Domains, CNAMEs, DMZ? How do I do this?

nitrobass24

[H]ard|DCer of the Month - December 2009
Joined
Apr 7, 2006
Messages
10,465
As of right now I have a pretty simple network. No VLANs, no DMZ.
Internet --> Modem --> Sophos UTM --> Switch

I have a single static IP and I have a single domain: nitrobass24.com

What I want to do is have VPN access and VDI access through nitrobass24.com
Maybe something like remote.nitrobass24.com - UTM/VPN & vdi.nitrobass24.com for the Netscaler?

Thinking of adding a Citrix NetScaler to my setup to allow VDI outside of my network, but I am confused about where to place the device.
 
We use Netscaler to host our VDI to the intarwebs.
Although our org has an interesting network design.

We have a public IP that's NAT'ed to the internal IP on port 443. That's it.
Netscaler/Citrix Access Gateway then uses 1494 over the SSL VPN tunnel (that's established at the Access Gateway piece of the Netscaler) for the virtual desktop traffic.

One thing to note: VDI is finicky with SSL certs. They cannot be self-signed certs if you want to access it via an iOS or Android device, since those devices won't trust the cert.

So I guess what I'm saying is that the Netscaler can be behind the UTM.
 
Yeah, I have already dealt with the certificate issue. I am using a self-signed cert. All you need to do is export the root CA from your desktop as a .cer file, email it to yourself, open it on the iPad, and install it.
 
You have a single IP address. Any CNAME you use would just point to an A record with that IP address.

You might as well just use a wildcard pointing at the A record at the zone apex.
 
He means there is no point in having

vpn.whatever.com
remote.whatever.com
vdi.whatever.com
www.whatever.com

Because they will all point to the same IP.
 
Actually, you _should_ separate host names based on functionality - even if they all point to same addresses _now_. If you spread out to separate IP addresses in the future, then all you need to do is update a DNS record and not thousands of separate host name users.

Liberal use of CNAMEs is a good thing when it's thought out properly and not a mess.
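As an added example (not the thread's own configuration) illustrating the last two posts: a small Python checker that parses a constructed BIND-style zone for nitrobass24.com, follows each CNAME to its final A record, shows that every service name lands on the single address today, and shows that giving one service its own address later is a one-record change. The zone contents and the 192.0.2.x address are constructed placeholders.

```python
# Constructed zone for the thread's domain; 192.0.2.x is a documentation placeholder IP.
ORIGIN = "nitrobass24.com."
ZONE = """
@        IN A     192.0.2.10
gateway  IN A     192.0.2.10
remote   IN CNAME gateway
vdi      IN CNAME gateway
www      IN CNAME @
"""

def qualify(name):
    """Expand '@' and relative names to fully qualified names under ORIGIN."""
    return ORIGIN if name == "@" else name if name.endswith(".") else f"{name}.{ORIGIN}"

def parse_zone(text):
    """Parse 'name class type value' lines into {fqdn: (type, value)}."""
    records = {}
    for line in text.splitlines():
        line = line.split(";")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, _cls, rtype, value = line.split()
        if rtype == "CNAME":              # CNAME targets are names, so qualify them too
            value = qualify(value)
        records[qualify(name)] = (rtype, value)
    return records

def resolve(records, fqdn, max_hops=8):
    """Follow CNAMEs to the final A record; return (final_name, ip, hops)."""
    hops = 0
    while True:
        rtype, value = records[fqdn]
        if rtype == "A":
            return fqdn, value, hops
        if hops >= max_hops:              # guard against a CNAME loop
            raise ValueError(f"CNAME chain too long starting at {fqdn}")
        fqdn, hops = value, hops + 1

def by_address(records):
    """Group every name by the address it finally resolves to."""
    groups = {}
    for fqdn in records:
        groups.setdefault(resolve(records, fqdn)[1], []).append(fqdn)
    return groups

def move_service(records, fqdn, new_ip):
    """Give one service its own address: the one-record change the last post describes."""
    updated = dict(records)
    updated[fqdn] = ("A", new_ip)
    return updated
```

Running `by_address(parse_zone(ZONE))` groups all five names under 192.0.2.10; after `move_service(..., "vdi.nitrobass24.com.", "192.0.2.20")` only vdi moves while remote and www keep following the gateway record.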
 