NetScaler ADC TDM Presentation
NetScaler version 11.6

NetScaler ADC TDM

v2 March 2015 Citrix | Confidential

Agenda
- Introduction
- HA and Clustering
- SDX
- Admin Partitions
- Traffic Management
- SSL
- Networking
- Optimization
- Action Analytics

The Invincible Network: Resilient, Flexible, Secure

What is NetScaler
- Availability
- Performance
- Offload
- Security

NetScaler has been powering enterprise and e-commerce applications since 2002: load balancing, acceleration, security, SSL, optimization, availability, performance.

The Details
(Diagram: NetScaler appliances in front of SQL, FTP, HTTP, HTTPS, TCP, UDP, DNS, SaaS, IaaS, AD and gateway back ends, with NetScaler DataStream for database traffic.)

Feature matrix by column:

Availability
- Load Balancing (SLB)
- N+1 Clustering
- L4-7 Request Switching
- Advanced Health Checks
- Content Switching
- Cache Redirection
- Global Load Balancing (GSLB)
- Dynamic Routing / PBR
- HTTP Callout
- NetScaler DataStream
- AppExpert Policies

Security
- SSL Offload
- L4-7 ACL
- Network ACLs
- DoS Protections
- Rewrite + Responder
- Rate Limiting
- SSL VPN
- AAA for App Traffic
- Application Firewall
- NetScaler Gateway

Optimization
- SSL Offload
- TCP Offload
- TCP Buffering
- Surge Protection
- Compression
- Caching
- HTTP 2.0
- Client Keep-Alive
- SACK/Nagles
- TCP Westwood+

Management & Visibility
- HDX Insight
- Web Insight
- Action Analytics
- CLI/GUI
- Nitro REST API
- PowerShell
- Web Logging
- MSSCVMM/MSSCOM
- AppFlow
- Syslog
- SNMP
- Command Center

Platforms
- VPX: XenServer, VMware, Hyper-V; models 100, 200, 1G, 3G
- MPX: 5550-5650, 8005-8015, 9700-15500 FIPS, 11515-11542, 14020-14100, 22040-24150, 25100-25160T
- SDX: 8015, 11515-11542, 14020-14100, 22040-24150

Editions: Standard, Enterprise, Platinum, Express, Developer
Pay-As-You-Grow availability

Introducing NetScaler TriScale(TM) Technology
- Scale Up: elasticity with Pay-As-You-Grow. Grow capacity up to 5x. No new hardware.
- Scale In: simplicity with Many-In-One. 80:1 footprint reduction. No compromises.
- Scale Out: expandability with Add-and-Go Clustering. Better HA than HA. Scalability to Tbps.

High Availability & Clustering

Clustering for High Availability
Need to upgrade a server or NetScaler with no downtime?

Traditional HA: an Active/Passive pair of NetScalers
(Diagram: Primary and Secondary NetScaler between the external network and the internal network.)

NetScaler High Availability (HA) Essentials
- HA is Active/Standby only; the NetScaler GUI and CLI refer to the nodes as Primary/Secondary.
- NetScaler supports two modes:
  - Configuration Synchronization: configs are synced at device start and prior to a state change.
  - Command Propagation: commands are synchronized from the Primary to the Secondary unit at the time of execution.
- Communication:
  - HA communication uses UDP port 3003; 5 UDP packets are sent every second.
  - Communication happens ONLY between the NSIPs of the two NetScalers.
  - Both NetScalers must run the same build (major and minor) for synchronization and propagation.
  - HA communication is on all enabled interfaces; turn -hamon OFF on all unused interfaces.

NetScaler HA Tips and Tricks
- HA selection criteria:
  - If the state is the same, the node with the lower IP address is selected as Primary.
  - If the state is different (i.e. UP vs Not UP), the UP node becomes Primary.
  - Best practice: add the secondary node as Not Up (i.e. have unconnected interfaces enabled with HAMON ON).
- Layer 2 on a failover:
  - In the event of a failover the new Primary sends a Gratuitous ARP.
  - Virtual MACs can be configured on the NetScaler.
  - Best practice: use Virtual MACs (VMACs), a floating MAC shared between both devices.
- Other useful information:
  - A command can be used to force a preemption, or to mark a unit primary or secondary.
  - Additionally, a failover or synchronization can be forced with a command from a NetScaler.

Why Clustering?
(Diagram: ACTIVE/PASSIVE pair versus an all-ACTIVE cluster, 32X.)
- Elegant solution to scale up traffic
- Dynamic capacity
- Ease of management and configuration
- Satisfies the same requirements as HA
- Configuration replication
- Fault tolerance
- Efficient utilization

NetScaler Cluster

Facts
- Cluster of NetScaler nodes
- Can be formed with 2 to 32 nodes
- Single system image for the end user
- Built on the NetScaler nCore architecture
- No chassis or new hardware required
- Dynamic changes permitted

Benefits
- Provides linear scalability
- Higher throughput
- Configuration scalability
- Built-in fault tolerance
- Active-Active support
- Active-Standby support

Clustering
- Scale for speed
- Scale for app redundancy
- True clustering: data and management plane
- Scale: performance + redundancy
- Any form factor: cluster VPX (virtual appliance), MPX (hardware appliance) or SDX (multi-tenant appliance)
(Diagrams: applications spread across clustered NetScaler VPX, MPX and SDX nodes.)

Cluster logical topology

- CCO (Configuration Coordinator): syncs configuration, propagates commands, syncs files
- Cluster IP: owned by the CCO, used for management

Clustering Deployment Types

ECMP
- Each node advertises the VIP as a /32 route (VIP/32: Node0, Node1, Node2, Node3)
(Diagram: flow receiver node steering traffic to the flow processor node.)

CLAG
- CLAG MAC: 02-00-6f-<cluster ID>-00-00
- ARP request: CIP:CMAC -> VIP:broadcast
- ARP reply: VIP:CLAGMAC -> CIP:CMAC

LinkSet
- ARP request: CIP:CMAC -> VIP:broadcast
- ARP reply: VIP:ARP_OWNER_MAC -> CIP:CMAC

Distribution Mechanisms Comparison

Upstream device connectivity
- ECMP: all nodes must be connected. Can be used in combination with Link Sets.
- Link Sets: does not require all nodes to be connected.
- CLAG: all nodes must be connected. Can be used in combination with Link Sets.

Upstream device configuration required
- ECMP: YES
- Link Sets: NO
- CLAG: YES

Pros
- ECMP: best traffic distribution
- Link Sets: transparent to the upstream device
- CLAG: better traffic distribution

Cons
- ECMP: routes are limited to the maximum number supported by the router
- Link Sets: potential bottleneck; each VIP is initially handled by only one node
- CLAG: the number of switch ports used can be a limitation

Upgrading the Cluster
- Downtime: how is that possible? Upgrade one node at a time.
- Wouldn't that take down the cluster? No. Different versions can join the cluster; when a node reboots its sessions are redistributed; command propagation is disabled during the upgrade.
- Is this documented? Yes: http://bit.ly/1QBqbp0

SDX

NetScaler SDX
- Multi-tenant NetScaler
- Up to 80 instances
- Version independent
- Zero performance loss

Customer value
- Network consolidation
- Hardware sensibilities; virtualization benefits
- Support for 3rd party components

PCI DSS validation
When properly deployed, NetScaler SDX will meet the following PCI DSS version 2.0 requirements, including deployments with in-scope and out-of-scope VPX instances running on the same SDX appliance. (Requirement list: slide graphic, not extracted.)

NetScaler SDX
- Complete appliance instance per tenant
- Complete CPU, memory and SSL isolation
- Independent entity spaces
- Independent versioning
- Independent maintenance schedule
- Complete network isolation
- No performance degradation

SDX Device-level Resource Pools
- Define SDX device resource pools
- Set CPU, SSL, memory, network
- Create pool administrators

Pool administrators
- Only have access to their pools
- Can create/delete instances as they see fit
- Can allocate pool resources as they see fit
- Have visibility only into their pools

Details (use as needed)

Complete ADC Isolation: All critical system resources, including memory, CPU and SSL processing capacity, are assigned to individual NetScaler instances. This ensures that resource demands made by one tenant do not negatively impact the performance of other tenants running on the same physical system. It also provides greater security for each ADC instance through full separation of traffic flows. Each NetScaler instance on SDX has its isolation provided by virtualization technologies: XS (XenServer) isolates CPU and memory. For hardware acceleration of both networking and crypto, SR-IOV technology provides similar isolation in hardware. Cavium N3 devices don't have a standard mailbox for VF-PF communication but use Cavium's proprietary mailbox method, which implements a randomly generated 15-bit signature unique per VF, making VF-PF communication highly secure.

Full ADC Functionality: NetScaler SDX supports 100 percent of the ADC functionality available with both hardware-based NetScaler MPX appliances and software-based NetScaler VPX virtual appliances. This enables NetScaler SDX to consolidate all existing ADC deployments without any policy constraints.

Pay-As-You-Grow: The Pay-As-You-Grow option delivers on-demand elasticity, enabling organizations to easily scale ADC capacity to keep pace with application traffic growth. And because it leverages a software-based architecture, NetScaler SDX can scale performance and capacity with a simple software key, eliminating expensive hardware purchases and upgrades.

(Screenshot slides: Simplified Image Upgrade; User Experience - Initial Configuration; User Experience - New Dashboard; User Experience - Provision NetScaler.)

Comparative summary of NetScaler solutions

- Form factor: MPX: hardened network appliance; VPX: software-based virtual appliance; SDX: hardened network appliance
- ADC density: SDX: up to 80 (MPX and VPX values not extracted)
- Performance: MPX: up to 150 Gbps; VPX: up to 8 Gbps; SDX: up to 150 Gbps
- Full ADC functionality, Pay-As-You-Grow, Admin Partitions: row values not extracted

Admin Partitions: Key Use Cases

Enterprise
- IP overlapping
- Virtual routing
- Entity space separation
- 1 admin, multiple partitions
- Inter-partition access
- Authentication

Service Provider
- GUI/CLI/API/monitoring separation
- Config/SNMP/logs separation
- Connections/throughput/memory separation
- Entity space separation
- RBAC within partition
- IP overlapping

Cloud
- Most others
- API-driven definition
- Integration with the orchestration layer

(Diagrams: NetScaler without partitions versus NetScaler with partitions.)

Complete separation per admin partition: ns.conf, data plane, network plane, user plane, audit logs, SNMP, debugging, file system.

Traffic Management

NetScaler ADC meets traditional ADC needs
- High availability
- Geographical failover for disaster recovery
- Secure remote access
- Increased performance and efficiency through server offload, caching and compression

Load balancing and GSLB with NetScaler

Load Balancing
- Smooths out demand across all available servers
- Health monitoring of local resources
- Provides high availability if a server fails
- Sessions seamlessly transferred to an alternative server

Global Server Load Balancing
- Allows for disaster recovery: provides HA between sites
- Load balancing across geo locations
- Optimizes performance across locations by sending users to the best-performing source

Availability
- Server Load Balancing: provides the intelligence to always direct each request to the right server resource; continuously monitors the health of application and web servers
- Content Switching: Layer 7 load balancing; present different content to different users; can be based on IP range, geographical area, language or device used

Load Balancing: TCP and UDP client requests

Maintaining user sessions
- Source IP
- Cookie
- SSL Session ID
- Server-ID in URL query
- Custom Server-ID token (header or body)

Distributing traffic
- Least connections
- Lowest response time
- SNMP-based
- IBM SASP
- Hash-based
- Many more

Monitoring server health and availability
- TCP connection
- HTTPS connection
- Extended Content Verification
- Scriptable health checks

L7 Content Switching

HTTP requests
- Anything in the request body
- HTTP POST
- HTTP GET
- Request method
- Any HTTP payload value
- Domain
- Wildcard URL

Client attributes
- Device type
- Language
- Cookie
- Browser capability

Request protocol
- Any TCP request
- XML XPath support
- Any TCP payload value

Availability: Global Server Load Balancing (GSLB)
- Operates under the same general principles as load balancing
- Load balances traffic between multiple data centers
- Evaluates server health to distribute traffic
- Works via DNS

Use case: maintain business continuity during site-level disasters

Global Server Load Balancing
(Diagram: Site A and Site B serving B2C, B2B, P2P and remote public or private clients.)

Content Switching Virtual Server Support for GSLB

Introduction: current GSLB deployment limitations
- Cannot limit the number of GSLB services for selection
- Limited support for selecting a service on the basis of traffic
- Separate GSLB backup vserver for a subset of GSLB services

Feature support
- Limit the number of services on the basis of CS policy/traffic type
- Define a separate backup vserver for every GSLB vserver

NetScaler and SQL
- NetScaler allows better scalability: scale out rather than scale up; lower costs by using more, smaller servers
- Improved availability of data: intelligent load balancing and content switching; NetScaler can parse SQL
- Reduced CPU usage = lower license costs: NetScaler reduces the CPU usage of SQL Servers; caching means fewer requests need to go to the SQL Servers; NetScaler handles the encryption, taking load off the servers
- Improved user experience from reduced data retrieval latency

DataStream
(Diagram: app servers connecting through NetScaler DataStream to a pool of SQL Servers.)
- SQL-intelligent load balancing
- Offloads database connections
- Up to 20x increase in performance
- HA and disaster recovery
- MS SQL Server and MySQL support
Citrix exclusive: the competition offers no policy controls and no performance improvements.

Delivering Microsoft Applications
- Business-critical applications
- Availability is enhanced through load balancing
- Improved security: secure access required over SSL, often internally as well; application firewall protection
- Simple deployment via templates, including Hyper-V
- Small deployments benefit from VPX
- Mobile access to email via native apps
- Reduced load on servers: do more with existing servers

Why NetScaler for Exchange 2013?
- Availability
- Performance
- Security
- User experience
- Reduced load on servers: SSL offload, TCP multiplexing and buffering, static and dynamic caching, HTTP compression
(Diagram: customers, partners and employees reaching Exchange over SSL through NetScaler.)
Supports greater user capacity and more apps with minimal investment.

SSL

Auto Detection of CertKey Encoding
- NetScaler can now auto-detect the encoding type and load the certificate and key; no need to figure out and give the inform option.
- Supported formats: PEM, DER, PFX/PKCS#12
- For PFX, with the bundle option of the add certkey command, NetScaler will parse the PFX file, load the server cert and server key, load all the intermediate CA certs present in the PFX file, and link the certificates.
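To make the encoding auto-detection concrete, here is an added example (not NetScaler's implementation) of the checks a loader can run on the leading bytes of an uploaded file to tell PEM, DER X.509, a DER private key and PKCS#12 apart; the DER samples are constructed minimal skeletons, not real certificates or keys.

```python
"""Format sniffing for certificate/key uploads. Added example, not
NetScaler's implementation: it shows the kind of checks an ADC can run to
pick PEM, DER X.509, DER private key or PKCS#12 without an 'inform' hint.
The DER samples below are constructed minimal skeletons, not real keys."""
from typing import Dict, Optional, Tuple

PEM_MARKER = b"-----BEGIN "

# Constructed samples: real files are far longer, but the leading
# tag/length/version bytes are what the detector looks at.
SAMPLES: Dict[str, bytes] = {
    "pem": b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    # SEQUENCE { SEQUENCE { INTEGER 0x0100 } }  -> X.509 certificate shape
    "der_cert": b"\x30\x06\x30\x04\x02\x02\x01\x00",
    # SEQUENCE { INTEGER 3, ... }  -> PFX version 3
    "pkcs12": b"\x30\x03\x02\x01\x03",
    # same PFX skeleton with a long-form (0x82) length encoding
    "pkcs12_long_len": b"\x30\x82\x00\x03\x02\x01\x03",
    # SEQUENCE { INTEGER 0, ... }  -> PKCS#8 / PKCS#1 private key version 0
    "der_key": b"\x30\x03\x02\x01\x00",
    "garbage": b"hello",
}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Return (tag, content_offset, content_length) of the DER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                        # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 2 + n > len(buf):
        raise ValueError("bad DER length")
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, length


def detect_certkey_format(data: bytes) -> Optional[str]:
    """Classify as 'PEM', 'DER-CERT', 'DER-KEY' or 'PKCS12'; None if unknown."""
    if PEM_MARKER in data:                  # textual PEM armour wins outright
        return "PEM"
    try:
        tag, off, length = _read_tlv(data, 0)
        if tag != 0x30 or off + length > len(data):  # outer SEQUENCE required
            return None
        inner_tag, inner_off, inner_len = _read_tlv(data, off)
    except ValueError:
        return None
    if inner_tag == 0x30:
        # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "DER-CERT"
    if inner_tag == 0x02 and inner_off + inner_len <= len(data):
        # PFX ::= SEQUENCE { version INTEGER (v3), ... }
        # PKCS#8 / PKCS#1 keys start with INTEGER 0, SEC1 EC keys with 1
        version = int.from_bytes(data[inner_off:inner_off + inner_len], "big")
        if version == 3:
            return "PKCS12"
        if version in (0, 1):
            return "DER-KEY"
    return None


def classify_samples() -> Dict[str, Optional[str]]:
    """Run the detector over every constructed sample."""
    return {name: detect_certkey_format(blob) for name, blob in SAMPLES.items()}
```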

SSL Upcoming Enhancements: Cipher/Protocol

Protocols and ciphers
- TLS 1.1/1.2 on the backend on VPX appliances
- ECDHE, AES-GCM and SHA2 ciphers on MPX-FIPS appliances
- AES-GCM and SHA2 ciphers on VPX

Status matrix (rows: TLS 1.1/1.2 frontend, TLS 1.1/1.2 backend, ECDHE frontend, ECDHE backend, GCM/SHA2 frontend, ECDSA frontend; columns: MPX, VPX, FIPS appliances; legend: Already supported, Prioritized (H1'16), Future). Cell values were on the slide graphic and were not extracted.

DEFAULT Cipher Alias Re-ordering (Front-end)
- Give preference to AES/AES-GCM/ECDHE ciphers.
- De-prioritize RC4 ciphers.
- No ciphers dropped.

Old cipher order (28 ciphers):
SSL3-RC4-MD5 (0x0004)
SSL3-RC4-SHA (0x0005)
SSL3-DES-CBC3-SHA (0x000a)
TLS1-AES-256-CBC-SHA (0x0035)
TLS1-AES-128-CBC-SHA (0x002f)
SSL3-EDH-DSS-DES-CBC3-SHA (0x0013)
TLS1-DHE-DSS-RC4-SHA (0x0066)
TLS1-DHE-DSS-AES-256-CBC-SHA (0x0038)
......

New cipher order (28 ciphers):
TLS1-AES-256-CBC-SHA (0x0035)
TLS1-AES-128-CBC-SHA (0x002f)
TLS1.2-AES-256-SHA256 (0x003d)
TLS1.2-AES-128-SHA256 (0x003c)
TLS1.2-AES256-GCM-SHA384 (0x009d)
TLS1.2-AES128-GCM-SHA256 (0x009c)
TLS1-ECDHE-RSA-AES256-SHA (0xc014)
TLS1-ECDHE-RSA-AES128-SHA (0xc013)
......

Cipher Re-ordering (Back-end)
- Give preference to AES/AES-GCM/ECDHE ciphers.
- RC4-SHA still on top: internal network, legacy servers.
- No ciphers dropped.

Old cipher order (55 ciphers):
TLS_RSA_WITH_RC4_128_MD5 (0x0004)
TLS_RSA_WITH_RC4_128_SHA (0x0005)
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
TLS_RSA_WITH_DES_CBC_SHA (0x0009)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 (0x0060)
......

New cipher order (55 ciphers):
TLS_RSA_WITH_RC4_128_SHA (0x0005)
TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_RSA_WITH_RC4_128_MD5 (0x0004)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
......

SSL Manageability Improvement
- Default SSL profile: convenient adding/removing/reordering of ciphers and cipher groups; better control over SSL parameters
- SSL certificate management improvement: minimum steps, maximum use-case coverage; least possibility of error
- Reporting and debugging improvements: SSL N3 chip utilization reporting on MPX appliances; TLS 1.1/1.2 session and connection reporting; client authentication counter at VIP level

SSL Profile
- A profile is a container object representing a combination of several SSL attribute objects.
- All settings on an SSL vserver and the global SSL parameters (*) are available on the profile.
- Changes to a profile are directly reflected on all vservers it is bound to.
- New changes: global and per-vserver SSL profile; global default profile, enabled via the set ssl parameter command; a newly created SSL vserver inherits the default profile.
- Only one profile can be bound to a vserver.

Global and private profiles
(Diagram: the global default profile alongside private profiles, e.g. vserver Va bound to Profile-1 and vserver Vb to Profile-2, with vservers V1, V2 ... Vn.)

ECDHE Rocks
- Elliptic curve cipher: uses smaller keys; requires less CPU and memory; ECC is faster; ECC is more secure
- DH key exchange: best key exchange mechanism; no exchange of the premaster secret
- Perfect forward secrecy: future protection of data; ECC compensates for the cost of PFS in ECDHE
SNI: host multiple domains on a single IP
- Server Name Indication allows multiple applications to run on one IP address and port
- Bind multiple certificates to one server, one for each application
- Enables a server to host a group of domain names
- The client indicates which hostname it wants to connect to in the client hello
- Most browsers support SNI; it's time for servers now
(Diagram: client hello requesting site1.com; the server holds Site1, Site2 and Site3 certs and returns the Site1 certificate in the server hello.)

SAN: one certificate, multiple domains
- Subject Alternative Names allow various values for fields within a certificate
- More powerful than wildcard certificates
- Great when protecting alternate domains with the same website, e.g. site1.com and site1.org
- Improves certificate management across multiple servers

VPX Performance Improvement
- The NetScaler cloud-ready solution, VPX, will have improved performance and better SSL TPS
- Latest SSL protocol and cipher support on frontend and backend VPX ensures that all cloud deployments will be much more secure

ECDHE Performance Improvements in 11.0
- Test scenario: cipher TLS1-ECDHE-RSA-AES128-SHA, ECC curve P_256
- TPS by software release: 10.5: 3750; 11.0: 8200 (+120%)
(Chart also shows the values 30000 and 65000 and the labels Corinth and Decapolis; their series was not extracted.)

NetScaler FIPS Solutions
- MPX: MPX 9700/10500/12500/1550 FIPS
- SDX, VPX, MPX: Thales nShield
  - Network-attached hardware security module (HSM)
  - FIPS 140-2 Level 3 and Common Criteria EAL 4+ certified
  - Protects and manages private keys
  - Identity-based authentication mechanisms
  - Strong separation of duties
  - FIPS 140-2 Level 3: tamper response mechanisms that wipe out keys and critical security parameters if the cover is opened or if physical probing is detected

Qualys SSL Labs Report: NetScaler MPX/SDX/VPX
http://blogs.citrix.com/2015/05/22/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-the-sequel/

How to get that awesomeness
- Disable SSL 3.0
- TLS 1.2 must be enabled
- Cipher list to prefer ECDHE
- RC4 ciphers must be removed
- Implement Strict Transport Security
- Servers should support TLS_FALLBACK_SCSV
- Both server certificate and intermediate certificates should be SHA2 signed
http://blogs.citrix.com/?p=174211630
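The cipher re-ordering slides (prefer AES/AES-GCM/ECDHE, push RC4 down, drop nothing) and the SSL Labs checklist (prefer ECDHE, remove RC4) describe two policies over the same list; the added example below, which is not NetScaler code, applies both to the cipher names from the slides. The tiering is this example's own assumption, not the exact DEFAULT alias order the appliance ships.

```python
"""Cipher-list helper for the re-ordering and SSL Labs slides. Added
example, not NetScaler code: the tiering below is this example's own
reading of 'prefer ECDHE/AES-GCM/AES, de-prioritize RC4', not the exact
DEFAULT alias order the appliance ships."""
import re
from typing import Dict, List

# Constructed input using cipher names that appear on the slides.
OLD_FRONTEND_ORDER: List[str] = [
    "SSL3-RC4-MD5",
    "SSL3-RC4-SHA",
    "SSL3-DES-CBC3-SHA",
    "TLS1-AES-256-CBC-SHA",
    "TLS1-AES-128-CBC-SHA",
    "SSL3-EDH-DSS-DES-CBC3-SHA",
    "TLS1-DHE-DSS-RC4-SHA",
    "TLS1-DHE-DSS-AES-256-CBC-SHA",
    "TLS1.2-AES256-GCM-SHA384",
    "TLS1-ECDHE-RSA-AES128-SHA",
]

WEAK_TIER = 6


def cipher_tier(name: str) -> int:
    """Preference tier, lower is better. Works for both NetScaler-style
    (TLS1-...) and IANA-style (TLS_RSA_WITH_...) names."""
    n = name.upper().replace("_", "-")
    if ("RC4" in n or "EXPORT" in n or "-MD5" in n
            or "-DES40-" in n or re.search(r"-DES-CBC-", n)):
        return WEAK_TIER                   # RC4, export, MD5 MAC, single DES
    ecdhe, gcm, aes = "ECDHE" in n, "GCM" in n, "AES" in n
    if ecdhe and gcm:
        return 0
    if ecdhe and aes:
        return 1
    if gcm:
        return 2
    if aes:
        return 3
    if "3DES" in n or "DES-CBC3" in n:
        return 4
    return 5


def reorder(ciphers: List[str]) -> List[str]:
    """Re-rank without dropping anything (the front-end slide's policy).
    sorted() is stable, so the order inside a tier is preserved."""
    return sorted(ciphers, key=cipher_tier)


def harden(ciphers: List[str]) -> List[str]:
    """Re-rank and remove weak ciphers (the SSL Labs checklist's policy)."""
    return [c for c in reorder(ciphers) if cipher_tier(c) != WEAK_TIER]


def audit(ciphers: List[str]) -> Dict[str, object]:
    """Checklist items a cipher list alone can answer; SSLv3/TLS 1.2
    enablement, HSTS and TLS_FALLBACK_SCSV are protocol settings."""
    return {
        "rc4_present": any("RC4" in c.upper() for c in ciphers),
        "ecdhe_first": bool(ciphers) and "ECDHE" in ciphers[0].upper(),
        "weak_ciphers": [c for c in ciphers if cipher_tier(c) == WEAK_TIER],
    }
```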

Networking

Highlights
- Full-proxy IPv6-IPv4 server load balancing
- Full-featured WAF for IPv6
- Static and dynamic routing support
- NAT64, NAT46, DNS64
- ACL, RNAT, INAT
- IPv6 management
- Best IPv6 / IPv4 performance ratio
- Feature parity with IPv4
- No additional license fee for IPv6

IPv6 Features Summary

Networking
- Routing: dynamic (OSPF, RIP, BGP) and static
- Neighbor Discovery: address resolution, DAD, neighbor unreachability, router discovery
- Path MTU discovery
- VLANs: port based, prefix based
- VMACs
- DNS

Management
- IPv6 addresses for NSIPs (SNIPs, VIPs)
- IPv6 protocols (TCP6, UDP6, ICMP6)
- Ping6, Telnet6, SSH6
- SNMP and CVPN for IPv6
- HA

Load Balancing / Performance
- Mixed-mode deployments: IPv4 and IPv6 coexistence
- Layer 4/7 load balancing
- SSL offload
- IPv6 monitors
- DSR and USIP
- LLB

Security
- ACLs
- RNAT
- PBR
- Application Firewall
- DDoS protection
- HDOSP
- Surge protection
- Sure Connect
- Priority queuing

Application Layer Support
- Integrated caching
- Compression
- Rewrite
- Responder
- Rate limiting
- AAA-TM

Migration
- Dual-stack support
- IPv4-IPv6 and IPv6-IPv4 NAT
- Prefix-based translation
- Host header modification

Use cases
- Client migration: mix of IPv4 and IPv6 clients; IPv6 clients access IPv4 servers
- Slow server migration: mix of IPv4 and IPv6 servers; IPv4 clients access IPv6 servers
- Test IPv6-ready applications without upgrading the entire infrastructure to IPv6

SLB64 Internet Edge
- Make your IPv4 web applications available to external IPv6 users
- No changes to the existing server infrastructure
- Performance, availability, reliability and security of the application preserved
(Diagram: IPv6 VIPs exposed to IPv6 users on the IPv6 Internet, with the IPv4 network and IPv4 Internet behind the NetScaler.)

IPv6 Application Load Balancing
- SLB for IPv6 applications (e.g. Microsoft DA / UAG)
- Make IPv6 applications available to IPv4 and IPv6 clients
- Feature parity with IPv4 for advanced ADC functions
(Diagram: IPv4 and IPv6 Internet clients reaching the IPv6 and IPv4 networks through the NetScaler.)

Support matrix (client-facing virtual IP / server-facing SNIP)
- IPv4 / IPv4
- IPv6 / IPv4
- IPv4 / IPv6
- IPv6 / IPv6

NAT
- SLB NAT
- Layer 3 NAT: INAT, RNAT
- Prefix-based IPv6-IPv4 NAT

SLB NAT
- SLB NAT is used when server responses don't automatically pass through the NetScaler: one-arm mode, or servers and the NetScaler in different subnets
- SLB NAT is performed only when USIP is DISABLED
(Diagram: NetScaler performing SLB NAT for the Sales, Eng and Manf server groups in 10.102.1.1-30.)

SLB NAT Network profile
- SNIP/MIP used as the source IP for backend communication
- Network profiles are used for selecting the source IP (SNIP/MIP)
- Network profiles can be associated with a service/vserver
(Diagram: network profiles selecting the source IP toward the Sales, Eng and Manf server groups in 10.102.1.1-30.)

Network Profile order of selecting source IP
- Use Source IP (USIP) enabled: the client IP is always used for backend communication
- Network profile and USIP disabled (in order): network profile bound to the service; network profile bound to the servicegroup; network profile bound to the vserver
- Network profile and monitoring (in order): network profile bound to the monitor; network profile bound to the service; network profile bound to the servicegroup

Network Profile Configuration

Adding a network profile:
add netprofile salesNetPro -srcIp 10.102.1.1

Adding a network profile with an IPSET:
add netprofile salesNetPro -srcIp rangeIP

Setting a network profile:
set netprofile salesNetPro -srcIp 192.168.1.1

Binding a network profile:
set lb vserver salesVs -netProfile salesNetPro
set service salesSvc -netProfile salesNetPro
set servicegroup salesSvcGrp -netProfile salesNetPro
set monitor sales_mon -netProfile salesNetPro

Use case for NetProfile
- Apple wants to choose the source IP for Syslog traffic
- The source IP can now be used to identify syslog traffic
- Firewalls can be configured for the specific source IP

1. Types of L3 NAT: INAT
- INAT: NetScaler replaces the destination IP address

INAT (Destination NAT)
- Destination IP translation
- Supported scenarios: IPv4-IPv4, IPv4-IPv6, IPv6-IPv4 and IPv6-IPv6 mapping

INAT Source IP Selection (decision order)
1. Is USIP enabled? Yes: use the client IP.
2. Otherwise, is a proxy IP configured? Yes: use the proxy IP.
3. Otherwise, is USNIP enabled? Yes: use a SNIP.
4. Otherwise, is a MIP configured? Yes: use the MIP. No: error.

INAT - Configuration
add inat <name> <publicIP> <privateIP> [-tcpproxy ( ENABLED | DISABLED )] [-ftp ( ENABLED | DISABLED )] [-usip ( ON | OFF )] [-usnip ( ON | OFF )] [-proxyIP <ip_addr|ipv6_addr>] [-tftp ( ENABLED | DISABLED )] [-mode ( ENABLED | DISABLED )]
- Public IP: can be one of the NetScaler-owned VIPs
- Private IP: the translation IP
- TCP proxy: useful for security reasons, to mitigate DoS / DDoS attacks. Enabled: maintains the TCP session state. Disabled: does not maintain the TCP session state.
rm inat <name>
show inat [<name>]

2. Types of L3 NAT: RNAT
- RNAT: NetScaler replaces the source IP address

RNAT (Source NAT)
- Address-based translation: NATing is performed for all packets matching the address
- Extended ACL-based translation: NATing is performed for all packets matching the configured ACL
- NAT IP address used in translation: SNIP or MIP, or a unique IP configured as part of the NAT rule (-natip option)
- RNAT takes precedence over USIP mode if configured

RNAT Source IP Selection
- NATIP is always used when configured
- If NATIP is not configured, the source IP is selected based on the destination: VIP if explicitly configured using NATIP; SNIP if USNIP is ON; MIP for the rest of the cases
- For RNAT in LLB, source IP selection is based on the router (check the LLB documentation for more details)

RNAT Example Scenario

Blue flow:
1. Packet generated by server: Src = 192.168.2.1; Dst = 100.100.100.1
2. Packet received by client: Src = 200.200.200.202; Dst = 100.100.100.1
3. Response from client: Src = 100.100.100.1; Dst = 200.200.200.202
4. Response received by server: Src = 100.100.100.1; Dst = 192.168.2.1

Red flow:
1. Packet generated by server: Src = 192.168.1.1; Dst = 100.100.100.1
2. Packet received by client: Src = 200.200.200.201; Dst = 100.100.100.1
3. Response from client: Src = 100.100.100.1; Dst = 200.200.200.201
4. Response received by server: Src = 100.100.100.1; Dst = 192.168.1.1
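The two flows above can be reproduced with a small simulation; this is an added example, not NetScaler code. It assumes one RNAT rule per server /24 with a configured NATIP (the slide shows the addresses but not the rule masks) and a session table keyed on (NATIP, remote address) so the client's reply can be mapped back to the server.

```python
"""Simulation of the blue and red RNAT flows on the slide. Added example,
not NetScaler code: the rule networks (/24 per server), the session table
and the packet representation are this example's own assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class RnatRule:
    """'set rnat <network> <netmask> -natip <NATIP>' in slide terms."""
    network: ipaddress.IPv4Network
    natip: str


class Rnat:
    def __init__(self, rules: List[RnatRule]) -> None:
        self.rules = rules
        # session table: (natip, remote) -> original server address, so the
        # reply can be mapped back (assumption: one session per address pair)
        self.sessions: Dict[Tuple[str, str], str] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Server -> client: rewrite the source to the matching rule's NATIP."""
        src = ipaddress.IPv4Address(pkt.src)
        for rule in self.rules:
            if src in rule.network:
                self.sessions[(rule.natip, pkt.dst)] = pkt.src
                return Packet(rule.natip, pkt.dst)
        return pkt                      # no rule matched: forwarded untranslated

    def inbound(self, pkt: Packet) -> Packet:
        """Client -> server: restore the original destination from the session."""
        original = self.sessions.get((pkt.dst, pkt.src))
        if original is None:
            raise LookupError("no RNAT session for %s -> %s" % (pkt.src, pkt.dst))
        return Packet(pkt.src, original)


def run_slide_flows() -> Dict[str, List[Packet]]:
    """Replay both flows; each list holds the four numbered steps."""
    nat = Rnat([
        RnatRule(ipaddress.IPv4Network("192.168.2.0/24"), "200.200.200.202"),
        RnatRule(ipaddress.IPv4Network("192.168.1.0/24"), "200.200.200.201"),
    ])
    client = "100.100.100.1"
    flows: Dict[str, List[Packet]] = {}
    for colour, server in (("blue", "192.168.2.1"), ("red", "192.168.1.1")):
        step1 = Packet(server, client)      # generated by server
        step2 = nat.outbound(step1)         # received by client
        step3 = Packet(client, step2.src)   # client's response
        step4 = nat.inbound(step3)          # received by server
        flows[colour] = [step1, step2, step3, step4]
    return flows
```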

RNAT Configuration
set rnat <IPAddress> <netmask>
- MIP or SNIP will be used for translation
set rnat <IPAddress> <netmask> -natip <NATIPAddress>
- Provide a single IP or a range in <NATIPAddress>; the NATIP will be used for translation
set rnat <aclname> [-redirectPort <port>]
- MIP or SNIP will be used for translation for packets matching the ACL; redirectPort is the destination port to which traffic is redirected
set rnat <aclname> [-redirectPort <port>] -natIP <NATIPAddress>
- Provide a single IP or a range in <NATIPAddress>; the NATIP will be used for translation for packets matching the ACL; redirectPort is the destination port to which traffic is redirected
show rnat

Prefix-based IPv6-IPv4 translation
- IPv6 to IPv4 translation based on the matching prefix
- The destination IP is translated based on the configured prefix: the last 32 bits are used as the IPv4 address
- Example: IPv6 packet with Source 2001::1 and Destination 3ffe::74.125.91.105 becomes an IPv4 packet with Source 202.12.46.10 [NS] and Destination 74.125.91.105
- Configuration:
set ipv6 [-natprefix <ipv6_addr|*>]
show ipv6
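The prefix match and 32-bit suffix extraction from the slide, as an added example that is not NetScaler code; it assumes the NAT prefix is a /96 (3ffe::/96 here, so the whole low 32 bits are the IPv4 address) and reuses the slide's NetScaler-side source 202.12.46.10.

```python
"""Prefix-based IPv6-to-IPv4 destination translation as described on the
slide. Added example, not NetScaler code: the NAT prefix is assumed to be
a /96 and the NetScaler's IPv4 source is the slide's 202.12.46.10."""
import ipaddress
from typing import Optional, Tuple

NS_IPV4_SOURCE = "202.12.46.10"      # [NS] source shown on the slide


def translate_destination(nat_prefix: str, dst6: str) -> Optional[str]:
    """Return the embedded IPv4 address if dst6 lies inside nat_prefix,
    else None (the packet is not a candidate for translation)."""
    prefix = ipaddress.IPv6Network(nat_prefix, strict=False)
    if prefix.prefixlen != 96:
        raise ValueError("a 32-bit IPv4 suffix needs a /96 NAT prefix")
    addr = ipaddress.IPv6Address(dst6)   # accepts the 3ffe::74.125.91.105 form
    if addr not in prefix:
        return None
    low32 = int(addr) & 0xFFFF_FFFF      # last 32 bits carry the IPv4 address
    return str(ipaddress.IPv4Address(low32))


def translate_packet(nat_prefix: str, src6: str, dst6: str) -> Optional[Tuple[str, str]]:
    """IPv6 (src, dst) -> IPv4 (src, dst) as on the slide: the NetScaler
    substitutes its own IPv4 address as the source."""
    dst4 = translate_destination(nat_prefix, dst6)
    if dst4 is None:
        return None
    return NS_IPV4_SOURCE, dst4
```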

NAT Summary (scenario: INAT / RNAT / SLB NAT)
- 1:1: INAT: provide a private IP corresponding to the public IP. RNAT: provide only one IP in the rule with a configured NATIP address. SLB NAT: combination of a listen rule and a net profile with one IP attached to the vserver.
- N:1: INAT: provide the same private IP in different INAT rules. RNAT: provide a subnet in the RNAT rule. SLB NAT: net profile with one IP attached to the vserver.
- M:N: INAT: NA. RNAT: provide a subnet in the RNAT rule and a range in NATIP addresses. SLB NAT: net profile with a range / subnet IP attached to the vserver.

Dynamic Routing: protocols supported
- Routing Information Protocol (RIP) version 2
- Open Shortest Path First (OSPF) version 2
- Border Gateway Protocol (BGP)
- Routing Information Protocol next generation (RIPng) for IPv6
- Open Shortest Path First (OSPF) version 3 for IPv6
- IS-IS protocol
The protocols use the industry-standard ZebOS routing suite.

Dynamic Routing
Dynamic Routing Protocol

Command Reference Guide

Unsupported Commands

OSPF

OSPF Command Reference

Domain-id command
Graceful restart related commands
OSPF-TE related commands
OSPF-VPN related commands
CSPF-TE related commands
ip ospf resync-timeout command
capability opaque command
enable ext-ospf-multi-inst command

IPv6 OSPF (OSPFv3)

OSPF Command Reference

Graceful restart related commands


OSPF-TE related commands

BGP

BGP Command Reference

VPN/VRF related commands


Graceful restart related commands
MPLS related commands
6PE commands (IPv6 provider edge)
MD5 authentication related commands
Multicast options
set-overload-bit command

IS-IS

IS-IS Command Reference

capability cspf command


enable-cspf command
mpls traffic-eng command
mpls traffic-eng router-id command
multi-topology for ipv6 address family related commands
neighbor command

RIP and IPv6 RIP (RIPng)

Jumbo Frames
Use Case
Ability to send larger frames across the network, which helps large file transfer and content download use cases.

Feature
Receiving and transmitting jumbo frames containing up to 9216 bytes of IP data
Jumbo frame support for the following protocols:

TCP
UDP
HTTP
SIP
RADIUS

nCore is being validated in 10.5

Standard Ethernet Frame vs Jumbo Frame

Say we are transferring a file of 8500 bytes of application data.

Standard Ethernet frames (1500 bytes each): the 8500 bytes are split across six frames, five carrying 1500 bytes of application data and a sixth carrying the remaining <1500 bytes, each frame with its own header (HDR).

Jumbo frame: a single frame of HDR + 8500 bytes of application data.
Benefits of Ethernet jumbo frames

Big payloads
Fewer packets
Reduced protocol processing
Increased throughput and goodput
Less packet switching
Reduced network I/O
Lowered CPU usage

VXLAN Support
Virtualization has placed increased demands on the physical networking infrastructure:
VMs may be grouped according to their VLAN, but the limit of 4096 VLAN IDs is inadequate
Need to host multiple tenants, each with their own isolated networking domain
Each tenant may independently assign MAC addresses and VLAN IDs
Need for an overlay network that carries the MAC traffic of individual VMs in encapsulated form over a logical tunnel

Server reachability over VXLAN

Topology: a client (CLIENT IP 123.1.1.1) on VLAN 2 reaches the NetScaler VIP 65.1.1.1; the server VM (SERVER IP 192.168.1.10) sits behind a remote VTEP (10.216.1.2) and is reached over VXLAN 10000.

add vxlan 10000
add ipTunnel t1 10.216.1.2 255.255.255.255 * -protocol vxlan
bind vxlan 10000 -tunnel t1
bind vxlan 10000 -IPAddress 192.168.1.10 255.255.255.0

Server reachability over stretched VLAN

Topology: the client (CLIENT IP 123.1.1.1) on VLAN 2 reaches the NetScaler VIP 65.1.1.1; VLAN 10, which holds the SERVER SUBNET 192.168.1.0/24 (SERVER IP 192.168.1.10), is stretched from the NetScaler VTEP to the remote VTEP by VXLAN 10000 over a multicast tunnel.

add vxlan 10000 -vlan 10
add ipTunnel t1 239.1.0.3 255.255.255.255 * -protocol vxlan
bind vxlan 10000 -tunnel t1

Bridging between VLAN and VXLAN

Topology: SERVER 1 is on VLAN 2 attached to the NetScaler; SERVER 2 is behind a remote VTEP on VXLAN 20000. With L2 mode enabled, the NetScaler bridges frames between the VLAN and the VXLAN segment.

enable ns mode L2
add vxlan 20000 -vlan 2
add ipTunnel tun1 224.0.0.7 255.255.255.255 * -protocol vxlan
bind vxlan 20000 -tunnel tun1

NetScaler VXLAN Capabilities

Server / client reachability over VXLAN tunnels
Bridge traffic between VLAN and VXLAN segments
Two types of VXLANs: VXLANs that stretch / extend an existing VLAN, and VXLANs as independent Layer 3 entities that scale beyond the limit of 4K VLANs
Unicast and multicast VXLAN tunnels
No support for IGMP as yet; VTEPs should be one hop away when the tunnel is multicast
VXLAN port configurable (default 4789)
Identical VXLAN configuration is required on HA nodes
Scaling: 4K VLAN extensions and 2K Layer 3 configurations
Bridge table learns VNID, VTEP
VNID, VTEP configurable for static ARP/ND6
ACL, ACL6, PBR, PBR6 policies to match VXLAN
Policy expressions to match VXLAN
VXLANs can be bound to traffic domains
IPv4 / IPv6 addresses can be bound to VXLANs
VXLAN stat / SNMP support
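The encapsulation that the tunnel commands above configure, shown as an added Python example (not NetScaler code): it builds and parses the 8-byte VXLAN header carried in UDP to port 4789, enforces the 24-bit VNI range and the I flag, and keeps the (VNID, VTEP) bridge table that the capability list mentions. VTEP 10.216.1.2 and VNI 10000 come from the slides; the MAC addresses and inner frame are constructed for the example.

```python
import struct

# Added example, not NetScaler code. VXLAN framing per RFC 7348: an 8-byte header
# (flags, 24 reserved bits, 24-bit VNI, 8 reserved bits) carried in UDP to port
# 4789, followed by the original Ethernet frame. The bridge below learns which
# remote VTEP owns each (VNI, MAC), which is what "bridge table learns VNID, VTEP"
# on the slide refers to. VTEP 10.216.1.2 and VNI 10000 are taken from the slides;
# the MAC addresses are constructed for this example.

VXLAN_PORT = 4789          # configurable on NetScaler, 4789 is the default
FLAG_VNI_VALID = 0x08      # the "I" flag: the VNI field carries a valid value
MAX_VNI = (1 << 24) - 1


def vxlan_encap(vni, inner_frame):
    """Prepend a VXLAN header to an Ethernet frame."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI must fit in 24 bits")
    if len(inner_frame) < 14:
        raise ValueError("inner frame must at least hold an Ethernet header")
    # First word: flags in the top byte, reserved bits zero.
    # Second word: VNI in the top 24 bits, reserved low byte zero.
    header = struct.pack("!II", FLAG_VNI_VALID << 24, vni << 8)
    return header + inner_frame


def vxlan_decap(payload):
    """Split a UDP payload into (vni, inner_frame); reject frames without a valid VNI."""
    if len(payload) < 8 + 14:
        raise ValueError("short VXLAN packet")
    word0, word1 = struct.unpack("!II", payload[:8])
    flags = word0 >> 24
    if not flags & FLAG_VNI_VALID:
        # Without the I flag the VNI field is meaningless; treat as malformed.
        raise ValueError("VXLAN I flag not set")
    return word1 >> 8, payload[8:]


class VxlanBridge:
    """Learning bridge for one VTEP: maps (VNI, MAC) to the VTEP that sourced it."""

    def __init__(self, local_vtep, port=VXLAN_PORT):
        self.local_vtep = local_vtep
        self.port = port
        self.table = {}

    def receive(self, src_vtep, dst_port, udp_payload):
        """Process one UDP datagram that arrived at this VTEP.

        VXLAN itself carries no authentication: any host able to send UDP to the
        VXLAN port of a VTEP can inject frames into a segment. The port check here
        only filters stray traffic; reachability of the VTEP address has to be
        restricted at the network layer (the slides list ACL/ACL6 policies that
        can match VXLAN).
        """
        if dst_port != self.port:
            return None
        vni, frame = vxlan_decap(udp_payload)
        src_mac = frame[6:12]
        self.table[(vni, src_mac)] = src_vtep   # learn: this MAC lives behind src_vtep
        return vni, frame

    def forward(self, vni, frame):
        """Encapsulate toward the learned VTEP, or None if the MAC is unknown (flood)."""
        dst_mac = frame[0:6]
        vtep = self.table.get((vni, dst_mac))
        if vtep is None:
            return None
        return vtep, self.port, vxlan_encap(vni, frame)


def make_frame(dst_mac, src_mac, payload=b"\x08\x00" + b"\x00" * 20):
    """Constructed Ethernet frame: 6-byte dst, 6-byte src, then type + payload."""
    return dst_mac + src_mac + payload


if __name__ == "__main__":
    server_mac = bytes.fromhex("0200000000aa")
    client_mac = bytes.fromhex("0200000000bb")
    bridge = VxlanBridge(local_vtep="192.168.1.1")
    # A frame from the server VM behind VTEP 10.216.1.2 arrives over VXLAN 10000.
    vni, frame = bridge.receive("10.216.1.2", VXLAN_PORT,
                                vxlan_encap(10000, make_frame(client_mac, server_mac)))
    print(vni, bridge.table)
    # The reply toward the server is now encapsulated to the learned VTEP.
    print(bridge.forward(10000, make_frame(server_mac, client_mac))[0])
```

The bridge keys its table on (VNI, MAC) rather than MAC alone: two tenants on different VNIs may legitimately reuse the same MAC addresses, which is one of the reasons the slide gives for needing VXLAN in the first place.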


Optimization


Caching
AppCache
Reduce server workloads by serving repeatable content from the NetScaler instead of the origin server
Caching allows content to be held on the NetScaler
Content is cached by prepopulation, or policy driven should content become popular
Improved user experience
Less strain on server infrastructure

Compression
AppCompress
Advanced compression capability to reduce the data transmitted to the user
Improved user experience by combining with the compression capabilities of the browser
Reduces server overhead
Eliminates bandwidth bottlenecks and significantly improves application performance

TCP Congestion Control

Use Case: add support for high-speed TCP congestion control algorithms, which can help with:
Minimizing stolen bandwidth
Ensuring that co-existing flows with different RTTs are treated fairly
Ensuring efficient usage of the available bandwidth

Feature: 2 new TCP congestion control algorithms supported:

BIC
CUBIC

BIC and CUBIC

BIC:
Focus is on high-speed networks, with bandwidth up to 10 Gbps
Ability to transfer large amounts of data over long distances in a short amount of time
TCP fairness: ability to share bandwidth with TCP connections on low-speed networks

CUBIC:
Enhanced BIC
Maintains BIC's scalability and stability
Simplifies the window control
Improves BIC's friendliness: two competing CUBIC flows converge to fair-share windows
Uses real-time, rather than ACK-clocked, updates to the window
The window growth rate is time dependent and RTT independent, allowing for fairer sharing
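The CUBIC window function behind the last bullet, as an added Python example (not NetScaler code; NetScaler exposes the algorithm only as a TCP profile setting). It uses the constants from RFC 8312 (C = 0.4, beta = 0.7), which the slide does not state and which are this example's assumption, and contrasts CUBIC's time-based growth with a per-RTT additive increase to show why two flows with different RTTs get the same CUBIC window at the same instant.

```python
import math

# Added example, not NetScaler code. CUBIC congestion window per RFC 8312:
#   W_cubic(t) = C * (t - K)^3 + W_max,   K = cbrt(W_max * (1 - beta) / C)
# where t is wall-clock time since the last loss event, W_max the window at that
# loss, C = 0.4 and beta = 0.7 (RFC defaults; the slide does not give them).
# Windows are in segments, time in seconds.

C = 0.4
BETA = 0.7


def cubic_k(w_max, c=C, beta=BETA):
    """Time at which the cubic curve returns to W_max after backing off to beta*W_max."""
    return ((w_max * (1.0 - beta)) / c) ** (1.0 / 3.0)


def w_cubic(t, w_max, c=C, beta=BETA):
    """Cubic growth: concave toward W_max, then convex (probing) beyond it.

    Only t appears here, never the RTT: two flows that lost at the same moment
    with the same W_max have the same window at time t whatever their RTTs.
    """
    k = cubic_k(w_max, c, beta)
    return c * (t - k) ** 3 + w_max


def w_est(t, rtt, w_max, beta=BETA):
    """Window a standard additive-increase TCP would have reached in the same time.

    CUBIC never lets its window fall below this "TCP-friendly" estimate, which
    is how it stays fair to Reno-style flows on low-speed / short-RTT paths.
    """
    return w_max * beta + 3.0 * (1.0 - beta) / (1.0 + beta) * (t / rtt)


def cubic_cwnd(t, rtt, w_max, c=C, beta=BETA):
    """Effective CUBIC cwnd: the larger of the cubic curve and the TCP-friendly floor."""
    return max(w_cubic(t, w_max, c, beta), w_est(t, rtt, w_max, beta))


def reno_cwnd(t, rtt, w_max, beta=0.5):
    """Reno-style recovery for comparison: halve, then +1 segment per RTT.

    Growth here depends on the RTT, so a short-RTT flow out-grows a long-RTT one
    sharing the same bottleneck.
    """
    return w_max * beta + t / rtt


if __name__ == "__main__":
    w_max = 100.0
    k = cubic_k(w_max)
    print(f"K = {k:.2f}s; window at K = {w_cubic(k, w_max):.1f} (== W_max)")
    for rtt in (0.010, 0.100):
        print(f"RTT {rtt * 1000:.0f} ms, 2 s after loss: cubic {cubic_cwnd(2.0, rtt, w_max):.1f}, "
              f"reno {reno_cwnd(2.0, rtt, w_max):.1f}")
```

Running it shows the two properties the slide lists: the cubic term is identical for the 10 ms and 100 ms flows, while the Reno-style window differs by an order of magnitude, and on the short-RTT path the TCP-friendly floor takes over so CUBIC does not fall behind a Reno flow.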


NetScaler MobileStream

Mobile protocol acceleration for best performance over lossy and high-latency links
Intelligent multi-path networking to seamlessly leverage wireless and cellular connectivity
Multi-layer application optimizations with granular security and control
Optimized web content streaming for faster download and rendering
Per-app and per-user access management for end-to-end secure delivery
Built-in protocol and app visibility for compliance
Extensible policies for mobile threat and malware protection

Content Layout (top 1000 sites, http://httparchive.org/interesting.php)

JS and images dominate page content
PNG is still not mainstream
Average response size is increasing; pages are becoming heavier
Browser and client cache can be better utilized

Introduction
JS/CSS and images make up most of the web content.
FEO (Front End Optimization) focuses on faster and more efficient web content delivery by optimizing these components.
Along with this, FEO tries to leverage the client cache.

Optimization Techniques
Stages in Web Page Delivery

Initial connection setup
Content Generation
Embedded object download
Page Rendering

Techniques

Domain sharding
Cache extension
Image GIF to PNG
Image resizing
JPEG image weakening
Image to JXR/WebP
External script/stylesheet
CSS & JS inlining
Small image inlining
Combine CSS
Minification
Moving CSS in front / convert @import to link
Defer JS loading
Lazy loading of images

How does FEO work?

First Request:
1. NetScaler receives the response from the server and forwards it to the client.
2. The client parses the page and sends a request for the first embedded object.
3. NS sends the request to the server; the server sends the processed content.
4. NS optimizes the content and saves it in the cache.
5. NS sends the original image to the client.

Subsequent Requests:
6. NetScaler receives the response from the server.
7. NS parses the HTML page, checks for optimized content and sends the optimized content to the client.
8. The client sends a request for the optimized content.
9. NS fetches the content from the cache and sends the optimized content to the client.

Demo (screenshots: COP vs No-COP)

HTTP 2.0


Problem with HTTP/1.1

Suboptimal use of TCP
Average number of TCP connections per page used in popular sites: 37 (chart)
Slow start: good for the network, bad for client experience
TCP connections per domain: 6 (common in most browsers)

Increase in transfer size and number of objects per page

Problem with HTTP/1.1

Protocol overhead: duplicate headers, no header compression. Two consecutive requests from the same browser to the same host repeat every header except the request path:

GET /frameworks/barlesque/2.83.4/orb/4/script/orb/api.min.js HTTP/1.1
Host: static.bbci.co.uk
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
DNT: 1
Referer: http://www.bbc.co.uk/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,ne;q=0.6

GET /locator/0.119.7/script/locator.js HTTP/1.1
Host: static.bbci.co.uk
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
DNT: 1
Referer: http://www.bbc.co.uk/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,ne;q=0.6

HTTP/1.1 Solutions

Spriting
Inlining
Concatenation
Sharding

HTTP/2: HTTP/1.1 Protocol Fix

HTTP/2 Goals
Backward compatibility
Header compression
Server push
Substantially and measurably improve end-user perceived latency
Address the "head of line blocking" problem
Not require multiple connections to a server to enable parallelism
Improve its use of TCP, especially regarding congestion control

HTTP/2 summary
Binary protocol
Opens a single TCP connection per domain
Multiple requests are streamed into one connection
Streams are multiplexed, prioritized and flow controlled
Header compression
Change in wire format, no change in semantics
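Header compression is the fix for the duplicated request headers shown earlier. The following is an added, simplified Python illustration of the mechanism (this example's own encoding, not wire-compatible HPACK from RFC 7541, and not NetScaler code): encoder and decoder keep an identical per-connection table, so a header that was already sent is replaced by a one-byte index. The two requests are the ones printed on the slide; the size figures are computed from them.

```python
# Added example, not NetScaler code and not real HPACK. It demonstrates the
# mechanism HTTP/2 header compression relies on: both ends of a connection keep
# an identical table of headers seen so far, so a header repeated on the next
# request is sent as a one-byte index instead of a full "Name: value" line.
# Simplifications versus RFC 7541: no static table, no Huffman coding, no
# eviction, one-byte lengths. The requests are those printed on the slide.

UA = ("Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
      "Chrome/41.0.2272.118 Safari/537.36")

COMMON = [
    ("host", "static.bbci.co.uk"),
    ("connection", "keep-alive"),
    ("accept", "*/*"),
    ("user-agent", UA),
    ("dnt", "1"),
    ("referer", "http://www.bbc.co.uk/"),
    ("accept-encoding", "gzip, deflate, sdch"),
    ("accept-language", "en-US,en;q=0.8,ne;q=0.6"),
]
REQUEST_1 = [(":method", "GET"), (":path", "/frameworks/barlesque/2.83.4/orb/4/script/orb/api.min.js")] + COMMON
REQUEST_2 = [(":method", "GET"), (":path", "/locator/0.119.7/script/locator.js")] + COMMON

INDEXED = 0x80       # 1xxxxxxx  whole (name, value) pair is table entry x
NAME_INDEXED = 0x40  # 01xxxxxx  name is table entry x; literal value follows
LITERAL = 0x00       # 00000000  literal name and value follow
TABLE_LIMIT = 64     # keeps every index within the 6 bits available


class HeaderTable:
    """Connection-scoped table kept in lockstep by encoder and decoder."""

    def __init__(self):
        self.entries = []

    def find(self, name, value=None):
        for i, (n, v) in enumerate(self.entries):
            if n == name and (value is None or v == value):
                return i
        return None

    def add(self, name, value):
        if len(self.entries) >= TABLE_LIMIT:
            raise OverflowError("table full; a real codec would evict the oldest entry")
        self.entries.append((name, value))


def _literal(data):
    if len(data) > 255:
        raise ValueError("one-byte length prefix in this demo limits strings to 255 bytes")
    return bytes([len(data)]) + data


class Encoder:
    def __init__(self):
        self.table = HeaderTable()

    def encode(self, headers):
        out = bytearray()
        for name, value in headers:
            idx = self.table.find(name, value)
            if idx is not None:
                out.append(INDEXED | idx)            # 1 byte for a repeated header
                continue
            name_idx = self.table.find(name)
            if name_idx is not None:
                out.append(NAME_INDEXED | name_idx)  # new value for a known name
            else:
                out.append(LITERAL)
                out += _literal(name.encode())
            out += _literal(value.encode())
            self.table.add(name, value)
        return bytes(out)


class Decoder:
    def __init__(self):
        self.table = HeaderTable()

    def decode(self, data):
        headers, i = [], 0
        while i < len(data):
            b = data[i]
            i += 1
            if b & INDEXED:
                headers.append(self.table.entries[b & 0x7F])
                continue
            if b & NAME_INDEXED:
                name = self.table.entries[b & 0x3F][0]
            else:
                n = data[i]
                i += 1
                name = data[i:i + n].decode()
                i += n
            n = data[i]
            i += 1
            value = data[i:i + n].decode()
            i += n
            self.table.add(name, value)          # mirror the encoder's table update
            headers.append((name, value))
        return headers


def http1_size(headers):
    """Bytes the same headers occupy as an HTTP/1.1 request head."""
    fields = dict(headers)
    size = len(f"{fields[':method']} {fields[':path']} HTTP/1.1\r\n")
    for name, value in headers:
        if not name.startswith(":"):
            size += len(f"{name}: {value}\r\n")
    return size + 2  # blank line ending the head


def compare():
    """Encode both requests over one connection and report the sizes."""
    enc, dec = Encoder(), Decoder()
    result = {}
    for label, req in (("request_1", REQUEST_1), ("request_2", REQUEST_2)):
        wire = enc.encode(req)
        if dec.decode(wire) != req:
            raise RuntimeError("decoder table drifted from encoder table")
        result[label] = {"http1_bytes": http1_size(req), "compressed_bytes": len(wire)}
    return result


if __name__ == "__main__":
    print(compare())
```

The second request shrinks from a few hundred bytes to a few dozen: everything except the new path is a one-byte index. The same property is why the table is strictly per connection and strictly ordered; a decoder that misses or reorders one header block can no longer interpret the indices that follow.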

NetScaler HTTP/2 Architecture

Protocol stack: HTTP/2 Application, Binary Framing, TLS, Transport, Network, Physical

ION Release: NS supports an HTTP/2 Gateway: front-end HTTP/2, back-end HTTP/1.1

HTTP/2 Browser -> single TCP connection with request multiplexing -> NetScaler HTTP/2 Gateway -> HTTP/1.1 Server Farm

Features applied on the gateway: Persistency, Cache Redirection, Content Optimization, AppFirewall, AGEE/VPN, Caching, Compression, TCP Optimization

NetScaler HTTP/2 Architecture

HTTP/2 Browser -> single TCP connection with request multiplexing -> Client PCB on the NetScaler HTTP/2 Proxy
Each stream (Stream Session 1, 3, 5, 7, ...; client-initiated HTTP/2 streams carry odd identifiers) is demultiplexed onto its own Server PCB, i.e. a separate HTTP/1.1 connection into the HTTP/1.1 Server Farm

Action Analytics

How do Action Analytics impact the network? Dynamic configuration and flexibility.

Action Analytics

Framework to collect statistics of run-time objects
Statistics collected can be used to take run-time decisions
Statistics collected per object include:
Total number of requests
Bandwidth
Response time
Current connections

Action Analytics
Uses the rate limiting framework and structures to measure traffic.
Counter results are exposed to the Policy Engine.
Two components to measuring traffic objects:
1. Selector
2. Stream Identifier

Selector: defines which request attributes (for example the URL or the client IP) identify one traffic object to be counted.
Stream Identifier: references a selector and sets the measurement intervals.

Action Analytics Stream Selector

NetScaler comes with some pre-defined selectors

Action Analytics Stream Identifier

NetScaler comes with predefined identifiers; each identifier defines:
The selector used
The time interval in minutes
The sample rate

To start counting, a No Operation responder policy must be bound. These are also predefined. Stream analytics will then start counting.

Action Analytics - Requirements

Stream Selector
Stream Identifier
Feature policy configured and bound, e.g.:

add cache policy Cache-Top-URLS -rule "ANALYTICS.STREAM(\"Top_URL\").IS_TOP(10)" -action CACHE -storeInGroup top-requests

Responder policy configured and bound
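What the ANALYTICS.STREAM("Top_URL").IS_TOP(10) expression computes, as an added Python model (not NetScaler code): a selector that keys traffic objects, an identifier that counts requests, bandwidth and response time per object within an interval with a sample rate, and a policy decision that caches only the current top-N objects. The request log and the sampling semantics (every Nth request is counted) are this example's assumptions.

```python
from collections import defaultdict

# Added example, not NetScaler code. Models the action-analytics pipeline from
# the slides: a stream selector picks the request attributes that identify a
# traffic object, a stream identifier counts requests / bandwidth / response
# time per object within a time interval (optionally sampling every Nth
# request), and a policy asks IS_TOP(n) at run time. The request log below is
# constructed; "every Nth request is counted" is this example's reading of the
# identifier's sample rate.


class StreamSelector:
    """Names the request attributes whose values identify one traffic object.

    The predefined Top_URL selector keys on the URL alone; keying on
    ("client_ip", "url") would count per client instead.
    """

    def __init__(self, *attributes):
        self.attributes = attributes

    def key(self, request):
        return tuple(request[a] for a in self.attributes)


def _new_stats():
    return {"requests": 0, "bytes": 0, "resp_time_ms": 0.0}


class StreamIdentifier:
    """Per-interval counters for every object the selector identifies."""

    def __init__(self, selector, interval_minutes=1, sample_count=1):
        self.selector = selector
        self.interval = interval_minutes * 60
        self.sample_count = sample_count
        self._seen = 0
        self._stats = defaultdict(lambda: defaultdict(_new_stats))

    def _bucket(self, ts):
        return int(ts // self.interval)

    def record(self, request, ts):
        """Count a request; returns False when it is skipped by the sample rate."""
        self._seen += 1
        if self._seen % self.sample_count:
            return False
        s = self._stats[self._bucket(ts)][self.selector.key(request)]
        s["requests"] += 1
        s["bytes"] += request["bytes"]
        s["resp_time_ms"] += request["resp_time_ms"]
        return True

    def stats(self, request, ts):
        """Counters for one object in the interval containing ts (response time averaged)."""
        s = dict(self._stats[self._bucket(ts)].get(self.selector.key(request), _new_stats()))
        if s["requests"]:
            s["resp_time_ms"] /= s["requests"]
        return s

    def top(self, n, ts, metric="requests"):
        bucket = self._stats[self._bucket(ts)]
        return sorted(bucket, key=lambda k: bucket[k][metric], reverse=True)[:n]

    def is_top(self, request, n, ts):
        return self.selector.key(request) in self.top(n, ts)


def cache_policy(identifier, request, ts, n=10):
    """ANALYTICS.STREAM(...).IS_TOP(n) -> CACHE; otherwise let the request pass."""
    return "CACHE" if identifier.is_top(request, n, ts) else "NOCACHE"


# Constructed request log: (timestamp seconds, url, response bytes, response time ms)
SAMPLE_REQUESTS = [
    (5, "/sale/item1", 20_000, 120), (7, "/sale/item2", 18_000, 95),
    (9, "/sale/item1", 20_000, 110), (12, "/about", 4_000, 30),
    (15, "/sale/item1", 20_000, 130), (20, "/sale/item2", 18_000, 90),
    (33, "/sale/item1", 20_000, 125), (41, "/sale/item2", 18_000, 100),
    (50, "/sale/item1", 20_000, 115),
    (125, "/sale/item3", 22_000, 140),   # falls in the next one-minute interval
]


def build_demo(sample_count=1):
    ident = StreamIdentifier(StreamSelector("url"), interval_minutes=1, sample_count=sample_count)
    for ts, url, size, rt in SAMPLE_REQUESTS:
        ident.record({"url": url, "bytes": size, "resp_time_ms": rt}, ts)
    return ident


if __name__ == "__main__":
    ident = build_demo()
    for url in ("/sale/item1", "/about", "/sale/item3"):
        print(url, cache_policy(ident, {"url": url}, ts=55, n=2), ident.stats({"url": url}, 55))
```

Because counters live per interval, an object that was hot a minute ago drops out of IS_TOP on its own; the cache policy therefore follows demand without anyone editing the configuration, which is the "dynamic configuration" point the slides make.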

Action Analytics Use Case

An online retailer wants to ensure availability of the most frequently viewed items on sale
Ability to cache data objects on the NetScaler for faster access and to free up server resources for processing transactional data

Your Invincible Network

Resiliency + Performance + Flexibility = Invincible
Provide intelligent optimization for superior performance
Protect business with responsive, dynamic configurations
Ensure the highest availability with live clusters: zero downtime, even during upgrades

Work better. Live better.
