Handling 'enclaves of NetScaler's' with UHMC

Hello!

I just had a call from a colleague: customer XYZ (not their real name) has purchased the new Universal Hybrid Multi Cloud ‘bundle’. They need to run some NetScalers in an ‘enclave’. In this case, an enclave is a separate, air-gapped network. How can they do that when their NetScaler Console is managing the NetScaler(s) in the broader network and has no connectivity into the enclave(s)?

  1. Who comes up with these names? Universal Hybrid Multi-cloud is soooo long. It will be called UHMC from now on in this piece.
  2. The enclave environment exists as an isolated segment from the main network; they are not connected at all. I remember speaking with a nuclear power outfit, they had three separate network zones that were all segmented from each other. They had weird names, but each to their own…

Why is this a problem?

In some environments the segmentation of enclaves has to be achieved physically, typically for security reasons. You know why.

Trust no one!

One of the new models for issuing NetScaler licenses uses a centrally placed license Console to provide capacity to the appliances. This centralised model then presents an issue for the air-gapped, segmented approach that some customers have.

This diagram shows a customer with two environments.

Red is the secure enclave environment and Blue is the ‘regular’ network.

When a NetScaler has a local license file, this isn’t a problem, as you can take the file across to the Red network and install it on the various appliances. To be clear, there would be a different file for each appliance. You will likely only need to do this every few years, so it is not too much of a problem.

However, how can you do this when you need a centralised NetScaler Console?

The solution(s)

There are two options to solve this issue.

  1. Continue to use local licenses. NetScaler can still be bought with local licenses, just request it when ordering. These are called ‘Fixed capacity/term licenses’.
  2. Deploy a smaller NetScaler Console system inside each enclave to provide capacity there: assign capacity to that server, and from it to the locally connected NetScalers.

To be fair, in some cases the commercial options for the UHMC deal are more attractive than buying multiple fixed licenses, as this typically gives the customer more capacity and flexibility for covering the NetScaler requirements across the estate, for the enclaves as well as the main network.

Read on to see how that second option is deployed.

Adding a local copy of NetScaler Console for the enclave

The solution is to place a NetScaler Console into the enclave; it can then serve the local NetScalers in that environment.


Red and Blue networks

In the example above:

  • The blue network is the ‘regular network’.
  • The red network is the enclave, which runs totally separate from the blue network.

What does NetScaler Console require to run?

The requirements page (link in the comments) has the full details; the key table is below.

NetScaler Console Requirements

I expect that if you need to set up a few enclaves, the 32GB and 8 vCPU requirement per Console could become a bit of an objection.

To be clear, NetScaler Console is available in two versions.

  1. NetScaler Console running on-premise.
  2. NetScaler Console Service.

The one that runs as a cloud service is obviously not going to work for an enclave, as they typically don’t have internet access. For security reasons, right?

The assumption is that NetScaler Console on-premise will be used in this case for the Red enclave.

NetScaler Console, license server only mode

One option when setting up NetScaler Console is to select this.

Licensing only mode.

Choosing the second option allows the Console to be deployed with fewer resources, which might be a better fit for this enclave requirement. The docs link is here.

How do I get this to actually work?

Here are the steps.

  1. Deploy NetScaler Console into the ‘Red’ enclave. Download the latest 14.1 NetScaler Console and spin it up with the resources suggested above (8 GB of memory, 4 vCPU cores and the default drive size). Naturally, you will need a suitable hypervisor to run this on; choose an image that suits.
  2. Make a note of the ‘Host id’ once the Console is deployed. It is here:

Hostid

3. Once the NetScaler Console is running and you have a note of that host ID (it’s a 10-minute deployment job), log in to the Citrix license portal with a suitable account. There will be a list of licenses, like this:

Take and assign capacity

4. We need to assign capacity to this Console. In the screenshot above there are multiple lines of licenses. Assume that my Red enclave is going to be running NetScaler VPX FIPS instances.

I will need:

NetScaler flexed VPX FIPS SW Instances - I will take 12 of these units.

NetScaler Flexed Platinum BW 100MB - I will take 120 of these units.

This gives me 12 x VPX Premium 1Gbps appliances. Having this capacity on the NetScaler Console allows it to be flexed between instances in the Red enclave.

5. When the capacity is assigned, I just import the two files onto the Red NetScaler Console.

6. I can then go to each NetScaler in the Red enclave and point it at the new Console IP address. If the assignment is different from what the NetScaler currently has, this might require a reboot.
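As an added example (my own, not Citrix’s and not from this article), here is a small planner that generalises the step 4 arithmetic to several enclaves: it rounds bandwidth up to whole 100 MB units, checks that the portal pool is not overdrawn, and totals the Console VM footprint that each enclave adds. The SKU names and footprints are the figures quoted above; the pool sizes are constructed.

```python
# Capacity planner for per-enclave NetScaler Console license servers. Constructed
# example: SKU names and Console footprints are the article's figures; pool sizes are made up.
from dataclasses import dataclass
from math import ceil

INSTANCE_SKU = "NetScaler Flexed VPX FIPS SW Instances"   # one unit per VPX FIPS instance
BW_SKU = "NetScaler Flexed Platinum BW 100MB"             # bandwidth, sold in 100 Mbps units
BW_UNIT_MBPS = 100

# (GB RAM, vCPU) per Console VM: full mode vs. licensing-only mode, as quoted above.
CONSOLE_FOOTPRINT = {"full": (32, 8), "licensing_only": (8, 4)}


@dataclass
class Enclave:
    name: str
    instances: int
    mbps_per_instance: int

    def units(self):
        """Units to withdraw from the portal for this enclave's own Console.
        Bandwidth comes in whole 100 Mbps units, so 250 Mbps costs 3 units."""
        bw_units = ceil(self.mbps_per_instance / BW_UNIT_MBPS) * self.instances
        return {INSTANCE_SKU: self.instances, BW_SKU: bw_units}


def plan(pool, enclaves, console_mode="licensing_only"):
    """Split the portal pool across air-gapped enclaves, one Console per enclave.
    pool maps SKU -> units still available. Raises ValueError if the enclaves
    need more than the pool holds: an isolated Console cannot borrow capacity from
    the main network later, so any shortfall must be fixed in the portal up front."""
    remaining = dict(pool)
    allocations = {}
    for enc in enclaves:
        need = enc.units()
        for sku, n in need.items():
            if remaining.get(sku, 0) < n:
                raise ValueError(f"{enc.name}: short of {sku} by {n - remaining.get(sku, 0)}")
            remaining[sku] -= n
        allocations[enc.name] = need
    ram, vcpu = CONSOLE_FOOTPRINT[console_mode]
    count = len(enclaves)  # every enclave carries its own Console VM (the "1000 enclaves" cost)
    consoles = {"count": count, "ram_gb": ram * count, "vcpu": vcpu * count}
    return {"allocations": allocations, "remaining": remaining, "consoles": consoles}


if __name__ == "__main__":
    # The article's worked case: 12 VPX FIPS instances at 1 Gbps in the Red enclave.
    print(plan({INSTANCE_SKU: 40, BW_SKU: 500}, [Enclave("Red", 12, 1000)]))
```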

Remote licensing

Issues?

There have been some assumptions about how to solve this issue in this piece. What else could be a problem? I can only think of one main problem.

1000 enclaves?

Clearly, if there are many enclaves, using NetScaler Console could be a problem, as the resources and management needed could be unwanted. It means there is another point to manage and update, in addition to the NetScalers themselves. There are some plans to address this with product updates.

Summary

Okay, so we have a local NetScaler Console running in the ‘Red’ enclave, providing licensed capacity as required.

The steps might look ‘onerous’, but it isn’t that time consuming really; the steps above are just quite detailed. This process can be more of a problem for customers when they find this out, as it might be something that they did not expect to have to do. This process took about 30 minutes, start to finish.

Hopefully, this was useful. Let me know if there are points that need further clarification.


