Using the Network Profile Feature of NetScaler to Select Specific IP Addresses for the Connections Initiated by the Appliance

Article ID: CTX130209

Description

Background

A NetScaler appliance operates in proxy mode: it terminates client connections and initiates its own connections to the back-end server pools, using IP addresses configured on the appliance, such as Mapped IP (MIP) and Subnet IP (SNIP) addresses, as the source. When connecting to a server, the appliance dynamically selects an address from its global pool of MIP and SNIP addresses; whether a MIP or a SNIP is used depends on the subnet in which the physical server is placed. The same pool is used for client traffic and for monitor probes. By default, therefore, the administrator has no control over which source IP address the appliance uses to initiate a connection, and actual client requests and appliance-generated monitoring requests cannot be told apart by source address.

Network Profile

The Network Profile (net profile) feature lets you specify the source IP addresses that the NetScaler appliance uses for the connections it initiates. A net profile defines the networking characteristics of an entity on the appliance, and the feature was developed to address the requirement of controlling the source IP address that the appliance uses.

With a net profile, you can specify a single IP address, or use an IP set (IPSET) to specify a set of addresses, to be used as the source for appliance-initiated connections. You create the net profile as a separate entity and bind the addresses to it. You can bind the following to a net profile:

  • An individual IP address

  • Multiple IP addresses, by using an IPSET

  • A range of IP addresses, by using an IPSET

  Note: The IP addresses must already be added to the NetScaler appliance before you can bind them to a net profile.

Source IP selection when sending traffic:

If the Use Source IP (USIP) option is enabled, the appliance uses the client's IP address as the source and ignores all net profiles. If USIP is not enabled, the appliance selects the source IP address as follows:

  • If there is no net profile on the virtual server or on the service/service group, the appliance uses the default method (dynamic selection from the MIP/SNIP pool).
  • If there is a net profile only on the service/service group, the appliance uses that net profile.
  • If there is a net profile only on the virtual server, the appliance uses that net profile.
  • If there are net profiles on both the virtual server and the service/service group, the appliance uses the net profile bound to the service/service group.

You can bind a net profile to the following entities on the appliance:

  • Virtual server

  • Service

  • Service group

  • Monitor
       

Usage Scenarios

There are several scenarios in which the Network Profile feature of a NetScaler appliance is useful. The following are some examples:

Separating Server Farms

You can use net profiles to separate the back-end server farms by the source addresses of the traffic that originates from the NetScaler appliance. In deployments where back-end resources belong to multiple groups or tenants and you do not want those tenants to see the same source IP addresses, binding a different net profile to each tenant's services addresses the concern.

The original article includes a diagram of a sample deployment with IP-based separation from the NetScaler appliance (image not reproduced here).

Differentiating Between the Monitoring and Actual Client Traffic

By default, a NetScaler appliance uses the same source IP addresses for monitor probes and for actual client traffic, so a back-end server that performs some operation on every request cannot distinguish a monitoring request from a client request. For example, the back-end server might log every HTTP request or run a security check against every HTTP request. There is no need to log or inspect the monitoring requests if the server can identify them by their originating source IP address, which it can do when the monitor is bound to a net profile with a dedicated source address.

The original article includes a diagram of the use of a net profile to differentiate monitoring traffic from client traffic (image not reproduced here).

Identifying Multiple Data Paths on the Server Side

You can bind a single service to multiple virtual servers on a NetScaler appliance, so the same back-end server receives client traffic through different virtual server paths, and those paths may represent a logical separation of the traffic. By binding a different net profile to each virtual server, and leaving the service itself without a net profile (a profile on the service would take precedence over the virtual server profiles), you ensure that the service uses a different source IP address depending on the virtual server the traffic came through. The back-end server can then use the source IP address to tell apart traffic that reaches the same service entity by different paths.

The original article includes a diagram of the traffic flow in this scenario (image not reproduced here).

To create an IP set by using the configuration utility

Navigate to System > Network > IP Sets, and create an IP set.

To create a Network Profile by using the configuration utility

Navigate to System > Network > Net Profiles, and create a Net Profile.

To bind a net profile to a virtual server by using the configuration utility

1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and open the virtual server.
2. In Advanced Settings, click Profiles, and set a net profile.
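The same configuration from the NetScaler command line, as an added example that is not part of the original article. It walks through all three usage scenarios above: tenant separation by service group, a dedicated source address for monitor probes, and per-path source addresses for one service bound to two virtual servers. Every name and address in it (the 10.10.10.0/24 SNIPs, the 10.20.x.x servers, the 192.0.2.x VIPs, and the np_*, ipset_*, sg_*, svc_* and lb_vs_* names) is an assumption chosen for illustration.

```nscli
# Added example (not from the original article). All addresses and object
# names below are illustrative assumptions; substitute your own.

# 1. Source addresses must exist on the appliance before a net profile or
#    IP set can reference them.
add ns ip 10.10.10.11 255.255.255.0 -type SNIP
add ns ip 10.10.10.12 255.255.255.0 -type SNIP
add ns ip 10.10.10.21 255.255.255.0 -type SNIP
add ns ip 10.10.10.22 255.255.255.0 -type SNIP
add ns ip 10.10.10.31 255.255.255.0 -type SNIP
add ns ip 10.10.10.32 255.255.255.0 -type SNIP
add ns ip 10.10.10.99 255.255.255.0 -type SNIP

# 2. IP sets group several source addresses; the appliance selects the
#    source for each connection from within the set.
add ipset ipset_tenantA
bind ipset ipset_tenantA 10.10.10.11
bind ipset ipset_tenantA 10.10.10.12
add ipset ipset_tenantB
bind ipset ipset_tenantB 10.10.10.21
bind ipset ipset_tenantB 10.10.10.22

# 3. Net profiles: -srcIP takes either one IP address or the name of an IP set.
add netProfile np_tenantA -srcIP ipset_tenantA
add netProfile np_tenantB -srcIP ipset_tenantB
# A single dedicated address for monitor probes only.
add netProfile np_monitor -srcIP 10.10.10.99

# Scenario 1, separating server farms: each tenant's service group carries
# its own profile, so tenant B's servers never see tenant A's addresses.
add serviceGroup sg_tenantA HTTP
bind serviceGroup sg_tenantA 10.20.1.10 80
set serviceGroup sg_tenantA -netProfile np_tenantA
add serviceGroup sg_tenantB HTTP
bind serviceGroup sg_tenantB 10.20.2.10 80
set serviceGroup sg_tenantB -netProfile np_tenantB
add lb vserver lb_vs_tenantA HTTP 192.0.2.30 80
bind lb vserver lb_vs_tenantA sg_tenantA
add lb vserver lb_vs_tenantB HTTP 192.0.2.40 80
bind lb vserver lb_vs_tenantB sg_tenantB

# Scenario 2, separating monitor probes from client traffic: the monitor has
# its own profile, so probes arrive from 10.10.10.99 and client traffic never
# does. The back-end server can exclude that address from logging or inspection.
add lb monitor mon_http HTTP -netProfile np_monitor
bind serviceGroup sg_tenantA -monitorName mon_http
bind serviceGroup sg_tenantB -monitorName mon_http

# Scenario 3, identifying multiple data paths: one service bound to two
# virtual servers with different profiles. The service itself carries NO
# profile; if it did, that profile would win over both virtual servers (see
# the precedence rules above) and the two paths would look identical.
add netProfile np_path_internal -srcIP 10.10.10.31
add netProfile np_path_external -srcIP 10.10.10.32
add service svc_shared 10.20.3.10 HTTP 80
add lb vserver lb_vs_internal HTTP 192.0.2.10 80 -netProfile np_path_internal
add lb vserver lb_vs_external HTTP 192.0.2.20 80 -netProfile np_path_external
bind lb vserver lb_vs_internal svc_shared
bind lb vserver lb_vs_external svc_shared

# 4. Verify the bindings, and confirm USIP is off on the services: with
#    Use Source IP enabled the client address is used and profiles are ignored.
show netProfile np_tenantA
show serviceGroup sg_tenantA
show service svc_shared
show lb monitor mon_http
```

Once the profiles are in place, the back-end servers (and any firewall in front of them) should allow and log on these specific addresses rather than the whole MIP/SNIP pool; a server rule that matches 10.10.10.99 now identifies monitor probes exactly, and a rule that matches the tenant A set identifies only tenant A traffic.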

Issue/Introduction

This article contains information about the Network Profile feature of the NetScaler appliance.