© 2017 Citrix
AGENDA
• Architectural Design
• High Availability
• Traffic Management
• SSL
• SSLVPN
Citrix ADC feature and platform overview
• Features: L4-7 Request Switching, Network ACLs, TCP Buffering, Surge Protection, Advanced Health Checks, DoS Protections, Compression, AppFlow, Content Switching, Rewrite + Responder, Caching, Syslog, Cache Redirection, Rate Limiting, Web Logging, SNMP, Global Load Balancing (GSLB), SSL VPN, HTTP 2.0, AppExpert Policies, Dynamic Routing / PBR, AAA for App Traffic, Client Keep-Alive, HTTP Callout, Application Firewall, SACK/Nagles, TCP Westwood+, Citrix ADC DataStream, Citrix Gateway
• Management integrations: PowerShell, MSSCVMM/MSSCOM
• Platforms: MPX, VPX, CPX
• Editions: Standard, Advanced, Premium
• Licensing: Pay-As-You-Grow
NetScaler Platform Product Line
NetScaler Overview
• Platforms: MPX, SDX, VPX, CPX
• Containerized, microservice architecture application delivery appliance
• Utilizes same codebase as other NetScaler appliances
• Use cases:
• Service registration, discovery, and routing
• Security enforcement point
• Application performance management
• API gateway
NetScaler Licensing
NetScaler Overview
Platinum
• Web application delivery solution providing advanced traffic management and powerful application acceleration
Enterprise
• Web application delivery solution designed to deliver mission-critical applications with fastest performance, and lowest cost
Standard
• Comprehensive layer 4 through 7 load balancing that optimizes expensive server and networking resources to reduce cost
Feature-specific licenses are available for select features.
3 Software Editions
Feature comparison table: Feature / Platinum Edition / Enterprise Edition / Standard Edition
Feature groups: Application availability, Application security, Unified Gateway, Simple Manageability
[The per-edition availability marks of the table did not survive extraction; the recoverable feature rows are listed below.]
• L4 load balancing and L7 content switching
• L4 DoS defenses
• Federated Identity and URL/SSO using SAML 2.0
• Microsoft SQL, MySQL
• L7 DoS defenses
• Centralized Policy Management (SmartControl)
• AppExpert rate controls
• L7 rewrite and responder
• Stateless RDP Proxy
• IPv6 support
• XenMobile NetScaler connector
• Cluster (Striped)
• Traffic domains
• AAA for traffic management
• ICA proxy
• Monitoring of XenApp/XenDesktop traffic (Real time)
• Subscriber-aware traffic steering
• NetScaler AppFirewall with XML security
• NetScaler Insight Center - Web Insight
• IP reputation
• Monitoring of XenApp/XenDesktop traffic (Historical)
• Global server load balancing (GSLB)
• NetScaler Insight Center - HDX Insight
• NetScaler Carrier-Grade Network Address Translation (CGNAT)
• NetScaler Gateway
• CloudBridge connector
• AppExpert visual policy builder
• Front-end optimization
• Broad client support for plugins
• Dynamic routing protocols
• Action Analytics
• Content priority queuing
• Customizable web service portal layout and templates
• Surge protection
• AppExpert callouts and visualizers
• SSL VPN remote access
• TriScale Clustering
• Domain sharding
• Role-based administration and AAA for administration
• Application acceleration
• ICA proxy to XenApp and XenDesktop
• Image optimization
• Configuration wizards
• Style sheets and JavaScript optimizations
• Contextual policies for XenApp/XenDesktop (SmartAccess)
• Client and server TCP optimization
• Native Citrix web interface
• TCP Protocol optimization
• Endpoint Analysis
• AppCompress
• Comtrade Management Pack for NetScaler
• Secure browser-only access (CVPN)
• AppCache
• Multi-path TCP
• Citrix Command Center
• BIC and CUBIC TCP
CITRIX ADC SDX & VPX
Citrix ADC SDX
• Multi-tenant Citrix ADC
• Up to 115 instances
• Version independent
• Zero performance loss
• Customer Value
• Network consolidation
• Hardware sensibilities; virtualization benefits
• Support for 3rd party components
Citrix ADC SDX
• Complete appliance instance per tenant
• Complete CPU, memory, and SSL isolation
• Independent entity spaces
• Independent versioning
• Independent maintenance schedule
• Complete Network Isolation
• No performance degradation
Citrix NetScaler SDX Networking
Link Aggregation on NetScaler SDX Appliance
• The NetScaler SDX appliance supports static or manual configuration of 802.3ad Link Aggregation (LA) channels at the NetScaler VPX instance level. For static LA, the external switch ports connected to the physical interfaces on the NetScaler SDX appliance must be statically configured as an etherchannel, with LACP disabled on the external switch.
