Citrix NetScaler as Forward Proxy

In this blog I will describe how to configure the Citrix NetScaler as a Forward Proxy. The installation and screenshots are based on a NetScaler VPX 1000 Platinum license, so there could be some slight differences between the screenshots. The Citrix NetScaler is a good product for replacing Microsoft TMG. Microsoft TMG is end-of-life, so customers are searching for another solution. Besides Forward Proxy the Citrix NetScaler can also be a Reverse Proxy. This will be explained in another blog shortly.

In order to use the Citrix NetScaler as a forward proxy you should have at least the NetScaler Enterprise or NetScaler Platinum edition license available, because the cache redirection feature needs to be configured for this.

Configure Citrix NetScaler as Forward Proxy

Enable Feature

Select System, Settings, Configure Advanced Features

Select at least Cache Redirection and click OK

Select Configure Basic Features

Select at least Content Filter and Load Balancing and click OK

Create DNS Load Balancing

The Cache Redirection feature requires a DNS Load Balancing VIP in order to work, so this is the first step.

Select Traffic Management, Load Balancing, Servers

Click Add

Server Name: I used ExternalGateway because I have just one DNS server in my homelab.
IPAddress: Enter the IPAddress of the DNS server

Create a Server for every DNS server you want to use.

Select Service Group

Click Add

Name: DNSServer (choose the Name you want)
Protocol: DNS

Click OK

Click on Members under Advanced on the right side

Click on No Service Group Member

Select Server Based
Server Name: select at least one of the created Servers.
Port: 53

Click Create

If you want to add more, select x Service Group Member(s) and repeat the above steps. Otherwise click Done.

Select Virtual Servers

Click Add

Name: ExternalDNS (or something else)
Protocol: DNS
IP Address Type: Non Addressable 

Click OK

I selected Non Addressable because I don’t need access to this Load Balancing DNS Virtual Server from outside the Citrix NetScaler.

Click OK

Click on Service Group under Advanced on the right side

Click on No Load Balancing Virtual Server ServiceGroup Binding

Click on Click to select

Select DNSServer (or the name you chose in the above steps)
Click OK

Click on Bind

Click Done

Create Cache Redirection Server  

Now we can create a cache redirection server.

Select Traffic Management, Cache Redirection, Virtual Servers

Click Add

Name: The Virtual Server Name you like
Protocol: HTTP
IP Address: The IP Address the Virtual Server should respond on (this IP Address needs to be configured on the clients as well)
Port: The Port the Virtual Server should respond on
Cache Type: FORWARD

Click OK

Click on Policies under Advanced on the right side

Click on To add, please click on the + icon

Choose Policy: Filter

Click Continue

I chose Filter as the policy because I want to create rules that determine which server has access to a particular website.

Click Click to select to bind policies

Click Add

Filter Name: Dropsites
Expression: REQ.HTTP.HEADER Host NOTCONTAINS www.rickroetenberg.com
Request Action: Drop

With this expression every request will be dropped by the NetScaler unless you are requesting www.rickroetenberg.com.

Another example:
REQ.HTTP.HEADER Host CONTAINS www.rickroetenberg.com && REQ.IP.SOURCEIP == 10.0.0.102

In this example requests for www.rickroetenberg.com will be dropped for the server with IP 10.0.0.102. All other servers/workstations which use the Citrix NetScaler as proxy will be allowed to visit every website.

Click Create

Click OK

Click Bind

Click Done

If you follow this blog you can configure the Citrix NetScaler as a forward proxy.
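
The two filter expressions from the Dropsites step, modelled in plain Python as an added example (not part of the original post and not NetScaler code). It assumes CONTAINS and NOTCONTAINS behave as substring tests on the Host header, uses constructed sample requests, and adds a hypothetical `exact_allowlist` check for comparison.

```python
# Added example: a plain-Python model of the two filter rules in this post.
# Assumption: CONTAINS / NOTCONTAINS are modelled as substring tests on the
# Host header value; this is not NetScaler's expression engine.

SITE = "www.rickroetenberg.com"

def dropsites(req):
    # REQ.HTTP.HEADER Host NOTCONTAINS www.rickroetenberg.com -> Drop
    return SITE not in req["host"]

def block_one_client(req):
    # REQ.HTTP.HEADER Host CONTAINS www.rickroetenberg.com
    #   && REQ.IP.SOURCEIP == 10.0.0.102 -> Drop
    return SITE in req["host"] and req["src"] == "10.0.0.102"

def exact_allowlist(req, allowed=frozenset({SITE})):
    # Hypothetical stricter check for comparison: drop unless the hostname
    # (lower-cased, port removed) is exactly one of the allowed names.
    hostname = req["host"].lower().split(":", 1)[0]
    return hostname not in allowed

def decisions(rule, requests):
    """Return 'DROP' or 'ALLOW' per request for a rule whose action is Drop."""
    return ["DROP" if rule(r) else "ALLOW" for r in requests]

# Constructed sample requests (source IP, Host header).
REQUESTS = [
    {"src": "10.0.0.101", "host": "www.rickroetenberg.com"},
    {"src": "10.0.0.102", "host": "www.rickroetenberg.com"},
    {"src": "10.0.0.101", "host": "www.example.org"},
    {"src": "10.0.0.101", "host": "www.rickroetenberg.com.example.net"},
    {"src": "10.0.0.101", "host": "www.rickroetenberg.com:80"},
]

if __name__ == "__main__":
    for name, rule in [("Dropsites", dropsites),
                       ("block_one_client", block_one_client),
                       ("exact_allowlist", exact_allowlist)]:
        print(f"{name:17}", decisions(rule, REQUESTS))
```

The fourth request shows the difference: under the substring assumption any Host value that contains the site name passes the Dropsites rule, while the exact comparison drops it.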

6 comments

  1. This works for both HTTP and HTTPS traffic. Point your Browser’s proxy to both the CacheRedirection Vserver IP and port 80, set the proxy to use the same proxy server for all protocols.

    Note that the external traffic will use a Source IP of the SNIP.

  2. Hi Rick,
    Nice article. Do you think it's possible to create a filter to allow a list of allowed websites?
    For instance,
    website1.com allow
    website2.com allow
    Deny all other.

    Regards
    Os

  3. Thanks Rick for sharing. I have a question.
    What is the use of the non-addressable DNS vserver you created? I do not see it being used in CR vserver you created later.

  4. Hi there Rick, nice article. By this in layman terms (I’m a newbie self-studying Netscaler) is this a process to allow users access the internet through Netscaler? Also what does the Reverse proxy do?

    1. Hi Ollie,

      This article describes the functionality to use the Citrix NetScaler as a proxy. If you’d like to use the Citrix NetScaler as Reverse Proxy you should use the Load Balancing feature.

      Greets,

      Rick
