Traffic generated by the proxy SG with high dst ports 40xxxx to 60.xxx

I need a solution

Hi  BC Community,

Analyzing different types of traffic in our network (proxies, firewalls, Snort), we detected connections generated by our proxy to the internal network (not the Internet; the pub segment). These communications are made through high destination ports, 40.xxx to 60.xxx. Could someone tell us what kind of traffic this is or why it is generated?

Kind regards

Security Team 


Unmanaged Lab Network Firewall policies – Looking for ideas

I do not need a solution (just sharing information)

We currently have 2 primary firewall policies, OnNet and OffNet.  When OnNet (on the corporate network) the firewall is enabled but basically in Allow All mode.  When OffNet (anywhere but the corporate network) the firewall is much more restrictive.  We have an additional unmanaged network that we are trying to figure out how to deal with.  We call it a Lab network and it is a combination of corporate laptops that come and go, as well as computers and devices that could have come from anywhere really: vendors, customers, etc.  Some of them are computers, some of them are instruments, etc.  Currently when on the "lab" network corporate computers are in OffNet mode.  The issue is this: computers need to talk to devices while on that network that are consistently being blocked by the firewall.  Sometimes the corporate computer initiates the connection, sometimes the other device initiates the connection. Nothing is consistent either, IPs, ports or protocols; the use case is very broad. What we don't want to do is just turn the firewall off when they are on this network, but there is also no easy way to define what ports and protocols need to be allowed. Does anyone have any suggestions on how to deal with this?


Overload Traffic on Network monitor

I need a solution

Hi Experts, I need your help.

Is there any suggestion if you have very busy traffic on a Network Monitor that causes the Network Monitor to become low on disk?

Every day I get long message time and low-disk status events.

See the file attachments for more details.

1. Do I need to add another Network Monitor server for this area to help this one? (I have 5 Network Monitors for 5 areas/our client regions.) If I really do need one more server, can I use a VM rather than a physical server again?

2. Or do I need a good new packet capture card for the Network Monitor?

3. Tune the policies?

4. Ask the NS team to filter the traffic?

Thanks,


Where does a Citrix ADC appliance fit in the network?

A Citrix ADC appliance resides between the clients and the servers, so that client requests and server responses pass through it. In a typical installation, virtual servers configured on the appliance provide connection points that clients use to access the applications behind the appliance. In this case, the appliance owns public IP addresses that are associated with its virtual servers, while the real servers are isolated in a private network. It is also possible to operate the appliance in a transparent mode as an L2 bridge or L3 router, or even to combine aspects of these and other modes.

Physical deployment modes

A Citrix ADC appliance logically residing between clients and servers can be deployed in either of two physical modes: inline and one-arm. In inline mode, multiple network interfaces are connected to different Ethernet segments, and the appliance is placed between the clients and the servers. The appliance has a separate network interface to each client network and a separate network interface to each server network. The appliance and the servers can exist on different subnets in this configuration. It is possible for the servers to be in a public network and the clients to directly access the servers through the appliance, with the appliance transparently applying the L4-L7 features. Usually, virtual servers (described later) are configured to provide an abstraction of the real servers. The following figure shows a typical inline deployment.

Figure 1. Inline Deployment

image

In one-arm mode, only one network interface of the appliance is connected to an Ethernet segment. The appliance in this case does not isolate the client and server sides of the network, but provides access to applications through configured virtual servers. One-arm mode can simplify network changes needed for Citrix ADC installation in some environments.

For examples of inline (two-arm) and one-arm deployment, see “Understanding Common Network Topologies.”

Citrix ADC as an L2 device

A Citrix ADC appliance functioning as an L2 device is said to operate in L2 mode. In L2 mode, the ADC appliance forwards packets between network interfaces when all of the following conditions are met:

  • The packet is destined to another device's media access control (MAC) address, not to the appliance's own.
  • The destination MAC address is reachable through a different network interface than the one the packet arrived on.
  • Both network interfaces are members of the same virtual LAN (VLAN).

By default, all network interfaces are members of a pre-defined VLAN, VLAN 1. Address Resolution Protocol (ARP) requests and responses are forwarded to all network interfaces that are members of the same VLAN. To avoid bridging loops, L2 mode must be disabled if another L2 device (for example a switch or another bridge) is working in parallel with the Citrix ADC appliance.

For information about how the L2 and L3 modes interact, see Packet forwarding modes.

For information about configuring L2 mode, see the “Enable and disable layer 2 mode” section in Packet forwarding modes.

Citrix ADC as a packet forwarding device

A Citrix ADC appliance can function as a packet forwarding device, and this mode of operation is called L3 mode. With L3 mode enabled, the appliance forwards any received unicast packets that are destined for an IP address that does not belong to the appliance, if there is a route to the destination. The appliance can also route packets between VLANs.

In both modes of operation, L2 and L3, the appliance generally drops the following:

  • Multicast frames
  • Frames of an unknown protocol (non-IP and non-ARP) destined for the appliance's MAC address
  • Spanning Tree Protocol frames (unless BridgeBPDUs is ON)

For information about how the L2 and L3 modes interact, see Packet forwarding modes.

For information about configuring the L3 mode, see Packet forwarding modes.
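The forwarding rules of this section, expressed as a small Python decision model. This is an added example, not Citrix code or configuration; the interface names, MAC addresses, VLAN assignments, route table and the sample frames are constructed for illustration, and the model reproduces only the conditions stated above (L2 bridging to a different interface in the same VLAN, ARP flooding within the VLAN, L3 routing of unicast packets not addressed to one of the appliance's IPs, and the drops that apply in both modes).

```python
"""Decision model for the Citrix ADC L2/L3 forwarding rules described above.
Added illustration, not Citrix code; interfaces, MACs, VLANs, routes and the
frames fed to the model are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

STP_MAC = "01:80:c2:00:00:00"     # IEEE 802.1D BPDU destination address
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """Group bit (least significant bit of the first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Frame:
    in_iface: str
    dst_mac: str
    ethertype: str                  # "IP", "ARP" or anything else
    dst_ip: Optional[str] = None    # only meaningful for IP frames


@dataclass
class Appliance:
    own_macs: Dict[str, str]        # interface -> appliance MAC on that interface
    own_ips: List[str]              # NSIP/SNIP/VIP addresses the appliance owns
    iface_vlan: Dict[str, int]      # interface -> VLAN id (all default to VLAN 1)
    mac_table: Dict[str, str]       # learned MAC -> interface it was seen on
    routes: List[Tuple[str, str]]   # (destination network, exit interface)
    l2_mode: bool = False
    l3_mode: bool = True
    bridge_bpdus: bool = False

    def forward(self, f: Frame) -> str:
        # Rules that apply in both L2 and L3 mode.
        if f.dst_mac == STP_MAC:
            return "BRIDGE(bpdu)" if self.bridge_bpdus else "DROP(stp)"
        if f.dst_mac == BROADCAST and f.ethertype == "ARP":
            if not self.l2_mode:
                return "CONSUME"    # answered locally if it asks for one of our IPs
            vlan = self.iface_vlan[f.in_iface]
            peers = sorted(i for i, v in self.iface_vlan.items()
                           if v == vlan and i != f.in_iface)
            return "FLOOD->" + ",".join(peers)
        if is_multicast(f.dst_mac):
            return "DROP(multicast)"
        to_self = f.dst_mac in self.own_macs.values()
        if to_self and f.ethertype not in ("IP", "ARP"):
            return "DROP(unknown-protocol)"
        # L2 bridging: another device's MAC, reachable via a different
        # interface, and both interfaces in the same VLAN.
        if not to_self:
            out = self.mac_table.get(f.dst_mac)
            if (self.l2_mode and out is not None and out != f.in_iface
                    and self.iface_vlan[out] == self.iface_vlan[f.in_iface]):
                return f"BRIDGE->{out}"
            return "DROP(not-bridged)"
        # Addressed to our MAC: consume if the IP is ours, else route in L3 mode.
        if f.ethertype == "ARP" or f.dst_ip in self.own_ips:
            return "CONSUME"
        if not self.l3_mode:
            return "DROP(l3-off)"
        for net, out in self.routes:
            if ip_address(f.dst_ip) in ip_network(net):
                return f"ROUTE->{out}"
        return "DROP(no-route)"


def build_demo() -> Appliance:
    """Constructed two-arm box: 1/1 faces clients, 1/2 faces servers (both in
    VLAN 1), 1/3 is a separate server VLAN 20. Hypothetical addresses."""
    return Appliance(
        own_macs={"1/1": "00:e0:ed:00:00:01", "1/2": "00:e0:ed:00:00:02",
                  "1/3": "00:e0:ed:00:00:03"},
        own_ips=["192.0.2.10", "10.0.0.10"],
        iface_vlan={"1/1": 1, "1/2": 1, "1/3": 20},
        mac_table={"00:11:22:33:44:55": "1/2", "00:11:22:33:44:66": "1/3"},
        routes=[("10.0.0.0/8", "1/2"), ("172.16.0.0/12", "1/3")],
        l2_mode=True, l3_mode=True, bridge_bpdus=False)


def demo() -> Dict[str, str]:
    a = build_demo()
    cases = {
        "bridge_same_vlan": Frame("1/1", "00:11:22:33:44:55", "IP", "10.0.0.50"),
        "vlan_mismatch": Frame("1/1", "00:11:22:33:44:66", "IP", "172.16.1.1"),
        "route_l3": Frame("1/1", "00:e0:ed:00:00:01", "IP", "10.0.0.50"),
        "route_between_vlans": Frame("1/1", "00:e0:ed:00:00:01", "IP", "172.16.1.1"),
        "no_route": Frame("1/1", "00:e0:ed:00:00:01", "IP", "198.51.100.5"),
        "own_ip": Frame("1/1", "00:e0:ed:00:00:01", "IP", "192.0.2.10"),
        "arp_flood": Frame("1/1", BROADCAST, "ARP"),
        "stp": Frame("1/1", STP_MAC, "STP"),
        "multicast": Frame("1/1", "01:00:5e:00:00:01", "IP", "224.0.0.1"),
        "unknown_proto": Frame("1/1", "00:e0:ed:00:00:01", "LLDP"),
    }
    return {name: a.forward(f) for name, f in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} {decision}")
```

The two cases worth noting are vlan_mismatch (a learned MAC on another interface is still not bridged when the VLANs differ) and route_between_vlans (the same destination is reachable once the packet is addressed to the appliance's own MAC, because L3 mode routes between VLANs). Flip l2_mode off and the bridge case turns into a drop, which is the behaviour the bridging-loop warning relies on.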


How to Configure Full VPN Setup on a NetScaler Gateway Appliance

Configure a full VPN Setup on a NetScaler Gateway Appliance

To configure a VPN setup on NetScaler Gateway appliance, complete the following procedure:

  1. From NetScaler configuration utility, navigate to Traffic Management > DNS.

  2. Select the Name Servers node, as shown in the following screen shot.

    Ensure that the DNS Name Server is listed. If it is not available, add a DNS Name Server.

    User-added image

  3. Expand NetScaler Gateway > Policies.

  4. Select the Session node.

  5. Activate the Profiles tab of NetScaler Gateway Session Policies and Profiles page and click Add.

    Note: For each component you configure in the Configure NetScaler Gateway Session Profile dialog box, ensure that you select the Override Global option for the respective component.

  6. Activate the Client Experience tab.

  7. Type the intranet portal URL in the Home Page field if you want to present a URL when the user logs in to the VPN.

    If the homepage parameter is set to "nohomepage.html", no homepage is displayed: when the plug-in starts, a browser instance starts and is killed automatically.

    User-added image

  8. Select the desired setting from the Split Tunnel list (for more information about this setting, see Split Tunnel under Additional Parameters below).

  9. Select OFF from the Clientless Access list if you want full VPN.

    User-added image

  10. Ensure that Windows/Mac OS X is selected from the Plug-in Type list.

  11. Select the Single Signon to Web Applications option if desired.

  12. Ensure that the Client Cleanup Prompt option is selected if required, as shown in the following screen shot:

    User-added image

  13. Activate the Security tab.

  14. Ensure that ALLOW is selected from the Default Authorization Action list, as shown in the following screen shot:

    User-added image

  15. Activate the Published Applications tab.

  16. Ensure that OFF is selected from the ICA Proxy list under Published Applications option.

    User-added image

  17. Click Create.

  18. Click Close.

  19. Activate the Policies tab of the NetScaler Gateway Session Policies and Profiles page in the Vserver or activate the Session Policies at the GROUP/USER Level as required.

  20. Create a Session policy with a required expression or ns_true, as shown in the following screenshot:

    User-added image

  21. Bind the Session policy to the VPN virtual server.

    Go to NetScaler Gateway virtual server > Policy. Choose the required session policy (in this example Session_Policy) from the drop-down list.

  22. If Split Tunnel was configured to ON, you should configure the Intranet Applications you would like the users to access when connected to the VPN. Go to NetScaler Gateway > Resources > Intranet Applications.

    User-added image

  23. Create a new Intranet Application. Select Transparent interception for full VPN with the Windows client. Select the protocol you want to allow (TCP, UDP, or ANY) and the Destination Type (IP address and Mask, IP address Range, or Hostname).

    User-added image

  24. There is no full VPN support for iOS and Android apps through this profile. Set a separate policy for Citrix VPN on iOS and Android using the following expression:

    REQ.HTTP.HEADER User-Agent CONTAINS NSGiOSplugin || REQ.HTTP.HEADER User-Agent CONTAINS CitrixVPN

    User-added image

  25. Bind the Intranet Applications created at the USER/GROUP/VSERVER level as required.

Additional Parameters

The following are some of the parameters we can configure and a brief description of each:

Split Tunnel

Diagram of split tunnel settings

User-added image

Split Tunnel Off

When split tunnel is set to off, the NetScaler Gateway Plug-in captures all network traffic originating from a user device and sends it through the VPN tunnel to NetScaler Gateway. In other words, the VPN client installs a default route on the client PC pointing to the NetScaler Gateway VIP, so all traffic has to be sent through the tunnel to reach its destination. Because all traffic goes through the tunnel, authorization policies determine whether it is allowed to pass to internal network resources or is denied.

While set to "off", all traffic goes through the tunnel, including standard web traffic to Internet websites. If the goal is to monitor and control this web traffic, forward these requests from NetScaler to an external proxy. User devices can also connect through a proxy server for access to internal networks.

NetScaler Gateway supports the HTTP, SSL, FTP, and SOCKS protocols for this. To enable proxy support for user connections, specify the proxy settings on NetScaler Gateway: the IP address and port used by the proxy server. The proxy server is then used as a forward proxy for all further connections to the internal network.

For more information review the following links:

Enabling Proxy Support for User Connections

Split Tunnel OFF

Split Tunnel ON

You can enable split tunneling to prevent the NetScaler Gateway Plug-in from sending unnecessary network traffic to NetScaler Gateway. If split tunnel is enabled, the NetScaler Gateway Plug-in sends only traffic destined for networks protected by NetScaler Gateway (intranet applications) through the VPN tunnel; traffic for unprotected networks is not sent to NetScaler Gateway. When the NetScaler Gateway Plug-in starts, it obtains the list of intranet applications from NetScaler Gateway and installs a route on the client PC for each subnet defined on the Intranet Applications tab. The plug-in examines every packet transmitted from the user device and compares the destination address with that list (the routing table created when the VPN connection was started). If the destination address falls within one of the intranet applications, the plug-in sends the packet through the VPN tunnel to NetScaler Gateway. If it does not, the packet is not encrypted and the user device routes it using the default routing originally defined on the client PC. In short, when you enable split tunneling, intranet applications define the network traffic that is intercepted and sent through the tunnel.

For more information review the following link:

Split Tunnel ON

Reverse Split Tunnel

NetScaler Gateway also supports reverse split tunneling, which defines the network traffic that NetScaler Gateway does not intercept. If you set split tunneling to reverse, intranet applications define the network traffic that NetScaler Gateway does not intercept. When you enable reverse split tunneling, all network traffic directed to internal IP addresses bypasses the VPN tunnel, while other traffic goes through NetScaler Gateway. Reverse split tunneling can be used to log all non-local LAN traffic. For example, if users have a home wireless network and are logged on with the NetScaler Gateway Plug-in, NetScaler Gateway does not intercept network traffic destined to a printer or another device within the wireless network.

To configure split tunneling

  1. From the Configuration Utility navigate to Configuration tab > NetScaler Gateway > Policies > Session.
  2. In the details pane, on the Profiles tab, select a profile and then click Open.
  3. On the Client Experience tab, next to Split Tunnel, select Global Override, select an option and then click OK twice.

Configuring Split Tunneling and Authorization

When planning your NetScaler Gateway deployment, it is important to consider split tunneling and the default authorization action and authorization policies.

For example, you have an authorization policy that allows access to a network resource, split tunneling is set to ON, and you have not configured an intranet application that covers that resource. With this configuration the authorization policy allows the resource, but the plug-in never sends that traffic through the tunnel, so users cannot reach it.

Diagram of split tunneling and authorization policy

User-added image

If the authorization policy denies access to a network resource, you have split tunneling set to ON, and intranet applications are configured to route network traffic through NetScaler Gateway, the NetScaler Gateway Plug-in sends traffic to NetScaler Gateway, but access to the resource is denied.
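To make the interplay between the three split tunnel settings and authorization concrete, the following Python model, added here and not part of the Citrix documentation, runs sample destinations first through the plug-in's decision (tunnel or not) and then through the gateway's authorization check. The intranet applications, authorization policies and addresses are constructed for the example; both outcomes the paragraphs above describe, allowed-but-unreachable and tunneled-but-denied, are reproduced.

```python
"""Split tunnel and authorization decision model for NetScaler Gateway.
Added illustration, not Citrix code; intranet applications, authorization
policies and destination addresses are constructed for the example."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


def plugin_tunnels(split_tunnel: str, intranet_apps: List[str], dst: str) -> bool:
    """Does the NetScaler Gateway Plug-in send a packet for dst into the tunnel?
    OFF: everything (the default route points at the VIP).
    ON: only destinations inside an intranet application.
    REVERSE: everything except destinations inside an intranet application."""
    in_app = any(ip_address(dst) in ip_network(net) for net in intranet_apps)
    mode = split_tunnel.upper()
    if mode == "OFF":
        return True
    if mode == "ON":
        return in_app
    if mode == "REVERSE":
        return not in_app
    raise ValueError(f"unknown split tunnel setting {split_tunnel!r}")


def gateway_authorizes(policies: List[Tuple[str, str]], default_action: str, dst: str) -> bool:
    """First matching authorization policy (network, ALLOW|DENY) wins; with no
    match the Default Authorization Action applies."""
    for net, action in policies:
        if ip_address(dst) in ip_network(net):
            return action == "ALLOW"
    return default_action == "ALLOW"


def outcome(split_tunnel: str, intranet_apps: List[str],
            policies: List[Tuple[str, str]], default_action: str, dst: str) -> str:
    """NOT_TUNNELED: the packet leaves the client unencrypted via its own routing
    table and the gateway never sees it, whatever the authorization policy says."""
    if not plugin_tunnels(split_tunnel, intranet_apps, dst):
        return "NOT_TUNNELED"
    return "ALLOWED" if gateway_authorizes(policies, default_action, dst) else "DENIED"


def demo() -> Dict[str, str]:
    corp = ["10.0.0.0/8"]                       # constructed intranet application
    home_lan = ["192.168.1.0/24"]               # reverse split: traffic that bypasses the tunnel
    allow_fs = [("10.1.1.0/24", "ALLOW")]       # constructed authorization policies
    deny_fs = [("10.1.1.0/24", "DENY")]
    web = "198.51.100.10"                       # documentation-range "Internet" host
    return {
        # Policy allows 10.1.1.5, split ON, but no intranet application covers it.
        "allowed_but_not_tunneled": outcome("ON", [], allow_fs, "DENY", "10.1.1.5"),
        # Intranet application sends it to the gateway, the policy denies it there.
        "tunneled_but_denied": outcome("ON", corp, deny_fs, "ALLOW", "10.1.1.5"),
        "tunneled_and_allowed": outcome("ON", corp, allow_fs, "DENY", "10.1.1.5"),
        # Split ON: Internet traffic never reaches the gateway.
        "web_split_on": outcome("ON", corp, [], "ALLOW", web),
        # Split OFF: the same traffic is tunneled, so the default action decides.
        "web_split_off_allow": outcome("OFF", corp, [], "ALLOW", web),
        "web_split_off_deny": outcome("OFF", corp, [], "DENY", web),
        # Reverse split: the home printer stays local, everything else is tunneled.
        "printer_reverse": outcome("REVERSE", home_lan, [], "ALLOW", "192.168.1.20"),
        "web_reverse": outcome("REVERSE", home_lan, [], "ALLOW", web),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26s} {result}")
```

The point the model makes is that the two controls are evaluated in different places: the plug-in decides on the client, before encryption, and the authorization policy decides on the gateway. A resource that is allowed but not covered by an intranet application (split ON) is never presented to the gateway, so the allow has no effect, while with split OFF every destination, including the Internet, is subject to the default authorization action.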

For more information about authorization policies, review the following:

Configuring Authorization

Configuring Authorization Policies

Setting Default Global Authorization

To configure network access to internal network resources

  1. In the configuration utility, on the Configuration tab, navigate to NetScaler Gateway > Resources > Intranet Applications.
  2. In the details pane, click Add.
  3. Complete the parameters for allowing network access, click Create and then click Close.


Intranet IPs

No Intranet IPs

User-added image

When we do not set up Intranet IPs for the VPN users, the user sends the traffic to the NetScaler Gateway VIP and from there the NetScaler builds a new packet to the intranet application resource on the internal LAN. This new packet is sourced from the SNIP. The intranet application receives the packet, processes it and replies to the source of that packet (the SNIP). The NetScaler receives the reply on the SNIP and sends it back through the tunnel to the client that made the request.

For more information review the following link:

No Intranet IPs

Intranet IPs

User-added image

When Intranet IPs are used, the user sends the traffic to the NetScaler Gateway VIP and the NetScaler maps the client to one of the Intranet IPs configured in the pool. Be advised that the NetScaler owns the Intranet IP pool, so these ranges must not be used elsewhere in the internal network. The NetScaler assigns an Intranet IP to each incoming VPN connection much as a DHCP server would. It then builds a new packet to the intranet application on the LAN, sourced from the client's Intranet IP. The intranet application processes the packet and replies to its source, the Intranet IP. That reply has to be routed back to the NetScaler, which holds the Intranet IP subnets. The network administrator therefore needs a route for the Intranet IP range pointing at one of the SNIPs; it is recommended to point it at the SNIP on the interface from which the packet originally left the NetScaler, to avoid asymmetric traffic.

For more information review the following link:

Intranet IPs

Configuring Name Service Resolution

During installation of NetScaler Gateway, you can use the NetScaler Gateway wizard to configure additional settings, including name service providers. The name service providers translate the fully qualified domain name (FQDN) to an IP address. In the NetScaler Gateway wizard, you can configure a DNS or WINS server, set the priority of the DNS lookup, and the number of times to retry the connection to the server.

When you run the NetScaler Gateway wizard, you can add a DNS server at that time. You can add additional DNS servers and a WINS server to NetScaler Gateway by using a session profile. You can then direct users and groups to connect to a name resolution server that is different from the one you originally used the wizard to configure.

Before configuring an additional DNS server on NetScaler Gateway, create a virtual server that acts as a DNS server for name resolution.

To add a DNS or WINS server within a session profile

  1. In the configuration utility, on the Configuration tab, navigate to NetScaler Gateway > Policies > Session.
  2. In the details pane, on the Profiles tab, select a profile and then click Open.
  3. On the Network Configuration tab, do one of the following:
    • To configure a DNS server, next to DNS Virtual Server, click Override Global, select the server and then click OK.
    • To configure a WINS server, next to WINS Server IP, click Override Global, type the IP address and then click OK.


VPN Client IP Pool (IIP) Traffic Flow and Routing

There are two examples each of communication with and without IIP; check the SRCIP / DSTIP in the packets to understand the key differences.

Familiarity with basic networking concepts such as static routes, default routes and NAT is needed for a proper understanding.

For easier viewing, a ppt containing these slides is attached.

User-added image

User-added image

User-added image

User-added image

User-added image

Key Points to note:

1. The IIP is first seen on the wire only when VPN traffic is exiting NetScaler Gateway towards the Destination the VPN Client wants to connect.

2. The exit interface of NetScaler Gateway for VPN Traffic is always determined by route lookup of the Destination the VPN Client wants to connect.

3. The Source IP of the packet exiting NetScaler Gateway

– Will be the SNIP determined by route-lookup, If IIP is Disabled

– Will be the IIP assigned to the VPN Client, If IIP is Enabled, regardless of the exit interface.
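The three key points above as a Python model, added here and not part of the original post or of Citrix code. The route table, SNIPs, IIP pool, client addresses and the internal router's return route are constructed for illustration. Besides the exit interface and source IP choice, the model checks whether the server's reply can get back, which is where a missing or misdirected return route for the IIP pool shows up.

```python
"""Exit interface and source IP selection for NetScaler Gateway VPN traffic,
with and without Intranet IPs (IIP). Added illustration, not Citrix code;
the route table, SNIPs, IIP pool, clients and internal routes are constructed."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str, str]        # (network, exit interface, SNIP on that interface)


class Gateway:
    def __init__(self, routes: List[Route], iip_pool: str, iip_enabled: bool):
        # Longest prefix wins, as in a normal route lookup.
        self.routes = sorted(routes, key=lambda r: ip_network(r[0]).prefixlen, reverse=True)
        self.pool = [str(h) for h in ip_network(iip_pool).hosts()]
        self.iip_enabled = iip_enabled
        self.leases: Dict[str, str] = {}

    def lease_iip(self, client: str) -> str:
        """Hand out the next free pool address, as a DHCP server would."""
        if client not in self.leases:
            self.leases[client] = self.pool[len(self.leases)]
        return self.leases[client]

    def route_lookup(self, dst: str) -> Optional[Tuple[str, str]]:
        for net, iface, snip in self.routes:
            if ip_address(dst) in ip_network(net):
                return iface, snip
        return None

    def egress(self, client: str, dst: str) -> Optional[Dict[str, str]]:
        """Key points 2 and 3: the exit interface comes from the route lookup on
        the destination; the source is the SNIP of that interface, or the
        client's IIP when IIP is enabled, regardless of the exit interface."""
        hit = self.route_lookup(dst)
        if hit is None:
            return None
        iface, snip = hit
        src = self.lease_iip(client) if self.iip_enabled else snip
        return {"exit_iface": iface, "src_ip": src, "dst_ip": dst}


def return_path(gw: Gateway, internal_routes: List[Tuple[str, str]], pkt: Dict[str, str]) -> str:
    """Can the server's reply get back to the gateway? internal_routes are the
    internal router's (network, next hop) entries. A SNIP source is on a
    connected subnet, so the reply just works; an IIP source needs a route for
    the pool, ideally pointing at the SNIP of the interface the packet left on."""
    src = pkt["src_ip"]
    if src in {snip for _, _, snip in gw.routes}:
        return "OK"
    expected_hop = gw.route_lookup(pkt["dst_ip"])[1]
    for net, next_hop in internal_routes:
        if ip_address(src) in ip_network(net):
            return "OK" if next_hop == expected_hop else "ASYMMETRIC"
    return "UNREACHABLE"


def demo() -> Dict[str, str]:
    routes = [("10.10.0.0/16", "1/2", "10.10.0.5"),      # server VLAN A
              ("10.20.0.0/16", "1/3", "10.20.0.5"),      # server VLAN B
              ("0.0.0.0/0", "1/1", "192.0.2.5")]         # default route, client side
    internal = [("10.99.0.0/24", "10.10.0.5")]           # pool route only via the 1/2 SNIP
    snip_gw = Gateway(routes, "10.99.0.0/24", iip_enabled=False)
    iip_gw = Gateway(routes, "10.99.0.0/24", iip_enabled=True)
    a = snip_gw.egress("203.0.113.7", "10.10.5.25")
    b = iip_gw.egress("203.0.113.7", "10.10.5.25")
    c = iip_gw.egress("203.0.113.7", "10.20.7.7")        # same client, other VLAN
    d = iip_gw.egress("203.0.113.9", "10.10.5.25")       # second client
    return {
        "snip_src": a["src_ip"], "snip_iface": a["exit_iface"],
        "snip_return": return_path(snip_gw, internal, a),
        "iip_src": b["src_ip"], "iip_iface": b["exit_iface"],
        "iip_return": return_path(iip_gw, internal, b),
        "iip_other_iface": c["exit_iface"], "iip_other_src": c["src_ip"],
        "iip_other_return": return_path(iip_gw, internal, c),
        "second_client_iip": d["src_ip"],
        "no_pool_route": return_path(iip_gw, [], b),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} {v}")
```

The iip_other case is the one the Intranet IPs section warns about: the packet leaves on 1/3 sourced from the client's IIP, but the only internal route for the pool points at the 1/2 SNIP, so the reply comes back on a different interface than the request left on. Either add a pool route per server segment pointing at that segment's SNIP, or accept the asymmetry knowingly; with no pool route at all the reply simply never arrives.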


High Availability Traffic/Heartbeats are not seen on NetScaler Tagged Channel Network Interfaces

If you are optimizing traffic on a multi-tenant server network with numerous VLANs while isolating management traffic, you might encounter a problem where heartbeat packets are not visible on all interfaces.

This is common on NetScaler high availability pairs using link aggregation on EtherChannel switch ports (in this example Cisco switches). The following output demonstrates the issue:

> show node
1) Node ID: 0
   IP: 10.187.125.21 (ns01)
   Node State: UP
   Master State: Primary
   Fail-Safe Mode: OFF
   INC State: DISABLED
   Sync State: ENABLED
   Propagation: ENABLED
   Enabled Interfaces : 0/1 LA/1
   Disabled Interfaces : 1/8 1/7 1/6 1/4 1/3 1/2 0/2
   HA MON ON Interfaces : 1/8 1/7 1/6 1/4 1/3 1/2 0/1 0/2 LA/1
   Interfaces on which heartbeats are not seen : LA/1
   Interfaces causing Partial Failure: None
   SSL Card Status: UP
   Hello Interval: 200 msecs
   Dead Interval: 3 secs
   Node in this Master State for: 0:21:42:50 (days:hrs:min:sec)
2) Node ID: 1
   IP: 10.187.125.22
   Node State: UP
   Master State: Secondary
   Fail-Safe Mode: OFF
   INC State: DISABLED
   Sync State: SUCCESS
   Propagation: ENABLED
   Enabled Interfaces : 0/1 LA/1
   Disabled Interfaces : 1/8 1/7 1/6 1/4 1/3 1/2 0/2
   HA MON ON Interfaces : 1/8 1/7 1/6 1/4 1/3 1/2 0/1 0/2 LA/1
   Interfaces on which heartbeats are not seen : LA/1
   Interfaces causing Partial Failure: None
   SSL Card Status: UP
Local node information:
   Critical Interfaces: 0/1 LA/1
Done

In most cases the heartbeat packets are stopped by a VLAN tagging mismatch on the switch. Review the following article for additional information: CTX109843 – How to Configure a NetScaler Appliance Using Link Aggregation to Connect Pairs of Interfaces to the Cisco Switches


Big problem with VNX and Global Security

Hi all, good morning.

I have a problem with a "virgin" VNX.

I put a VNX in a rack and have to configure it from scratch by going to the IP page x.x.x.x/setup.

IMPORTANT: The VNX is not in a network anymore (because it's a LAB environment).

When I get to the setup page I receive a certificate error and the following message:

"global security is not initialized. You must initialize global security in order to target this system."

First question: I need to connect my laptop by crossover cable to a hub, and from the hub to the VNX by a normal Ethernet cable, right?

Second question: I don't know why, when the browser tries to find a certificate, it proposes, for example, my Outlook certificate....

Any ideas on how I can enter the setup page?

Thanks a lot to all


Re: Adding static route in Avamar

Hello All,

I don't know whether this is the right question to ask, but as a newbie to the Avamar product I would like someone to answer my question regarding adding static routes to Avamar (single node grid). Is it even possible?

We have two networks (network 1, network 2) which are isolated, but recently we decided to back up all the clients from network 2 to network 1. Since both networks are segregated, the networking team created a routing interface for devices in network 1 to talk to devices in network 2 and vice versa. So my question is, is it possible to add a static route in Avamar (IDPA) for all the devices in network 1 to talk to devices in network 2?

Note: the networking team did a ping test from all the routers (16) in network 2 to Avamar and to the routing interface; everything is reachable. Even the Avamar in network 1 can reach the routing interface that was created but cannot reach any router (16) in network 2. There are no firewalls on the routers in network 2. So what changes need to be made on Avamar/DD? Is it even possible?

I hope this makes sense. Let me know if you have any questions. I can provide more details if needed.

Thanks in advance

PK
