A customer recently requested a solution for an interesting challenge: “How do we filter incoming email based on a client IP range when our email filter and relay cannot respond to the client’s IP as it is behind a firewall and load balancer?”
After some discovery involving wire traces and a review of the network topology, the answer was clear: NetScaler!
A NetScaler appliance was already handling the load balancing for the servers, sitting between the firewall and the server network. This was good news as no new firewall rules or changes to the existing firewall were needed.
What is Content Switching? According to Citrix, the NetScaler content switching feature enables the NetScaler appliance to distribute client requests across multiple servers on the basis of specific content that you wish to present to those users.
The customer used Trustwave Secure Email Gateway. This product provides email spam filtering and relay services to Microsoft Exchange. Trustwave Secure Email Gateway allows relay and filter rules to be created using a source IP address (and, as described below, those rules can still work even though the server never sees the client's real address).
A typical environment might place the Secure Email Gateway server on the edge of the network, giving the server full visibility into the inbound request. That kind of placement was not in the best interest of high availability or security, so our solution configured the NetScaler to examine the client IP and use a content switch to direct that traffic to one of two load-balanced virtual servers bound to the content switching virtual server.
Each virtual server used in the solution had a service that sent traffic to the Secure Email Gateway in exactly the same way apart from the source address: each service was bound to a Network Profile that used its own subnet IP address (SNIP, as I like to call it), so the data was forwarded to the servers from a distinct source address.
The Secure Email Gateway now sees a different source IP address for each client range, which its rules can match, so the spam filter and relay work without the server ever needing to respond directly to the client submitting the message.
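To make the design concrete, here is an added example (not the customer's configuration and not code from Citrix or Trustwave) that renders the NetScaler CLI objects the three paragraphs above describe and simulates the content switching decision. All addresses, object names and client ranges are constructed placeholders; the CLI syntax (`add netProfile ... -srcIP`, `add service ... -netProfile`, `CLIENT.IP.SRC.IN_SUBNET()`, `bind cs vserver ... -targetLBVserver`) is standard NetScaler default-policy syntax, but the mask on the SNIPs and the assumption that every SNIP is routable to the gateway are mine.

```python
import ipaddress

# Constructed sample values (not from the original post): the VIP, the gateway
# address, the SNIPs and the client ranges are illustrative placeholders.
CS_VIP = "192.0.2.10"          # public-facing SMTP VIP on the content switching vserver
GATEWAY_IP = "10.0.0.50"       # Secure Email Gateway on the server network

# One rule per client range: which LB vserver/service/net profile/SNIP serves it.
# Rule order is the policy priority order.
RULES = [
    {"name": "partner", "client_subnets": ["203.0.113.0/24"],
     "lb_vserver": "lb_smtp_partner", "service": "svc_smtp_partner",
     "net_profile": "np_smtp_partner", "snip": "10.0.0.11"},
    {"name": "internal", "client_subnets": ["198.51.100.0/25", "198.51.100.200/29"],
     "lb_vserver": "lb_smtp_internal", "service": "svc_smtp_internal",
     "net_profile": "np_smtp_internal", "snip": "10.0.0.12"},
]
# Traffic matching no policy falls through to the default LB vserver and its SNIP,
# so the gateway can give "unknown" senders their own (stricter) rule set.
DEFAULT = {"lb_vserver": "lb_smtp_default", "service": "svc_smtp_default",
           "net_profile": "np_smtp_default", "snip": "10.0.0.13"}


def select_target(client_ip, rules=RULES, default=DEFAULT):
    """Mimic the content switch: the first policy whose CLIENT.IP.SRC.IN_SUBNET()
    test matches wins; otherwise the default LB vserver is used.
    Returns (lb_vserver, snip) so the caller can see which source address
    the gateway will observe for this client."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if any(ip in ipaddress.ip_network(s) for s in rule["client_subnets"]):
            return rule["lb_vserver"], rule["snip"]
    return default["lb_vserver"], default["snip"]


def render_config(cs_vip=CS_VIP, gateway_ip=GATEWAY_IP, rules=RULES, default=DEFAULT):
    """Return the NetScaler CLI lines that build the design: one SNIP, net profile,
    service and non-addressable LB vserver per client range, plus the CS vserver
    and its policies. Assumes a /24 server subnet and SNIPs routable to the gateway."""
    lines = [f"add server srv_seg {gateway_ip}"]
    for t in [*rules, default]:
        lines += [
            f"add ns ip {t['snip']} 255.255.255.0 -type SNIP",
            f"add netProfile {t['net_profile']} -srcIP {t['snip']}",
            f"add service {t['service']} srv_seg TCP 25 -netProfile {t['net_profile']}",
            f"add lb vserver {t['lb_vserver']} TCP 0.0.0.0 0",
            f"bind lb vserver {t['lb_vserver']} {t['service']}",
        ]
    lines.append(f"add cs vserver cs_smtp TCP {cs_vip} 25")
    for prio, rule in enumerate(rules, start=1):
        expr = " || ".join(f"CLIENT.IP.SRC.IN_SUBNET({s})" for s in rule["client_subnets"])
        lines += [
            f'add cs policy cs_pol_{rule["name"]} -rule "{expr}"',
            f"bind cs vserver cs_smtp -policyName cs_pol_{rule['name']} "
            f"-targetLBVserver {rule['lb_vserver']} -priority {prio * 100}",
        ]
    # Default target for anything no policy matched.
    lines.append(f"bind cs vserver cs_smtp -lbvserver {default['lb_vserver']}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_config()))
    for ip in ("203.0.113.25", "198.51.100.7", "198.51.100.201", "192.0.2.77"):
        print(ip, "->", select_target(ip))
```

Two points worth checking when deploying something like this: the gateway's IP-based relay rules now match the SNIPs rather than the original clients, so the mapping from client range to SNIP is effectively the trust boundary and should be documented and reviewed alongside the gateway rules; and the default binding matters, because any client outside the listed ranges is presented to the gateway from the default SNIP, which should therefore carry the least-privileged rule set.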
The result of the solution? Messages are received, the rules are evaluated and the messages are relayed for successful processing. The alternative would have been to create:
- A new server,
- Another DNS record,
- New security considerations, and
- Potentially some compromise, but for sure additional cost (which is probably not what we want to do).
Oftentimes, a networking team is asked to solve issues that are more complex than one resource communicating with another. If your organization has a NetScaler in the network, application networking challenges are a lot easier to handle with much less downtime, and when properly implemented, there is a high level of security. NetScaler content switching can be implemented in a cloud solution or on-premises, where most payloads can be examined and conditional rules can be created to direct that traffic.
If you’re experiencing a network challenge and nothing has helped so far, then maybe it’s time for you to consider a Citrix NetScaler solution in your network. If you've got questions, then we've got answers!