NetScaler NSIP/SNIP/MIP/VIP

NetScaler IP Address type definitions

There are a number of types of IP addresses which can be defined on the NetScaler, all of which have specific usages.

NSIP – NetScaler IP Address

The NetScaler IP (NSIP) address is the IP address at which you access the NetScaler for management purposes.
You must add this IP address when you configure the NetScaler for the first time.
You cannot remove the NSIP address.
The NetScaler can have only one NSIP.
The NSIP is also called the Management IP address.
If you modify this address, you must reboot the NetScaler.

SNIP – NetScaler Subnet IP Address

A subnet IP (SNIP) is similar in functionality to a MIP (defined later).
A subnet IP (SNIP) address is used in connection management and server monitoring.
It is not mandatory to specify a SNIP when you initially configure the NetScaler appliance.
In a multiple-subnet scenario, the NetScaler IP (NSIP) address, the mapped IP (MIP) address, and the IP address of a server CAN exist on different subnets.
To eliminate the need to configure additional routes on devices such as servers, you can configure subnet IP addresses (SNIPs) on the NetScaler.
With Use SNIP (USNIP) mode enabled, a SNIP is the source IP address of a packet sent from the NetScaler to the server, and the SNIP is the IP address that the server uses to access the NetScaler. This mode is enabled by default.
When you add a SNIP, a route corresponding to the SNIP is added to the routing table. The NetScaler determines the next hop for a service from the routing table, and if the IP address of the hop is within the range of a SNIP, the NetScaler uses the SNIP to source traffic to the service.
When multiple SNIPs cover the IP addresses of the next hops, the SNIPs are used in round robin manner.

MIP – Mapped IP Address

A Mapped IP address is similar in functionality to a SNIP (defined above).
Mapped IP addresses (MIP) are used for server-side connections.
A MIP can be considered a default subnet IP (SNIP) address, because MIPs are used when a SNIP is not available or Use SNIP (USNIP) mode is disabled.
If the mapped IP address is the first in the subnet, the NetScaler appliance adds a route entry, with this IP address as the gateway to reach the subnet.
You can create or delete a MIP during run time without rebooting the appliance.
As an alternative to creating MIPs one at a time, you can specify a consecutive range of MIPs.

VIP – Virtual IP Address

The Virtual IP address is where the external users will be authenticated.
A VIP is an IP address assigned to multiple domain names, servers or applications residing on a single server, instead of being tied to a specific server or network interface card (NIC) on a server.
Incoming data packets are sent to the VIP address which are routed to actual network interfaces.
A server IP address depends on the Media Access Control (MAC) address of the attached NIC, and only one logical IP address may be assigned per card. However, VIP addressing enables hosting for several different applications and virtual appliances on a server with only one logical IP address.
VIPs have several variations and implementation scenarios, including Common Address Redundancy Protocol (CARP) and Proxy Address Resolution Protocol (Proxy ARP).
VIPs are mostly used to consolidate resources through the allocation of one network interface per hosted application.
A VIP is also used for connection redundancy by providing alternative fail-over options on one machine; a VIP address may still be available if a computer or NIC fails, because an alternative computer or NIC replies to connections.
A VIP is the only IP address which can be disabled, causing any attached devices or services to go down.

NetScaler IP Address communication Usage

With the NetScaler, certain traffic will be sent using a specific type of IP address as the source address. Ensure that when you are deploying a NetScaler between firewall(s) that the correct traffic is permitted to run from the correct IP address.

LDAP, RADIUS, and other authentication traffic will use the NetScaler IP (NSIP).
DNS / WINS traffic will use the mapped IP (MIP) or Subnet IP (SNIP), depending on the route to the destination host.
VPN Traffic (from the Access Gateway Enterprise Edition to internal resources) uses the MIP, SNIP, or Intranet IP depending on which configuration you have chosen.
File System Portal, which is the “File Transfer” button on Access Gateway Enterprise Edition, uses the NSIP.
If ICA PROXY is switched ON, the MIP or SNIP is used, depending on the route to the destination host.

Example Firewall Rules

| Usage | Source | Target | Port Numbers |
| --- | --- | --- | --- |
| Management | Internal Network | NSIP Address | TCP 443 (HTTPS), TCP 80 (HTTP), TCP 22 (SSH), TCP 3008 (JAVA), TCP 3010 (JAVA) |
| External User Access | Client Machine / Internet | VIP Address | TCP 443 (HTTPS) |
| DNS Lookup | MIP / SNIP | DNS Server | TCP 53 (DNS), ICMP Echo (PING) |
| Authentication – Active Directory / LDAP | NSIP | Domain Controller(s) / LDAP Server(s) | TCP 389 (LDAP) and/or TCP 636 (LDAPS) |
| Authentication – RADIUS | MIP / SNIP | RADIUS Server(s) | TCP 1812 (RADIUS) |
| NTP Time Sync | NSIP | Time Server | UDP 123 (NTP) |
| Citrix Edgesight Monitoring In | Internal Network / Edgesight Server | NSIP | TCP 9307 (Edgesight Agent) |
| Citrix Edgesight Monitoring Out | NSIP | Internal Network / Edgesight Server | TCP 9307 (Edgesight Agent) |
| SCOM Monitoring In | Internal Network / Management Server | NSIP | TCP 5723 (SCOM Agent) |
| SCOM Monitoring Out | NSIP | Internal Network / Management Server | TCP 5723 (SCOM Agent) |
| Web Interface Access | MIP / SNIP | Web Interface Server | TCP 443 (HTTPS) |
| Web Interface SSO Call Back | Web Interface Server | VIP | TCP 443 (HTTPS) |
| ICA / XenApp Access | MIP / SNIP | XenApp Servers | TCP 443 (HTTPS), TCP 1494 (Citrix ICA), TCP 2598 (Citrix ICA with session reliability) |
| Licence Server Access (If Needed) | NSIP | Licence Server | TCP 27001 (Citrix Licence) |

DNS servers MUST be PING-able to be reported as UP and for the NetScaler to use them.
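A practical way to use a table like this is to check a perimeter firewall's rule set against the flows the NetScaler needs before go-live, so that a missing ICMP or ICA rule shows up as a failed check rather than as a DOWN DNS monitor or a broken session. The Python below is an added example for this page and is not Citrix code: it models first-match firewall rules, takes a subset of the flows from the table above (RADIUS and the monitoring rows are left out), and reports which required flows the rules would drop. All NetScaler, server and network addresses and the sample rule set are constructed for illustration.

```python
"""Check a perimeter firewall rule set against the flows a NetScaler needs.

Added example for this page; it is not Citrix code. All addresses and the
sample firewall rules are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed lab addressing (assumption, not taken from any real deployment).
NSIP = ipaddress.ip_address("10.10.0.5")          # management / NSIP
SNIP = ipaddress.ip_address("10.20.0.5")          # server-facing SNIP
DNS_SERVER = ipaddress.ip_address("10.30.0.53")
LDAP_SERVER = ipaddress.ip_address("10.30.0.10")
TIME_SERVER = ipaddress.ip_address("10.30.0.123")
XENAPP_SERVER = ipaddress.ip_address("10.40.0.21")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    usage: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str            # "tcp", "udp" or "icmp"
    port: Optional[int]   # destination port; None for ICMP


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str            # "tcp", "udp", "icmp" or "any"
    ports: range          # destination ports; ignored for ICMP
    action: str           # "permit" or "deny"

    def matches(self, flow: Flow) -> bool:
        if flow.src not in self.src or flow.dst not in self.dst:
            return False
        if self.proto not in ("any", flow.proto):
            return False
        return flow.proto == "icmp" or flow.port in self.ports


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; an implicit deny applies if nothing matches."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


def blocked_flows(rules: List[Rule], flows: List[Flow]) -> List[str]:
    """Return the usages from the required-flow list that the rules would drop."""
    return [f.usage for f in flows if evaluate(rules, f) != "permit"]


# Flows taken from the firewall table above, using the constructed addresses.
REQUIRED_FLOWS = [
    Flow("DNS lookup", SNIP, DNS_SERVER, "tcp", 53),
    Flow("DNS server monitor (PING)", SNIP, DNS_SERVER, "icmp", None),
    Flow("LDAPS authentication", NSIP, LDAP_SERVER, "tcp", 636),
    Flow("NTP time sync", NSIP, TIME_SERVER, "udp", 123),
    Flow("ICA", SNIP, XENAPP_SERVER, "tcp", 1494),
    Flow("ICA with session reliability", SNIP, XENAPP_SERVER, "tcp", 2598),
]

# Constructed sample ACL: the operator forgot ICMP to the DNS server and TCP 2598.
SAMPLE_RULES = [
    Rule(ipaddress.ip_network("10.10.0.5/32"), ipaddress.ip_network("10.30.0.0/24"),
         "tcp", range(389, 637), "permit"),
    Rule(ipaddress.ip_network("10.10.0.5/32"), ipaddress.ip_network("10.30.0.123/32"),
         "udp", range(123, 124), "permit"),
    Rule(ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_network("10.30.0.53/32"),
         "tcp", range(53, 54), "permit"),
    Rule(ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_network("10.40.0.0/24"),
         "tcp", range(1494, 1495), "permit"),
    Rule(ANY, ANY, "any", range(0, 65536), "deny"),
]


def main() -> None:
    for usage in blocked_flows(SAMPLE_RULES, REQUIRED_FLOWS):
        print(f"BLOCKED: {usage}")


if __name__ == "__main__":
    main()
```

Running the script against the sample rules reports the two forgotten flows: the ICMP echo the DNS monitor relies on and the session-reliability port. Swapping in the real NSIP, SNIP and server addresses, and exporting the actual ACL into `Rule` objects, turns this into a repeatable pre-deployment check.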

BackEnd Communications (MIP or SNIP)

The following scenarios describe how a NetScaler appliance selects the source IP address for backend server connections, using either a MIP or a SNIP depending on the configuration.

MIP and SNIP Address Available and USNIP Disabled

The appliance uses the MIP address to open backend server connections; SNIP addresses are not used.

MIP and SNIP Address Available, USNIP Disabled, and SNIP is Bound to VLAN and L3 Interface

The appliance uses the MIP address to open backend server connections; SNIP addresses are not used. The SNIP address is used only for L3 connectivity.

MIP and SNIP Address Available and USNIP Enabled

The appliance uses a SNIP address to open backend server connections, and MIP addresses are not used, unless the MIP address is configured in the same subnet as the SNIP address, in which case the MIP address is also used.
With USNIP enabled, the appliance looks up the route or subnet for the destination IP address and selects the source address from that subnet, regardless of whether it is a SNIP or a MIP address.

MIP and SNIP Address Available, USNIP Enabled, and SNIP is Bound to VLAN and L3 Interface

The appliance uses the SNIP address to open backend server connections, and the MIP address is not used; the SNIP address also provides L3 connectivity. If the MIP address is configured in the same subnet as the SNIP address, the MIP address is also used.
The source address is selected as in the previous scenario, by looking up the route or subnet for the destination. VLAN binding does not affect the source IP address selection.
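The selection rules above, together with the route lookup and SNIP round robin described in the SNIP section, can be captured in a small model that answers "which address will this backend server see the connection come from?", which is exactly what you need when writing the server-side firewall or host-based allow lists. The Python below is an added example and not NetScaler code: it is a simplified model of the behaviour this page describes (USNIP on or off, longest-prefix route lookup for the next hop, MIP fallback, round robin among SNIPs covering the same hop). The lab addresses, subnets and routes are constructed.

```python
"""Model of how a NetScaler chooses the source IP for a backend connection.

Added example, not NetScaler code: a simplified model of the behaviour the
page describes (USNIP on/off, route lookup for the next hop, MIP fallback,
round robin between SNIPs that cover the same hop). Addresses are constructed.
"""
import ipaddress
import itertools
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional

IPv4 = ipaddress.IPv4Address


@dataclass
class OwnedIP:
    address: IPv4
    subnet: ipaddress.IPv4Network   # the address together with its netmask
    kind: str                       # "SNIP" or "MIP"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[IPv4]         # None for a directly connected subnet


@dataclass
class SourceSelector:
    owned: List[OwnedIP]
    routes: List[Route]
    usnip: bool = True
    # One round-robin cursor per next hop, so repeated connections alternate.
    _cursors: Dict[IPv4, Iterator[OwnedIP]] = field(default_factory=dict)

    def next_hop(self, dst: IPv4) -> Optional[IPv4]:
        """Longest-prefix match. A connected route makes the destination the hop."""
        best = max((r for r in self.routes if dst in r.prefix),
                   key=lambda r: r.prefix.prefixlen, default=None)
        if best is None:
            return None
        return best.gateway if best.gateway is not None else dst

    def select(self, destination: str) -> Optional[str]:
        """Return the source address the appliance would use, or None if unroutable."""
        dst = ipaddress.ip_address(destination)
        hop = self.next_hop(dst)
        if hop is None:
            return None
        mips = [o for o in self.owned if o.kind == "MIP"]
        if not self.usnip:
            # USNIP disabled: a MIP opens the connection; SNIPs only give L3 reachability.
            return str(mips[0].address) if mips else None
        # USNIP enabled: any owned address whose subnet covers the hop, SNIP or MIP.
        candidates = [o for o in self.owned if hop in o.subnet]
        if not candidates:
            # No SNIP covers the hop: fall back to a MIP, the "default SNIP".
            return str(mips[0].address) if mips else None
        if hop not in self._cursors:
            self._cursors[hop] = itertools.cycle(candidates)
        return str(next(self._cursors[hop]).address)


def build_lab_selector(usnip: bool = True) -> SourceSelector:
    """Constructed lab topology (assumption): two SNIPs on one subnet, one SNIP
    on a second subnet, and a MIP on a third subnet."""
    ip, net = ipaddress.ip_address, ipaddress.ip_network
    owned = [
        OwnedIP(ip("10.20.0.5"), net("10.20.0.0/24"), "SNIP"),
        OwnedIP(ip("10.20.0.6"), net("10.20.0.0/24"), "SNIP"),
        OwnedIP(ip("10.50.0.5"), net("10.50.0.0/24"), "SNIP"),
        OwnedIP(ip("10.60.0.7"), net("10.60.0.0/24"), "MIP"),
    ]
    routes = [
        Route(net("10.20.0.0/24"), None),          # added automatically with the SNIP
        Route(net("10.50.0.0/24"), None),
        Route(net("10.60.0.0/24"), None),
        Route(net("10.99.0.0/16"), ip("10.50.0.1")),
        Route(net("0.0.0.0/0"), ip("10.20.0.1")),
    ]
    return SourceSelector(owned, routes, usnip)


if __name__ == "__main__":
    sel = build_lab_selector(usnip=True)
    for target in ("10.20.0.40", "10.20.0.40", "10.99.1.1", "10.60.0.9", "192.0.2.9"):
        print(f"USNIP on : {target:<12} <- {sel.select(target)}")
    print(f"USNIP off: 10.99.1.1    <- {build_lab_selector(usnip=False).select('10.99.1.1')}")
```

Two things the model makes visible that the prose leaves implicit: a server on a subnet that only a MIP covers will see the MIP as source even with USNIP enabled, and two SNIPs on the same subnet mean the server sees alternating source addresses, so a host-based allow list must include both.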