PRJ-2026-04-dmz-migration: External Services DMZ Migration

1. Project Summary

Field       Value
----------  ----------------------------------------------------------------------------
PRJ ID      PRJ-2026-04-dmz-migration
Owner       Evan Rosado
Priority    P1 — security audit + remediation
Category    Network Security / Architecture
Status      Active — audit phase
Objective   Move all externally accessible internal services behind NetScaler (DMZ reverse proxy)
Risk        Internal services exposed directly to external traffic bypass perimeter inspection, WAF, and TLS termination

2. Purpose

2.1. Problem

Internal services (web portals, applications, APIs) are currently reachable from external networks without passing through the DMZ reverse proxy (NetScaler). This means:

  • No TLS termination/inspection at the perimeter

  • No WAF (Web Application Firewall) protection

  • No rate limiting or DDoS mitigation

  • Internal servers answer internet traffic themselves: the NAT rule maps a public port straight to the internal host, so the server's own software, TLS stack and application are the perimeter

  • If compromised, attacker lands directly on the internal network

2.2. Target Architecture

CURRENT (risky):
  Internet → Firewall NAT → Internal Server
                             ↑ no inspection, no proxy; the internal host is the NAT target

TARGET (secure):
  Internet → External Firewall → [ DMZ ] → Internal Firewall → Internal Server
                                    │
                          NetScaler (reverse proxy)
                          - TLS termination
                          - WAF inspection
                          - Rate limiting
                          - Load balancing
                          - Health monitoring
                          forwards clean traffic only, from its SNIP,
                          to the internal server's service port

2.3. Key Concepts

Reverse Proxy: Accepts external requests, inspects them, then forwards to internal servers. External users never see internal IPs.

Load Balancer: Distributes traffic across multiple internal servers for availability and performance.

NetScaler (formerly Citrix ADC): Performs BOTH functions. Already deployed in the DMZ; each service only needs a vServer and service binding pointed through it.

DMZ (Demilitarized Zone): Network segment between the external firewall and the internal firewall. A compromised DMZ host gets only what the internal firewall allows it, so restrict DMZ → internal rules to the NetScaler SNIP reaching each backend's service port; a NetScaler compromise then does not become a foothold on the internal network.

3. Phase 1: Discovery Audit

3.1. Step 1: Identify All External-Facing Services

Gather from firewall rules (NAT/PAT rules that expose internal IPs):

Service                    Internal IP   External Port   Protocol   Purpose          Behind NetScaler?
-------------------------  -----------   -------------   --------   --------------   -----------------
(example) Patient Portal   10.x.x.x      443             HTTPS      Patient access   NO — direct NAT

Where to find this:

  • Firewall NAT/PAT rules (pfSense/VyOS/ASA — look for destination NAT to internal IPs)

  • NetScaler vServer list (what’s already proxied)

  • DNS external records (what FQDNs resolve to your public IPs)

  • Load balancer configs

  • Nmap scan from external perspective (with authorization)

3.2. Step 2: Classify Each Service

Category                              Action                                  Examples
------------------------------------  --------------------------------------  ------------------------------------------------------------------------------
Must be behind NetScaler              Migrate to DMZ reverse proxy            Web portals, patient-facing apps, vendor APIs, OWA/Exchange, remote access portals
Should NOT be externally accessible   Remove NAT rule entirely                ISE admin, database servers, AD/LDAP, internal monitoring, management interfaces, hypervisor consoles
Already behind NetScaler              Verify and document                     Services already proxied correctly
VPN only                              Move behind VPN, remove direct access   Internal tools that only employees use remotely
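The discovery (Step 1) and classification (Step 2) above, as an added example that is not part of this project page or of the NetScaler product: a Python script that cross-references a firewall NAT export with the NetScaler ns.conf, marks each rule as behind NetScaler or not, and applies the Step 2 categories. Every IP, port, hostname and config line in it is constructed sample data. The NAT export format (`public:port/proto -> dest:port`, one rule per line) is an assumption; a real pfSense/VyOS/ASA export needs its own parser, and the ns.conf lines are the standard `add lb vserver` / `add service` syntax.

```python
# Added example for the discovery audit (sections 3.1 and 3.2). Not part of the
# project page or the NetScaler product. All IPs, ports, names and config lines
# are constructed; the NAT export format "public:port/proto -> dest:port" is an
# assumption and a real pfSense/VyOS/ASA export needs its own parser.
import re
from dataclasses import dataclass

# Constructed NAT export. 172.16.5.x is the DMZ (NetScaler VIPs), 10.x is internal.
NAT_RULES = """\
203.0.113.10:443/tcp  -> 10.20.30.15:443    # patient portal, direct to internal host
203.0.113.11:443/tcp  -> 172.16.5.10:443    # OWA, already pointed at a NetScaler VIP
203.0.113.12:1433/tcp -> 10.20.40.8:1433    # SQL server exposed by a stale rule
203.0.113.13:22/tcp   -> 10.20.30.20:22     # SSH to an app server
203.0.113.14:8080/tcp -> 10.20.30.33:8080   # vendor API
"""

# Constructed ns.conf excerpt (the real file is /nsconfig/ns.conf on the appliance).
NS_CONF = """\
add service svc-owa 10.20.30.50 SSL 443 -cip ENABLED X-Forwarded-For
add lb vserver vs-owa SSL 172.16.5.10 443 -persistenceType NONE
bind lb vserver vs-owa svc-owa
"""

# Section 6 ports that must never answer from the internet. 443 is deliberately
# absent: it is both the web port to proxy and the ISE/vCenter admin port, so a
# 443 rule is classified by what its destination host is, not by the port.
NEVER_EXPOSE = {22, 88, 161, 162, 389, 514, 636, 1433, 1521, 2484, 3000, 3268,
                3306, 5432, 5601, 8006, 8910, 9060, 9090}
WEB_PORTS = {80, 443, 8080, 8443}

@dataclass
class Exposure:
    public_ip: str
    ext_port: int
    proto: str
    dest_ip: str
    dest_port: int
    behind_netscaler: bool = False
    category: str = ""

NAT_RE = re.compile(r"^(\S+):(\d+)/(\w+)\s*->\s*(\S+):(\d+)")
VSERVER_RE = re.compile(r"^add (?:lb|cs) vserver \S+ \S+ (\S+) (\d+)")

def parse_nat(text):
    """One Exposure per NAT/PAT rule; comment-only and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            pub, ext_port, proto, dst, dst_port = m.groups()
            rules.append(Exposure(pub, int(ext_port), proto, dst, int(dst_port)))
    return rules

def netscaler_vips(ns_conf):
    """(ip, port) of every lb/cs vServer: the only legitimate NAT targets in the DMZ."""
    return {(m.group(1), int(m.group(2)))
            for m in map(VSERVER_RE.match, ns_conf.splitlines()) if m}

def classify(exp, vips):
    """Apply the section 3.2 categories to one NAT rule."""
    exp.behind_netscaler = (exp.dest_ip, exp.dest_port) in vips
    if exp.dest_port in NEVER_EXPOSE:
        exp.category = "Remove NAT rule"
    elif exp.behind_netscaler:
        exp.category = "Verify and document"
    elif exp.dest_port in WEB_PORTS:
        exp.category = "Migrate behind NetScaler"
    else:
        exp.category = "Review: non-web service, VPN only?"
    return exp

def audit(nat_text=NAT_RULES, ns_conf=NS_CONF):
    """Build the Step 1 inventory with the Step 2 classification attached."""
    vips = netscaler_vips(ns_conf)
    return [classify(e, vips) for e in parse_nat(nat_text)]

def render(rows):
    """Plain-text rows in the order of the Step 1 table."""
    lines = ["Public IP:port      ->  Dest IP:port        Behind NetScaler?  Action"]
    for r in rows:
        flag = "YES" if r.behind_netscaler else "NO"
        lines.append(f"{r.public_ip}:{r.ext_port:<5} -> {r.dest_ip}:{r.dest_port:<6} "
                     f"{flag:<18} {r.category}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(audit()))
```

The classification is deliberately conservative: a rule whose destination port is on the section 6 list is flagged for removal even when the destination happens to be a NetScaler VIP, because proxying a database or SSH port does not make it safe to expose.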

3.3. Step 3: Risk Score Each Service

Service     Data Sensitivity   User Base           Current Protection      Risk Score
----------  -----------------  ------------------  ----------------------  ----------
(example)   PHI/ePHI           External patients   Direct NAT (no proxy)   CRITICAL

4. Phase 2: Migration Plan (per service)

For each service being migrated behind NetScaler:

4.1. Pre-Migration

  • Document current NAT rule (source, dest, port, protocol)

  • Document internal server IP, port, health check URL

  • Obtain or generate TLS certificate for the service FQDN

  • Create NetScaler vServer configuration

  • Create NetScaler service/service group pointing to internal server

  • Configure health monitor (HTTP/HTTPS health check)

  • Configure WAF policies (if applicable)

  • Test in staging/lab if possible

4.2. Migration Window

  • Enable the vServer built in pre-migration and confirm its service/service group shows UP on the health monitor before cutting over

  • Update firewall: external traffic → NetScaler VIP (DMZ) instead of internal IP; add a DMZ → internal rule that allows only the NetScaler SNIP to the backend's service port

  • Update DNS if needed (point FQDN at the public address that NATs to the NetScaler VIP)

  • Verify external access works through NetScaler

  • Verify TLS certificate is correct (no mixed content, no cert errors)

  • Verify internal server sees traffic from NetScaler SNIP (not external IP directly). Because the backend now only sees the SNIP, enable client IP insertion on the service (set service <name> -cip ENABLED X-Forwarded-For) so application logs and lockout logic keep the real client address, and configure the backend to trust X-Forwarded-For only when the request comes from a SNIP

  • Remove old direct NAT rule

4.3. Post-Migration

  • Monitor NetScaler logs for errors

  • Verify no users impacted (check with service owner)

  • Document the change (CR in domus-captures)

  • Update firewall rule documentation
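The verification steps of the migration window, as an added example that is not part of this project page: offline checks for the DNS cutover, the certificate, and the "backend sees only the SNIP" condition, run over constructed data. The DNS lookup is injected as a callable so the checks run without a network (a `socket`-based default is provided for real use); the VIP, old NAT address, SNIPs, hostname and backend access-log lines are all constructed, and the log layout (combined format with the X-Forwarded-For value appended as a final quoted field) is an assumption about how the backend was configured to log.

```python
# Added example for the 4.2 verification steps. Not part of the project page.
# All addresses, hostnames and log lines are constructed; the backend log format
# (combined log + trailing quoted X-Forwarded-For field) is an assumption.
import re
import socket

NETSCALER_VIP = "203.0.113.11"        # public address that NATs to the DMZ vServer
OLD_DIRECT_NAT = "203.0.113.10"       # public address formerly NAT'd straight to the host
SNIPS = {"10.20.99.5", "10.20.99.6"}  # NetScaler subnet IPs the backend should see

# Constructed backend access log after cutover. Line 3 is the failure mode:
# a request arriving from a non-SNIP source, i.e. the old NAT rule is still live.
BACKEND_LOG = """\
10.20.99.5 - - [03/Apr/2026:10:01:12 +0000] "GET /portal/login HTTP/1.1" 200 5120 "198.51.100.23"
10.20.99.6 - - [03/Apr/2026:10:01:15 +0000] "POST /portal/auth HTTP/1.1" 302 0 "198.51.100.23"
198.51.100.77 - - [03/Apr/2026:10:02:01 +0000] "GET /portal/login HTTP/1.1" 200 5120 "-"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) \d+ "([^"]*)"')

def default_resolve(fqdn):
    """Real resolver for production use; the tests inject a fake instead."""
    return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None)})

def check_dns(fqdn, resolve):
    """FQDN must resolve to the NetScaler VIP and must not still point at the old NAT."""
    answers = set(resolve(fqdn))
    findings = []
    if NETSCALER_VIP not in answers:
        findings.append(f"{fqdn} does not resolve to NetScaler VIP {NETSCALER_VIP}: {sorted(answers)}")
    if OLD_DIRECT_NAT in answers:
        findings.append(f"{fqdn} still resolves to old direct-NAT address {OLD_DIRECT_NAT}")
    return findings

def check_cert(fqdn, sans):
    """The certificate bound to the vServer must cover the FQDN (exact or one-label wildcard)."""
    labels = fqdn.lower().split(".")
    for san in (s.lower() for s in sans):
        if san == fqdn.lower():
            return []
        if san.startswith("*.") and labels[1:] == san[2:].split("."):
            return []
    return [f"certificate SANs {sans} do not cover {fqdn}"]

def check_backend_log(log_text, snips=SNIPS):
    """Every backend request must come from a SNIP and carry X-Forwarded-For.
    A non-SNIP source means a path around NetScaler (old NAT rule) is still open."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            findings.append(f"line {n}: unparseable log line")
            continue
        src, _status, xff = m.groups()
        if src not in snips:
            findings.append(f"line {n}: request from {src} bypassed NetScaler (direct NAT still active?)")
        elif xff in ("", "-"):
            findings.append(f"line {n}: proxied request without X-Forwarded-For; enable client IP insertion on the service")
    return findings

def verify_migration(fqdn, resolve, sans, log_text=BACKEND_LOG):
    """All three checks; an empty list means the cutover is clean."""
    return check_dns(fqdn, resolve) + check_cert(fqdn, sans) + check_backend_log(log_text)

if __name__ == "__main__":
    for f in verify_migration("portal.example.org", lambda _: [NETSCALER_VIP], ["portal.example.org"]):
        print("FINDING:", f)
```

Run it against the real backend log after the old NAT rule has been removed, not before: until then the non-SNIP finding is expected and only tells you the cutover is incomplete.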

5. Phase 3: Hardening

After all services are behind NetScaler:

  • Enable WAF profiles on all HTTPS vServers

  • Configure rate limiting (prevent brute force)

  • Enable bot management (if licensed)

  • Configure content inspection policies

  • Set up NetScaler monitoring → Sentinel log ingestion

  • Remove ALL direct NAT rules to internal servers

  • Perform external vulnerability scan to validate no internal services are directly reachable
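The final hardening step, validating from outside that nothing but the NetScaler VIPs answers, as an added example that is not part of this project page: a parser for nmap's grepable output (`-oG`) that flags every open port not on an allow-list of VIP:port pairs. The scan output, the public addresses and the allow-list are constructed; the grepable line layout is nmap's own.

```python
# Added example for the Phase 3 external scan check. Not part of the project page.
# Parses nmap grepable (-oG) output and reports open ports outside the allow-list.
# The scan output and addresses below are constructed.
import re

# Only the DMZ NetScaler VIPs may answer from the internet, and only on 443.
ALLOWED = {("203.0.113.11", 443), ("203.0.113.15", 443)}

# Constructed output of: nmap -sS -p- -oG - 203.0.113.0/28   (run with authorization)
SCAN_OG = """\
# Nmap 7.94 scan initiated as: nmap -sS -p- -oG - 203.0.113.0/28
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 22/filtered/tcp//ssh///\tIgnored State: closed (65533)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (65534)
Host: 203.0.113.12 ()\tPorts: 1433/open/tcp//ms-sql-s///\tIgnored State: closed (65534)
# Nmap done
"""

# port/state/proto/owner/service/rpc/version, as nmap writes each entry
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/[^/,]*")

def parse_open_ports(og_text):
    """(host, port, proto, service) for every port nmap reports as open."""
    found = []
    for line in og_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":
                found.append((host, int(port), proto, service))
    return found

def unexpected_exposures(og_text, allowed=ALLOWED):
    """Open ports that are not an allow-listed NetScaler VIP:port pair."""
    return [e for e in parse_open_ports(og_text) if (e[0], e[1]) not in allowed]

if __name__ == "__main__":
    for host, port, proto, service in unexpected_exposures(SCAN_OG):
        print(f"UNEXPECTED: {host}:{port}/{proto} ({service or 'unknown'})")
```

Filtered ports are ignored on purpose: the check is for services that actually answer. Scan the full TCP range and the UDP ports from section 6 (161, 162, 514), since a direct NAT rule for a non-web service will not show up in a top-1000 scan.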

6. Services That Must NEVER Be Externally Accessible

A port number alone does not classify a NAT rule: 443 is both the web port that belongs behind NetScaler and the admin port of ISE and vCenter, so check what the NAT destination actually is before deciding.

Service                      Ports                                                                    Why
---------------------------  -----------------------------------------------------------------------  -------------------------------------------
ISE Admin / ERS / pxGrid     443 (admin GUI), 9060 (ERS API), 8910 (pxGrid)                           Network access control — internal only
Active Directory / LDAP      88 (Kerberos), 389/636 (LDAP/LDAPS), 445 (SMB), 3268/3269 (Global Catalog)   Domain services — VPN only
Database servers             1433 (MSSQL), 3306 (MySQL), 5432 (PostgreSQL), 1521/2484 (Oracle)        Data stores — internal only
Hypervisor management        443 (vCenter/ESXi), 8006 (Proxmox)                                       VM infrastructure — internal only
Monitoring dashboards        3000 (Grafana), 9090 (Prometheus), 5601 (Kibana)                         VPN only
SSH to servers               22                                                                       Management access — VPN + jump host only
SNMP                         161, 162 (UDP)                                                           Network management — internal only
Syslog                       514 (UDP/TCP), 6514 (TLS)                                                Log collection — internal only

7. Metadata

Field          Value
-------------  -------------------------
PRJ ID         PRJ-2026-04-dmz-migration
Author         Evan Rosado
Created        2026-04-01
Last Updated   2026-04-01
Status         Active — audit phase
Next Review    2026-04-08