This article describes how to use NetScaler to load balance transparent network devices such as firewalls.
Background
Many partners and customers ask whether NetScaler can help them load balance transparent network devices such as firewalls, next-generation firewalls, anti-spam appliances and IPS (Intrusion Prevention System) devices. They say the performance of these security devices cannot be scaled out, and they want a solution that lets them scale out the performance of those devices seamlessly.
Below is a simple topology of the transparent firewall deployment:

The key challenge here is to keep the security devices transparent, so first we need to deploy NetScaler in L2 mode. But how do we load balance transparent network devices that have no IP address assigned to them? Luckily, NetScaler supports "Inter Traffic Domain Entity Bindings" from v11.0 onwards, which makes the following design possible:

Instructions
The following features need to be enabled on NetScaler: L2 mode, load balancing (LB), USIP and USNIP.
Also create a service to monitor the firewall. Because SNIP 169.254.10.1 is in TD0 and SNIP 169.254.10.2 is in TD11, the probe from TD0 to 169.254.10.2 has to pass through the firewall; if the firewall is down, the service for 169.254.10.2 in TD0 goes down too.
Run the following commands from the NetScaler CLI to define the firewall-side servers and the service group:
add server TD_0_169.254.20.2 169.254.20.2
add server TD_0_169.254.10.2 169.254.10.2
add serviceGroup SG_0to11 ANY -maxClient 0 -maxReq 0 -cip DISABLED -usip YES -useproxyport NO -cltTimeout 120 -svrTimeout 120 -CKA NO -TCPB NO -CMP NO -appflowLog DISABLED
bind serviceGroup SG_0to11 TD_0_169.254.10.2 *
bind serviceGroup SG_0to11 TD_0_169.254.20.2 *
Then create the virtual server (VS) that intercepts the client traffic arriving on interface 1/1. Note that the inner quotes of the listen policy expression must be escaped:
add lb vserver VS_to_FW ANY * * -persistenceType NONE -lbMethod SRCIPDESTIPHASH -Listenpolicy "CLIENT.INTERFACE.ID.EQ(\"1/1\")" -Listenpriority 10 -m MAC -cltTimeout 120
bind lb vserver VS_to_FW SG_0to11
Now the traffic is dispatched across the different firewalls, but it still cannot reach the destination IP address. We need a second VS in TD11 to let the traffic out.
NetScaler must be able to tell the connection tables of the two virtual servers apart, so first enable the following LB parameter:
set lb parameter -vServerSpecificMac ENABLED
add server TD_0_192.168.1.252 192.168.1.252
add service S_GW TD_0_192.168.1.252 ANY * -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip YES -useproxyport NO -sp OFF -cltTimeout 120 -svrTimeout 120 -CKA NO -TCPB NO -CMP NO
add lb vserver VS_FW_to_GWout ANY * * -persistenceType NONE -lbMethod ROUNDROBIN -m MAC -cltTimeout 120 -td 11
bind lb vserver VS_FW_to_GWout S_GW
If you need a more advanced scenario such as the ones listed below, NetScaler can do that as well:
- Bypass the firewalls and send traffic straight to the router if all the firewalls are down.
- Redirect only TCP traffic to the firewalls.
- Redirect only traffic for specific destination ports to the firewalls.
- Bypass a specific protocol directly to the router without firewall inspection.
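As an added example (not part of the original article), the second and third scenarios can be combined by narrowing the listen policy of VS_to_FW so that only TCP traffic to ports 80 and 443 arriving on 1/1 is steered through the firewalls. It assumes that CLIENT.IP.PROTOCOL.EQ(TCP), CLIENT.TCP.DSTPORT.EQ() and the && / || operators are accepted in a listen policy on an ANY, MAC-mode virtual server, and that frames the listen policy does not match are simply bridged by L2 mode.

```netscaler
# Added example, not from the original article. Replace the listen policy of
# VS_to_FW so that only TCP to ports 80/443 from interface 1/1 is intercepted.
# Assumption: these expression elements are valid in a listen policy on an
# ANY/MAC-mode vserver; anything not matched is left to L2 bridging.
set lb vserver VS_to_FW -Listenpolicy "CLIENT.INTERFACE.ID.EQ(\"1/1\") && CLIENT.IP.PROTOCOL.EQ(TCP) && (CLIENT.TCP.DSTPORT.EQ(80) || CLIENT.TCP.DSTPORT.EQ(443))" -Listenpriority 10

# Verify the policy took effect and that every firewall path is UP before
# relying on it; a DOWN member means that firewall is no longer in rotation.
show lb vserver VS_to_FW
show serviceGroup SG_0to11
```

Narrowing the listen policy means everything outside it crosses the NetScaler uninspected, so decide explicitly which traffic may bypass the firewalls rather than letting it happen by omission.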
And by using NetScaler clustering, the performance of NetScaler itself can be scaled out seamlessly as well.
If you want to use NetScaler to load balance NAT firewalls instead, refer to the documentation on docs.citrix.com.