files). You can configure the Citrix ADC appliance to select specific traffic (for example, .exe files) for inspection and send only that traffic to the inline devices for processing.

How Citrix ADC is integrated with inline devices

The following diagram shows how a Citrix ADC is integrated with inline security devices.

Figure: Inline device integration

When you integrate inline devices with a Citrix ADC appliance, the components interact as follows:

  1. A client sends a request to the Citrix ADC appliance.
  2. The appliance receives the request and sends it to an inline device based on policy evaluation. Note: If there are two or more inline devices, the appliance load balances the traffic across the devices. If the incoming traffic is encrypted, the appliance decrypts the data and sends it as plain text to the inline device for content inspection.
  3. The inline device inspects the data for threats and decides whether to drop, reset, or send the data back to the appliance.
  4. If there are security threats, the device modifies the data and sends it to the appliance.
  5. The Citrix ADC in turn re-encrypts the data and forwards the request to the back-end server.
  6. The back-end server sends the response to the Citrix ADC appliance.
  7. The appliance again decrypts the data and sends it to the inline device for inspection.
  8. The appliance re-encrypts the data and sends the response to the client.

Software licensing

To deploy the inline device integration, your Citrix ADC appliance must be provisioned with one of the following licenses:

  1. ADC Platinum
  2. ADC Enterprise
  3. Telco Advanced
  4. Telco Premium
  5. SWG license

Configuring inline device integration

You can configure a Citrix ADC appliance with an inline device in three different ways. The configuration scenarios are described below.

Scenario 1 for using a single inline device

To integrate a security device (IPS or NGFW) in inline mode, first enable the Content Inspection feature and enable MBF (MAC-based forwarding) mode globally on the Citrix ADC. Then add a Content Inspection profile, add a Content Inspection action that sends traffic to the inline device (which can reset, block, or drop the traffic based on its inspection), and add a Content Inspection policy that selects the subset of traffic to send to the inline device. Next, configure the load balancing virtual server with the layer 2 connection enabled. Finally, bind the Content Inspection policy to the load balancing virtual server.

Figure: Using a single inline device

Enable MBF (MAC-based forwarding) mode

If you want the Citrix ADC appliance to be integrated with inline devices such as an IPS or a firewall, you must enable this mode. For more information about MBF, see the Configure MAC-based Forwarding topic.

At the command prompt, type:

enable ns mode mbf

Enable Content Inspection

If you want the Citrix ADC appliance to decrypt traffic and then send the content to the inline devices for inspection, you must enable the Content Inspection and load balancing features. At the command prompt, type:

enable ns feature contentInspection LoadBalancing

Add Content Inspection profile for service

The inline device configuration for a Citrix ADC appliance is specified in an entity called a Content Inspection profile. The profile is a collection of settings that describe how to integrate with an inline device.

At the command prompt, type:

add contentInspection profile <name> -type InlineInspection -egressInterface <interface_name> -ingressInterface <interface_name> [-egressVlan <positive_integer>] [-ingressVlan <positive_integer>]

Example:

add contentInspection profile Inline_profile1 -type InlineInspection -ingressInterface "1/2" -egressInterface "1/3"

Add IPS-TCP monitor (optional)

If you want to configure monitors, first decide whether to use a built-in monitor or to add a TCP monitor. Note: You cannot delete or modify default monitors. When you bind any other monitor to a TCP service, you must unbind the default monitor from the service. Also, because the monitor is bound to a transparent device such as a firewall, enable the transparent option on any monitor you add. At the command prompt, type:

add lb monitor <monitorName> <type> [-destIP <ip_addr|ipv6_addr>] [-destPort <port>] [-transparent ( YES | NO )]

Example:

add lb monitor ips_tcp TCP -destIP 192.168.10.2 -destPort 80 -transparent YES

Add service

You must add a service for each inline device to which the appliance is integrated. The service provides the device configuration details and represents the inline device from this point on. At the command prompt, type:

add service <Service_name> <IP> TCP <Port> -contentInspectionProfileName <Name> -healthMonitor OFF -usip ON -useproxyport OFF

Example:

add service Inline_service1 10.102.29.200 TCP * -contentInspectionProfileName Inline_profile1 -healthMonitor OFF -usip ON -useproxyport OFF

Bind service to TCP monitor (optional)

You must bind the service to the TCP monitor. At the command prompt, type:

bind service <name>@ (-policyName <string> | (-monitorName <string>@ [-monState ( ENABLED | DISABLED )] [-weight <positive_integer>] [-passive]))

Example:

bind service ips_svc -monitorName ips_tcp

Add Content Inspection action for service

After you enable the Content Inspection feature and add the inline profile and service, you must add the Content Inspection action for handling the request. Based on the Content Inspection action, the inline device can drop, reset, or block the traffic after it has inspected the data.

At the command prompt, type:

add contentInspection action <name> -type <type> (-serverName <string> | (-serverip <ip_addr|ipv6_addr> [-serverport <positive_integer>])) [-icapProfileName <string>] [-ifserverdown <ifserverdown>] [-reqTimeout <positive_integer>] [-reqTimeoutAction <reqTimeoutAction>]

For an inline device, the form is:

add contentInspection action <action_name> -type InlineINSPECTION -serverName <Service_name|Vserver_name>

Example:

add contentInspection action Inline_action -type InlineINSPECTION -serverName Inline_service1

Add content inspection policy for inspection

After you create a Content Inspection action, you must add a Content Inspection policy to evaluate requests for inspection. The policy is based on a rule that consists of one or more expressions. The policy evaluates the rule and selects the matching traffic for inspection.

At the command prompt, type:

add contentInspection policy <policy_name> -rule <Rule> -action <action_name>

Example:

add contentInspection policy Inline_pol1 -rule true -action Inline_action

Add content switching or load balancing virtual server of type HTTP/SSL

To receive the web traffic, you must add a load balancing virtual server. You must also enable the layer 2 connection (-l2Conn) on the virtual server.

At the command prompt, type:

add lb vserver <name> <serviceType> <IPAddress> <port> -l2Conn ON

Example:

add lb vserver HTTP_vserver HTTP 10.102.29.200 8080 -l2Conn ON

Bind Content Inspection policy to content switching virtual server or load balancing virtual server of type HTTP/SSL

You must bind the Content Inspection policy to the load balancing virtual server or content switching virtual server of type HTTP/SSL. At the command prompt, type:

bind lb vserver <vserver_name> -policyName <policy_name> -priority <priority> -type REQUEST

Example:

bind lb vserver HTTP_vserver -policyName Inline_pol1 -priority 100 -type REQUEST

Scenario 2: Load balancing multiple inline devices using dedicated interfaces

If you are using two or more inline devices, you must load balance the devices using different Content Inspection services in a dedicated VLAN setup. In this case, the Citrix ADC appliance load balances the devices and sends a subset of the traffic to each device through a dedicated interface. For the basic configuration steps, refer to scenario 1.

Figure: Inline device integration using dedicated VLAN

Add content inspection profile1 for service1

The inline configuration for a Citrix ADC appliance is specified in an entity called a Content Inspection profile. The profile is a collection of device settings. Content Inspection profile1 is created for inline service 1, and the communication is through the dedicated interfaces 1/2 and 1/3.

At the command prompt, type:

add contentInspection profile <name> -type InlineInspection -egressInterface <interface_name> -ingressInterface <interface_name> [-egressVlan <positive_integer>] [-ingressVlan <positive_integer>]

Example:

add contentInspection profile Inline_profile1 -type InlineInspection -ingressInterface "1/2" -egressInterface "1/3"

Add content inspection profile2 for service2

Content Inspection profile2 is added for service2, and the inline device communicates with the appliance through the dedicated interfaces 1/4 and 1/5. At the command prompt, type:

add contentInspection profile <name> -type InlineInspection -egressInterface <interface_name> -ingressInterface <interface_name> [-egressVlan <positive_integer>] [-ingressVlan <positive_integer>]

Example:

add contentInspection profile Inline_profile2 -type InlineInspection -ingressInterface "1/4" -egressInterface "1/5"

Add service 1 for inline device 1

After you enable the Content Inspection feature and add the inline profile, you must add inline service 1 for inline device 1 so that it can be part of the load balancing setup. The service that you add provides all the inline configuration details.

At the command prompt, type:

add service <Service_name_1> <Pvt_IP1> TCP * -contentInspectionProfileName <Inline_Profile_1> -healthMonitor OFF -usip ON -useproxyport OFF

Example:

add service Inline_service1 10.102.29.200 TCP 80 -contentInspectionProfileName Inline_profile1 -healthmonitor OFF -usip ON -useproxyport OFF

Add service 2 for inline device 2

After you enable the Content Inspection feature and add the inline profile, you must add inline service 2 for inline device 2. The service that you add provides all the inline configuration details.

At the command prompt, type:

add service <Service_name_2> <Pvt_IP2> TCP * -contentInspectionProfileName <Inline_Profile_2> -healthMonitor OFF -usip ON -useproxyport OFF

Example:

add service Inline_service2 10.29.20.205 TCP 80 -contentInspectionProfileName Inline_profile2 -healthMonitor OFF -usip ON -useproxyport OFF

Add load balancing virtual server

After you have added the inline profile and the services, you must add a load balancing virtual server for load balancing the services.

At the command prompt, type:

add lb vserver <vserver_name> TCP <Pvt_IP3> <port>

Example:

add lb vserver lb-Inline_vserver TCP *

Bind service 1 to the load balancing virtual server

After you add the load balancing virtual server, bind it to the first service.

At the command prompt, type:

bind lb vserver <Vserver_name> <Service_name_1>

Example:

bind lb vserver lb-Inline_vserver Inline_service1

Bind service 2 to the load balancing virtual server

After you add the load balancing virtual server, bind it to the second service.

At the command prompt, type:

bind lb vserver <Vserver_name> <Service_name_2>

Example:

bind lb vserver lb-Inline_vserver Inline_service2

Add content inspection action for the service

After you enable the Content Inspection feature, you must add the Content Inspection action for handling the inline request. Based on the selected action, the inline device drops, resets, or blocks the traffic after it has examined the given subset of traffic.

At the command prompt, type:

add contentInspection action <name> -type <type> (-serverName <string> | (-serverip <ip_addr|ipv6_addr> [-serverport <positive_integer>])) [-icapProfileName <string>] [-ifserverdown <ifserverdown>] [-reqTimeout <positive_integer>] [-reqTimeoutAction <reqTimeoutAction>]

For an inline device, the form is:

add contentInspection action <action_name> -type InlineINSPECTION -serverName <Service_name|Vserver_name>

Example:

add contentInspection action Inline_action -type InlineINSPECTION -serverName lb-Inline_vserver

Add content inspection policy for inspection

After you create a Content Inspection action, you must add a Content Inspection policy to evaluate requests for the service. The policy is based on a rule that consists of one or more expressions. The rule is associated with a Content Inspection action, which is applied when a request matches the rule.

At the command prompt, type the following:

add contentInspection policy <policy_name> -rule <Rule> -action <action_name>

Example:

add contentInspection policy Inline_pol1 -rule true -action Inline_action

Add content switching or load balancing virtual server of type HTTP/SSL

Add a content switching or load balancing virtual server to accept web traffic. You must also enable the layer 2 connection (-l2Conn) on the virtual server. For more information about load balancing, refer to the How load balancing works topic.

At the command prompt, type:

add lb vserver <name> <serviceType> <IPAddress> <port> -l2Conn ON

Example:

add lb vserver http_vserver HTTP 10.102.29.200 8080 -l2Conn ON

Bind Content Inspection policy to load balancing virtual server of type HTTP/SSL

You must bind the Content Inspection policy to the content switching or load balancing virtual server of type HTTP/SSL.

At the command prompt, type the following:

bind lb vserver <vserver_name> -policyName <policy_name> -priority <priority> -type <L7InlineREQUEST | L4Inline-REQUEST>

Example:

bind lb vserver http_vserver -policyName Inline_pol1 -priority 100 -type REQUEST

Scenario 3: Load balancing multiple inline devices using shared interfaces

Refer to this configuration if you are using multiple inline devices and want to load balance them using different services on shared VLAN interfaces. This configuration is similar to scenario 2; for the basic configuration, refer to scenario 2.

Figure: Load balancing multiple inline devices using shared VLAN

Bind VLAN A with sharing option enabled

At the command prompt, type the following:

bind vlan <id> -ifnum <interface> -tagged

Example:

bind vlan 100 -ifnum 1/2 -tagged

Bind VLAN B with sharing option enabled

At the command prompt, type the following:

bind vlan <id> -ifnum <interface> -tagged

Example:

bind vlan 200 -ifnum 1/3 -tagged

Bind VLAN C with sharing option enabled

At the command prompt, type the following:

bind vlan <id> -ifnum <interface> -tagged

Example:

bind vlan 300 -ifnum 1/2 -tagged

Bind VLAN D with sharing option enabled

At the command prompt, type the following:

bind vlan <id> -ifnum <interface> -tagged

Example:

bind vlan 400 -ifnum 1/3 -tagged

Add content inspection profile1 for service1

The inline configuration for a Citrix ADC appliance is specified in an entity called a Content Inspection profile. The profile is a collection of device settings. Content Inspection profile1 is created for inline service 1, and the communication is through the shared interfaces 1/2 and 1/3, separated from the other device by VLAN.

At the command prompt, type:

add contentInspection profile <name> -type InlineInspection -egressInterface <interface_name> -ingressInterface <interface_name> [-egressVlan <positive_integer>] [-ingressVlan <positive_integer>]

Example:

add contentInspection profile Inline_profile1 -type InlineInspection -ingressInterface "1/2" -egressInterface "1/3" -egressVlan 100 -ingressVlan 300

Add content inspection profile2 for service2

Content Inspection profile2 is added for service2, and the inline device communicates with the appliance through the same shared interfaces 1/2 and 1/3, on its own VLANs.

At the command prompt, type:

add contentInspection profile <name> -type InlineInspection -egressInterface <interface_name> -ingressInterface <interface_name> [-egressVlan <positive_integer>] [-ingressVlan <positive_integer>]

Example:

add contentInspection profile Inline_profile2 -type InlineInspection -ingressInterface "1/2" -egressInterface "1/3" -egressVlan 200 -ingressVlan 400
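The three CLI scenarios above form one dependency chain (mode and feature, profile, service, action, policy, vserver binding) in which a single wrong reference or a forgotten -l2Conn ON silently leaves traffic uninspected. The following added consistency check is not Citrix code: it parses a saved config in the command forms shown on this page (a simplified tokenizer, an assumption) over a constructed sample in the scenario 3 shape and reports broken links in that chain, including two profiles that share an interface without distinct VLANs.

```python
import shlex
# Constructed sample config (scenario 3 shape: two inline devices behind one TCP lb vserver,
# both profiles on interfaces 1/2 and 1/3 but on distinct VLANs). Not a dump from a real appliance.
SAMPLE_CONFIG = """
enable ns mode mbf
enable ns feature contentInspection LoadBalancing
add contentInspection profile Inline_profile1 -type InlineInspection -ingressInterface 1/2 -egressInterface 1/3 -egressVlan 100 -ingressVlan 300
add contentInspection profile Inline_profile2 -type InlineInspection -ingressInterface 1/2 -egressInterface 1/3 -egressVlan 200 -ingressVlan 400
add service Inline_service1 10.102.29.200 TCP 80 -contentInspectionProfileName Inline_profile1 -healthMonitor OFF -usip ON -useproxyport OFF
add service Inline_service2 10.29.20.205 TCP 80 -contentInspectionProfileName Inline_profile2 -healthMonitor OFF -usip ON -useproxyport OFF
add lb vserver lb-Inline_vserver TCP *
add contentInspection action Inline_action -type InlineINSPECTION -serverName lb-Inline_vserver
add contentInspection policy Inline_pol1 -rule true -action Inline_action
add lb vserver http_vserver HTTP 10.102.29.200 8080 -l2Conn ON
bind lb vserver http_vserver -policyName Inline_pol1 -priority 100 -type REQUEST
"""

def parse_line(line):
    """Split one CLI line into positional tokens and a dict of -options (option names lower-cased)."""
    toks, pos, opts, i = shlex.split(line), [], {}, 0
    while i < len(toks):
        if toks[i].startswith("-") and len(toks[i]) > 1:
            has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
            opts[toks[i][1:].lower()] = toks[i + 1] if has_val else True
            i += 2 if has_val else 1
        else:
            pos.append(toks[i]); i += 1
    return pos, opts

def audit(config):
    """Return findings; an empty list means the inline-inspection chain is consistent."""
    f, enabled, objs, binds = [], set(), {}, []
    for line in filter(str.strip, config.splitlines()):
        pos, o = parse_line(line)
        head = " ".join(pos[:3]).lower()
        if head in ("enable ns mode", "enable ns feature"): enabled.update(f"{pos[2]} {p}".lower() for p in pos[3:])
        elif head.startswith("add service"): objs[("service", pos[2])] = o
        elif head == "bind lb vserver" and "policyname" in o: binds.append((pos[3], o))
        elif head.startswith("add "): objs[(head[4:], pos[3])] = o  # profile, action, policy, lb vserver
    for need in ("mode mbf", "feature contentinspection"):
        if need not in enabled: f.append(f"missing: enable ns {need}")
    seen = {}  # (direction, interface, vlan) -> profile; two profiles must not share one path
    for (kind, name), o in objs.items():
        if kind == "contentinspection profile":
            for d in ("egress", "ingress"):
                path = (d, o.get(d + "interface"), o.get(d + "vlan"))
                if path in seen: f.append(f"profiles {seen[path]} and {name} share {d} path {path[1:]}")
                seen[path] = name
        elif kind == "service" and "contentinspectionprofilename" in o:
            if ("contentinspection profile", o["contentinspectionprofilename"]) not in objs:
                f.append(f"service {name}: unknown profile {o['contentinspectionprofilename']}")
        elif kind == "contentinspection action" and o.get("type", "").lower() == "inlineinspection":
            if ("service", o.get("servername")) not in objs and ("lb vserver", o.get("servername")) not in objs:
                f.append(f"action {name}: -serverName {o.get('servername')} is neither a service nor an lb vserver")
        elif kind == "contentinspection policy" and ("contentinspection action", o.get("action")) not in objs:
            f.append(f"policy {name}: unknown action {o.get('action')}")
    for vs, o in binds:
        if objs.get(("lb vserver", vs), {}).get("l2conn", "").upper() != "ON":
            f.append(f"vserver {vs}: -l2Conn ON is required for inline inspection")
    return f
```

Run audit() over the output of `show ns runningConfig` saved to a file; the scenario 2 layout (dedicated interfaces, no VLANs) passes the same checks.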

Configure inline service integration using the Citrix ADC GUI

  1. Navigate to Security > Content Inspection > ContentInspection Profiles.
  2. In the ContentInspection Profile page, click Add.
  3. In the Create ContentInspectionProfile page, set the following parameters.

    1. Profile Name. Name of the content inspection profile.
    2. Type. Select the profile type InlineInspection.
    3. Egress Interface. The interface through which traffic is sent from the Citrix ADC to the inline device.
    4. Ingress Interface. The interface through which traffic is received from the inline device by the Citrix ADC.
    5. Egress VLAN. The VLAN ID on the interface through which traffic is sent to the inline device (if configured).
    6. Ingress VLAN. The VLAN ID on the interface through which traffic is received from the inline device by the Citrix ADC (if configured).
  4. Click Create.
  5. Navigate to Load Balancing > Services and click Add.
  6. In the Services page, enter the content inspection service details.
  7. In the Advanced Settings section, click Profiles.
  8. Go to the Profiles section and click the Pencil icon to add the Inline content inspection profile.
  9. Click OK.
  10. Navigate to Load Balancing > Servers. Add a virtual server of type HTTP or SSL.
  11. After entering the server details, click OK and again OK.
  12. In the Advanced Settings section, click Policies.
  13. Go to the Policies section and click the Pencil icon to configure a content inspection policy.
  14. On the Choose Policy page, select Content Inspection. Click Continue.
  15. In the Policy Binding section, click “+” to add a Content Inspection policy.
  16. In the Create CI Policy page, enter a name for the Inline content inspection policy.
  17. In the Action field, click the “+” sign to create an Inline content inspection action.
  18. In the Create CI Action page, set the following parameters.

    1. Name. Name of the Inline content inspection action.
    2. Type. Select the type InlineInspection.
    3. Server Name. Select the service or virtual server that represents the inline device(s).
    4. If Server Down. Select the operation to perform if the server goes down.
    5. Request Time-out. Select a time-out value. The default value can be used.
    6. Request Time-out Action. Select a time-out action. The default value can be used.
  19. Click Create.
  20. In the Create CI Policy page, enter other details.
  21. Click OK and Close.