Where to securely deploy Citrix Netscaler?

Solution 1:

You simply cannot deploy a Citrix NetScaler without access to the LAN behind it... remember that you want to securely give access to Virtual Desktops to your users, so the NetScaler must be able to forward traffic to the hosted servers!

Of course, you could cut off LDAP authentication and establish some sort of authentication servers (the NetScaler / VPX instance has such options). But from my point of view, this makes no sense and creates a lot of work afterwards.

The only thing that makes sense is to move the NetScaler / LDAP server (probably a Windows domain controller) and the Windows Terminal Servers to their own dedicated LAN (VLAN), so that they are separated from the rest of your network. And you can deploy a firewall between the NetScaler and your hosted servers, since the ports in use are well known...

[Edit] In response to the comment below:

  • A VPN in front of the NetScaler gets you nowhere - from the attacker's point of view, it doesn't matter if he attacks IP a.b.c.d or IP e.f.g.h ...
  • 2FA is possible and supported by Citrix; this is definitely an option for increased security. Just remember that your users need to enter the 2FA every time they log in, so this might create some "annoyance"...
  • In your Virtual Desktop Deployment, you are able to define a group of users who are allowed to access the deployment - so you are able to define a group which does not contain any Domain Admin - it is a good idea to disallow Domain Admins from logging in from outside...
  • Don't forget the firewall! If your NetScaler gets compromised, the firewall is your first line of defence!
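The answer's recommendation of a dedicated VLAN with a firewall between the NetScaler and the hosted servers is easy to state and easy to get wrong with one over-broad rule. The following is an added example, not code from the original answer or from Citrix: a small first-match firewall policy simulator that checks a NetScaler segment can reach the hosted servers only on an explicit allow-list of ports and that everything else is denied. The VLAN ranges, host addresses, the port list (LDAPS 636, HTTPS 443, ICA/CGP 1494/2598) and the probe ports are assumptions chosen for the illustration; substitute the ports your own deployment actually uses. The weak ruleset beside the hardened one shows what the audit catches.

```python
"""Added example (not from the original answer): first-match firewall policy
simulator for a NetScaler VLAN -> hosted-server VLAN allow-list.
All addresses, ranges and ports below are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

# Constructed segments: NetScaler on its own VLAN, hosted servers on another.
NETSCALER_VLAN = ipaddress.ip_network("10.10.10.0/24")
SERVER_VLAN = ipaddress.ip_network("10.10.20.0/24")
DOMAIN_CONTROLLER = ipaddress.ip_network("10.10.20.5/32")   # LDAP auth source
STOREFRONT = ipaddress.ip_network("10.10.20.6/32")          # web front end
SESSION_HOSTS = ipaddress.ip_network("10.10.20.64/26")      # terminal / VDA hosts
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                   # "tcp", "udp" or "any"
    dports: FrozenSet[int]       # empty set means "any destination port"

    def matches(self, src_ip, dst_ip, proto: str, dport: int) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and self.proto in ("any", proto)
                and (not self.dports or dport in self.dports))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins; no match falls through to an implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"


def hardened_rules() -> List[Rule]:
    """Allow-list of the services the NetScaler must reach (assumed ports)."""
    return [
        Rule("allow", NETSCALER_VLAN, DOMAIN_CONTROLLER, "tcp", frozenset({636})),     # LDAPS
        Rule("allow", NETSCALER_VLAN, STOREFRONT, "tcp", frozenset({443})),            # HTTPS
        Rule("allow", NETSCALER_VLAN, SESSION_HOSTS, "tcp", frozenset({1494, 2598})),  # ICA / CGP
        Rule("deny", ANY_NET, ANY_NET, "any", frozenset()),                            # explicit default deny
    ]


def weak_rules() -> List[Rule]:
    """The shortcut to avoid: one broad allow from the NetScaler VLAN to the whole server VLAN."""
    return [
        Rule("allow", NETSCALER_VLAN, SERVER_VLAN, "any", frozenset()),
        Rule("deny", ANY_NET, ANY_NET, "any", frozenset()),
    ]


# Constructed list of ports an auditor would probe beyond the intended services.
PROBE_PORTS = [22, 53, 80, 88, 135, 139, 389, 443, 445, 636, 1494, 2598, 3389, 5985]

# Flows that are supposed to be open: (target group, proto, port).
EXPECTED: Set[Tuple[str, str, int]] = {
    ("dc", "tcp", 636), ("storefront", "tcp", 443),
    ("vda", "tcp", 1494), ("vda", "tcp", 2598),
}


def audit(rules: List[Rule], expected: Set[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """Probe one host per server group from the NetScaler VLAN and return every
    flow that is allowed but not on the expected allow-list."""
    probe_src = str(NETSCALER_VLAN[10])
    targets = {"dc": DOMAIN_CONTROLLER[0], "storefront": STOREFRONT[0], "vda": SESSION_HOSTS[1]}
    unexpected = []
    for name, host in targets.items():
        for port in PROBE_PORTS:
            for proto in ("tcp", "udp"):
                if (evaluate(rules, probe_src, str(host), proto, port) == "allow"
                        and (name, proto, port) not in expected):
                    unexpected.append((name, proto, port))
    return unexpected


if __name__ == "__main__":
    print("hardened ruleset, unexpected open flows:", audit(hardened_rules(), EXPECTED))
    leaks = audit(weak_rules(), EXPECTED)
    print("weak ruleset, unexpected open flows:", len(leaks), "e.g.", leaks[:3])
```

The audit only exercises the NetScaler-to-server direction; `evaluate` also shows that the reverse direction (server VLAN towards the NetScaler) is denied by the hardened set, which is what you want if the NetScaler is the component most likely to be compromised first.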