Citrix ADC SDX

Consolidation across security zones

An SDX appliance is often used for consolidation across security zones. The DMZ adds an extra layer of security to an organization’s internal network, because an attacker has access only to the DMZ. It does not have access to the internal network of the organization. In high-compliance environments, a single Citrix ADC instance with VIP addresses in both the DMZ and an internal network is not acceptable. With SDX, you can provision instances hosting VIP addresses in the DMZ, and other instances hosting VIP addresses in an internal network.

Sometimes, you might need separate management networks for each security zone. The NSIP addresses of the instances in the DMZ can be in one network. The NSIP addresses of the instances with VIPs in the internal network can be in a different management network. Also, often, communication between the Management Service and the instances might need to be routed through an external device, such as a router. You can configure firewall policies to control the traffic that is sent to the firewall and to log the traffic.

The SDX appliance has two management interfaces (0/1 and 0/2) and, depending on the model, up to eight 1G data ports and eight 10G data ports. You can also use the data ports as management ports (for example, when you need to configure tagged VLANs, because tagging is not allowed on the management interfaces). If you do so, the traffic from the Management Service must leave the appliance and then return to the appliance. You can route this traffic or, optionally, specify an NSVLAN on an interface assigned to the instance. If a management interface is common between an instance and the Management Service, the traffic between the two does not have to be routed. However, if your setup explicitly requires it, the traffic can be routed.

Note Tagging is supported in Citrix Hypervisor version 6.0.

Consolidation across security zones