Campus Logic Cloud to On-Premise Network and Citrix ADC Configuration

Summary

The Campus Logic Connect server reaches the Campus Logic cloud environment through our standard Internet PAT address (just like any other device on our network).  However, since the CL cloud must also initiate connections to the Connect server, we can either create a Network Address Translation (NAT) entry in the firewall, which opens a direct conduit from the Internet to the Connect server, or we can front the Connect server with a load balancer/reverse proxy.

Since this is an API call over HTTPS, tclconnect.nic.edu is content switched on the ADC.

Systems Involved

  • adcman.nic.edu
  • tclconnect.nic.edu
  • clconnect.nic.edu

Departments that use the system

  • Financial Aid

Overview

Since the Content Switched Virtual Server/VIP is already presented to the Internet (198.187.133.66 for test, 198.187.133.68 for production), all we need to do is add tclconnect.nic.edu and clconnect.nic.edu to the existing VIPs.  For this document, we will only work through tclconnect.nic.edu.

Citrix ADC Configuration

  • Log in to the Citrix ADC:  https://adcman.nic.edu for production, https://tadc01.nic.edu for test
  • Navigate to Traffic Management->Load Balancing->Servers and add the server

  • Create the Service for this server (this service uses the HTTP protocol, but you can use SSL if the server is listening on HTTPS)

  • Create a cs-vs Load Balancing SSL Virtual Server for the Content Switching Action to target; remember that the IP address of this virtual server will be Non Addressable

  • Be sure to bind this new cs-vs virtual server to the service you created earlier and to the *.nic.edu certificate, since this IS an SSL Virtual Server

  • Now navigate to Traffic Management->Content Switching->Actions
  • Create a Content Switching Action and select the cs-vs virtual server you just created

  • Create the Policy that will determine when the ADC should invoke the action.  The policy expression is shown below:

http.req.header("host").set_text_mode(ignorecase).contains("tclconnect.nic.edu")

  • This expression checks whether the Host header of the request contains tclconnect.nic.edu.  If it does, the ADC executes the cs_act_tclconnect action, which directs the request to the cs_vs_tclconnect virtual server.

  • Now that the Policy is created, bind it to the appropriate Content-Switched-VIP.  Since this is the test server, it will be bound to Content-Switched-VIP-Test
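The GUI steps above map onto the following Citrix ADC CLI commands, which can be pasted into an SSH session on the ADC. This is an added example, not part of the original runbook. The object names cs_vs_tclconnect, cs_act_tclconnect and Content-Switched-VIP-Test come from the page; the names srv_tclconnect, svc_tclconnect, cs_pol_tclconnect, the certificate-key name wildcard_nic_edu, the internal server address 10.0.0.10 and the policy priority 100 are assumptions or placeholders to replace with the real values.

```nscli
# Assumed object names and placeholder IP; replace with the real values.
# 1. Backend server object (internal address of the Connect server, placeholder)
add server srv_tclconnect 10.0.0.10

# 2. Service on the server (HTTP; use SSL/443 if the server listens on HTTPS)
add service svc_tclconnect srv_tclconnect HTTP 80

# 3. Non-addressable SSL LB vserver that the CS action will target
#    (0.0.0.0 port 0 is how "Non Addressable" is expressed on the CLI)
add lb vserver cs_vs_tclconnect SSL 0.0.0.0 0
bind lb vserver cs_vs_tclconnect svc_tclconnect

# 4. Bind the *.nic.edu wildcard certificate (assumed certkey name; must already be installed)
bind ssl vserver cs_vs_tclconnect -certkeyName wildcard_nic_edu

# 5. Content switching action pointing at the LB vserver
add cs action cs_act_tclconnect -targetLBVserver cs_vs_tclconnect

# 6. Policy using the Host-header expression from the page
add cs policy cs_pol_tclconnect -rule "HTTP.REQ.HEADER(\"Host\").SET_TEXT_MODE(IGNORECASE).CONTAINS(\"tclconnect.nic.edu\")" -action cs_act_tclconnect

# 7. Bind the policy to the existing test CS VIP (priority is assumed)
bind cs vserver Content-Switched-VIP-Test -policyName cs_pol_tclconnect -priority 100

# 8. Persist and verify: the service should show State: UP once the firewall rule permits ADC -> server
save ns config
show service svc_tclconnect
show cs vserver Content-Switched-VIP-Test
```

Two points worth checking after applying this: `show service svc_tclconnect` reports the backend as DOWN until the firewall object-group membership described later in this document is in place, which is the CLI equivalent of the service showing red in the GUI; and `CONTAINS` is a substring test, so if you want the policy to fire only for an exact host match, `HTTP.REQ.HEADER("Host").SET_TEXT_MODE(IGNORECASE).EQ("tclconnect.nic.edu")` is the stricter form (it will not match if a client sends an explicit port suffix in the Host header, which is unusual on 443).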

Now that the policy is bound, the ADC should process any requests for https://tclconnect.nic.edu and send them to the server.  However, we still need to update DNS (external and internal), and verify that the ADC (which is in the DMZ) can reach tclconnect.nic.edu, which is on the internal network.

External DNS Configuration

  • Under Existing DNS Zones, click on nic.edu

  • Click on Addresses


  • Enter the fully qualified host name along with the IP address you want that hostname to resolve to.  Since the load balancer VIP is acting as an actual host, we will create a standard "A" record.  However, since this IP address is shared by multiple hosts, we will not update the reverse (PTR) record.

  • Once created, the record will not take effect until you click Apply Configuration in the top right corner of the management window

Now that our external DNS has been updated, let's verify that the ADC has access to the server, since the ADC is in a DMZ.

  • There is an existing firewall rule that allows HTTP/HTTPS access from the ADCs to web servers that are members of the following Object Groups
    • NIC_Prod_Web_Apps
    • NIC_TestDev_Web_Apps
  • Verify with the Network team that your server is a member of the appropriate group.  If it is not, the firewall will block traffic sourced from the ADC to the server (and the server will show red when it is added to the ADC).