
Citrix ADC Integration with ApiFort

Overview

Citrix ADC (Application Delivery Controller) is a comprehensive application delivery and load-balancing solution designed to optimize application performance, availability, and security. Formerly known as NetScaler ADC, Citrix ADC provides a range of features and functionalities to ensure that applications are delivered efficiently to end-users.

Citrix ADC can function as a gateway, providing secure access to applications and data for remote users. This functionality, often called the Citrix Gateway, includes features such as Virtual Private Network (VPN) capabilities, authentication, and access control.

ApiFort can receive a mirrored copy of the traffic that passes through Citrix ADC: the ADC sends the copy through an IP-in-IP tunnel to the virtual machine where the ApiFort Httpcap agent is installed, so the agent sees the traffic without sitting inline in the data path.

Citrix ADC Integration Architecture

Architecture Overview

The diagram above shows a high-level deployment architecture where:

  • Client traffic passes through Citrix ADC, which mirrors a copy of it at layer 3 (the copy is sent as encapsulated IP packets, not as a proxied application connection)
  • An IP-in-IP tunnel is established from Citrix ADC to the VM running the ApiFort Httpcap agent; any router on the path only forwards the encapsulated packets
  • The ApiFort Httpcap Agent runs on a RHEL or Ubuntu VM and decapsulates the mirrored traffic

Before You Begin

Prerequisites

Make a note of the following points before proceeding with the integration:

  • Choose Ubuntu or RHEL for the VM that will host the ApiFort Httpcap agent, and launch it. The VM's IP address is the IP address of the ApiFort Httpcap agent and the local endpoint of the tunnel
  • Make sure that Citrix ADC (formerly NetScaler) is already installed and configured
  • Note the IP address of the Citrix ADC interface that will be the source of the mirrored (encapsulated) traffic; this is the remote endpoint of the tunnel on the VM
  • Note the IP address of the ApiFort Httpcap agent, which will receive the mirrored traffic
  • Make sure that IP protocol 4 (IPIP) is permitted from the Citrix ADC address to the agent VM on every firewall, security group or host filter between them; the tunnel carries no TCP or UDP port that a port-based rule could match

Additional Resources

For more information on traffic mirroring from Citrix ADC, see the Citrix article Integrating Citrix layer 3 with passive security devices (Intrusion Detection System).

Configuration

The configuration to mirror the traffic consists of the following steps:

  1. Creating the VM side of the IP tunnel on the VM where the ApiFort Httpcap agent will be installed
  2. Configuring Citrix ADC to mirror traffic into that tunnel

Step 1 - Create an IP Tunnel

You first need to create the VM end of the IP tunnel from Citrix ADC, as shown in the deployment diagram above. Complete the steps for the type of VM you have chosen.

On an Ubuntu VM, create the file /etc/netplan/51-iptunnel.yaml with the following content:

YAML
network:
  tunnels:
    ipip0:
      mode: ipip
      local: <Local IP>
      remote: <Remote IP>
      mtu: 1500
  version: 2

IP Configuration

  • Remote IP - The IP address of the Citrix ADC interface that sources the tunnel traffic. It must match the outer source address of the encapsulated packets exactly; the kernel associates incoming IPIP packets with ipip0 only when they come from this remote address
  • Local IP - The IP address of the ApiFort Httpcap agent, on the interface that the Citrix ADC reaches

Apply the configuration with the following command after creating the file:

Bash
sudo netplan apply

On a RHEL VM, create the tunnel with NetworkManager by running the following command:

Bash
nmcli connection add type ip-tunnel ip-tunnel.mode ipip con-name ipip0 ifname ipip0 remote <remote_ip> local <local_ip>

Command Explanation

Following is an explanation of the above command:

  • nmcli connection add: This part of the command instructs NetworkManager to add a new connection
  • type ip-tunnel: Specifies the type of connection as an IP tunnel
  • ip-tunnel.mode ipip: Sets the tunneling mode to IPIP (IP in IP)
  • con-name ipip0: Assigns a name to the new connection. In this case, it's named "ipip0"
  • ifname ipip0: Specifies the interface name for the new connection as "ipip0"
  • remote <remote_ip>: Sets the remote IP address for the tunnel. Replace <remote_ip> with the Citrix ADC address that sources the tunnel traffic
  • local <local_ip>: Sets the local IP address for the tunnel. Replace <local_ip> with the ApiFort Httpcap agent IP address

About IPIP Protocol

IPIP (IP in IP, IP protocol number 4) is a tunneling protocol that encapsulates an IP packet inside another IP packet. The original packet, headers included, becomes the payload of a new outer IP packet addressed from one tunnel endpoint to the other, which lets it traverse an intermediate IP network unchanged. IPIP adds no encryption and no authentication of the endpoints: whatever Citrix ADC places in the tunnel crosses the network exactly as mirrored, and the receiving kernel accepts any packet whose outer addresses match the configured endpoints. Run the tunnel over a trusted or isolated network segment and restrict protocol 4 on the agent VM to the Citrix ADC address.

Step 2 - Steps in Citrix ADC

Complete the following steps in Citrix ADC:

1. Enable the Content Inspection and Load Balancing features

Bash
enable ns feature contentInspection LoadBalancing

2. Create an IP-IP Tunnel

Bash
add ipTunnel iptunnel-tpa <ApiFortInstanceIP> 255.255.255.255 *

Note

ApiFortInstanceIP is the IP address of the ApiFort Httpcap agent. The 255.255.255.255 mask makes the tunnel a point-to-point tunnel to that single host, and * lets Citrix ADC choose its own source address for the tunnel; the address it uses is the one you must configure as the remote IP on the VM side.

3. Add Content Inspection Profile

Bash
add contentInspection profile ApiFort_IDS_profile1 -type MIRROR -ipTunnel iptunnel-tpa

4. Add IDS Service

Bash
add service ApiFort_IDS_service <ApiFortInstanceIP> ANY 8080 -contentInspectionProfileName ApiFort_IDS_profile1 -healthMonitor OFF

The protocol ANY and port 8080 are nominal: the mirrored copy is delivered through the IP tunnel named in the profile, not to that port. Health monitoring is turned off because the passive agent does not answer probes, and a failed probe would mark the service DOWN and stop the mirroring.

5. Add Content Inspection Action

Bash
add ContentInspection action ApiFort_IDS_action -type MIRROR -serverName ApiFort_IDS_service

6. Add Content Inspection Policy

Bash
add contentInspection policy ApiFort_IDS_pol1 -rule true -action ApiFort_IDS_action

7. Identify Virtual Server

Important

You should have an existing load balancing or content switching virtual server of type HTTP or SSL that receives the client traffic you want to mirror. Keep its name handy for the next step.

8. Bind Content Inspection Policy

Bash
bind lb vserver <HTTP_vserver> -policyName ApiFort_IDS_pol1 -priority 100 -type REQUEST

Note

Substitute <HTTP_vserver> with the virtual server name from step 7. If the traffic enters through a content switching virtual server rather than a load balancing one, bind the policy to it with bind cs vserver instead of bind lb vserver. Save the running configuration afterwards so the mirroring survives a reboot.

Verification

To verify that encapsulated packets arrive from Citrix ADC at the ApiFort Httpcap agent, run the following command on the agent VM while client requests are hitting the virtual server. The filter matches IP protocol 4 (IPIP), so only tunnel traffic is shown:

Bash
sudo tcpdump -n -i any -s 0 -vvv -X 'ip proto 4'

Example output (shown as an image in the original page): each packet is printed with an outer IPv4 header whose protocol is IPIP (4) and whose source is the Citrix ADC address, followed by the inner mirrored packet, typically TCP from the client address to the virtual server.

Example IPIP Tcpdump Output

Integration Verification

The integration is working when the command shows a steady stream of IPIP packets whose outer source is the Citrix ADC address and whose inner packets carry the client requests. If no packets appear, check the content inspection policy binding on the virtual server and that protocol 4 is allowed on the path. If packets appear but the receive counters of ipip0 (ip -s link show ipip0) do not increase, the outer source address does not match the remote IP configured on the tunnel; set the remote IP to the address shown by tcpdump.
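The following is an added example that is not part of the ApiFort or Citrix documentation. It shows, for the About IPIP Protocol section and for this verification step, what the two ends of the tunnel do with one mirrored packet: the ADC side wraps a copy of the client packet in an outer IPv4 header with protocol 4, and the agent side unwraps it only when the outer addresses match the configured tunnel endpoints, which is why a wrong remote IP silently drops everything. All addresses (ADC 10.0.0.10, agent 10.0.0.20, the mirrored client flow 192.0.2.7 to 198.51.100.5:443) and the HTTP request are constructed for illustration, and the TCP checksum is left at zero because only the IP layers are under examination.

```python
"""IP-in-IP (protocol 4) encapsulation and decapsulation, as used by the
Citrix ADC -> ApiFort Httpcap agent mirror tunnel.

Added example, not ApiFort or Citrix code. Addresses and payload are
constructed sample data.
"""
import socket
import struct

IPPROTO_IPIP = 4
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, DF set) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_tcp(sport: int, dport: int, payload: bytes, flags: int = 0x18) -> bytes:
    """20-byte TCP header (PSH/ACK by default) with a zero checksum, then payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload


def parse_ipv4(pkt: bytes):
    """Validate version, lengths and header checksum; return (src, dst, proto, ihl, total_len)."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("bad length")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, ihl, total_len


def encapsulate(inner: bytes, adc_ip: str, agent_ip: str) -> bytes:
    """ADC side: the mirrored packet becomes the payload of an outer IPv4 packet, protocol 4."""
    return build_ipv4(adc_ip, agent_ip, IPPROTO_IPIP, inner)


def decapsulate(frame: bytes, expected_remote: str, local_ip: str) -> dict:
    """Agent side (what ipip0 does): strip the outer header only if it matches the tunnel
    endpoints, then expose the inner packet. A mismatch is a drop, exactly as in the kernel."""
    osrc, odst, oproto, oihl, olen = parse_ipv4(frame)
    if oproto != IPPROTO_IPIP:
        raise ValueError("outer protocol %d is not IPIP" % oproto)
    if osrc != expected_remote or odst != local_ip:
        raise ValueError("outer %s->%s does not match tunnel %s->%s; dropped"
                         % (osrc, odst, expected_remote, local_ip))
    inner = frame[oihl:olen]
    isrc, idst, iproto, iihl, ilen = parse_ipv4(inner)
    info = {"outer_src": osrc, "inner_src": isrc, "inner_dst": idst, "inner_proto": iproto}
    if iproto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
        doff = (inner[iihl + 12] >> 4) * 4          # TCP data offset, in bytes
        info.update(sport=sport, dport=dport, payload=inner[iihl + doff:ilen])
    return info


if __name__ == "__main__":
    ADC_IP, AGENT_IP = "10.0.0.10", "10.0.0.20"   # constructed tunnel endpoints
    http = b"GET /api/v1/users HTTP/1.1\r\nHost: api.example.test\r\n\r\n"  # constructed
    inner = build_ipv4("192.0.2.7", "198.51.100.5", IPPROTO_TCP, build_tcp(51234, 443, http))
    frame = encapsulate(inner, ADC_IP, AGENT_IP)
    print(decapsulate(frame, ADC_IP, AGENT_IP))
    # Same packet, but the ADC sourced it from a different SNIP than the VM's remote IP:
    try:
        decapsulate(encapsulate(inner, "10.0.0.99", AGENT_IP), ADC_IP, AGENT_IP)
    except ValueError as err:
        print("dropped:", err)
```

The second call in the demo is the failure mode behind an empty ipip0: tcpdump with 'ip proto 4' would still show the packets, because the filter looks only at the outer protocol field, but the tunnel interface never passes them up. Note also that nothing in decapsulate checks who sent the frame beyond its outer source address; a host that can spoof that address can inject packets into the agent, which is why protocol 4 should be filtered to the ADC address on a trusted segment.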