• Each NetScaler VPX instance has an LA channel configured, with the physical interfaces corresponding to the etherchannel specified within the LA channel. With the LA channel configured, each NetScaler VPX instance has a single MAC address corresponding to that channel.
Firewall & Load Balancer secondary node Migration Strategy – stage 2
IP Addresses
• The NetScaler appliance uses different IP addresses for management and connections.
• These IP addresses are:
• NSIP (NetScaler IP)
The NetScaler IP (NSIP) is the primary IP for the management of the appliance. It is the first IP address you must configure on the NetScaler.
The NSIP is used for internal NetScaler communication in an HA deployment. In that case, the NSIP is the only IP enabled on the secondary NetScaler.
• SNIP (Subnet IP)
The Subnet IP (SNIP) is used for server-side communication and is also known as the Interface IP.
You should configure a new SNIP address for each subnet you want the NetScaler to be directly connected to.
• VIP (Virtual IP)
A Virtual IP (VIP) is the IP address of a virtual server that end users connect to. You can host the same VIP on multiple NetScaler instances.
NetScaler Initial Setup
NetScaler Owned IP Addresses
[Diagram: NetScaler IP (NSIP) on the management network; Subnet IP (SNIP) facing the external and internal networks; Virtual IP (VIP) on the NetScaler. Second diagram: Client IP, Citrix NetScaler, backend Server IP.]
NetScaler IP (NSIP) addresses
- Unique IP address and the primary address for management and general system access
Subnet IP (SNIP) addresses
- Used as the proxy address for NetScaler system-to-server communication.
Virtual IP (VIP) addresses
- Used for client-to-NetScaler-system communication
TOPOLOGY
• You can deploy NetScaler in multiple topologies; below are two of the most used:
• One arm - In one-arm mode, only one network interface is connected to an Ethernet segment, and the NetScaler does not isolate the clients and the servers.
• Two arm - In two-arm mode, multiple network interfaces are connected to different Ethernet segments, and the NetScaler is placed between the clients and the servers.
Provisioning NetScaler Instances
• Upload a Citrix ADC .xva image
A .xva file is required for adding a Citrix ADC VPX instance. You have to upload the Citrix ADC .xva files to the SDX appliance before provisioning the VPX instances.
Network Diagram
[Diagram: Core Switch; Public Internet, Internal Intranet, Public Server Farm, Bless. DMZ-Public (HP5800) and DMZ-Intra (Aruba 5400) switches; SDX01 and SDX02 appliances (interfaces 10/1, 10/3, 10/4, 10/5) hosting the VPX instances VPN-DMZE01/VPN-DMZE02, VPN-VPN01/VPN-VPN02 and VPN-DMZI01/VPN-DMZI02.]
Architecture Design
High Availability Architecture
[Diagram: SDX01 (Int 0/1; SVM 10.20.8.41; XS 10.20.8.45) and SDX02 (Int 0/1; SVM 10.20.8.42; XS 10.20.8.46), each hosting VPN-VPN0x, VPN-BLESS0x and VPN-DMZI0x instances as an HA pair.]
High Availability
Traditional HA
An Active/Passive Pair of Citrix ADCs
[Diagram: Citrix ADC Primary and Citrix ADC Secondary between the External Network and the Internal Network.]
Citrix ADC High Availability (HA) Essentials
• HA is only Active/Standby
• The Citrix ADC GUI and CLI refer to this as Primary/Secondary
Citrix ADC Availability
If in doubt, use Round Robin. It is the safest and prevents a single malfunctioning server serving “500” errors from taking all the traffic.
Load Balancing
HTTP Load Balancing Example: Round Robin
[Diagram: User 1 and User 2 alternating between Server 1 and Server 2.]
Load Balancing
Overview: Persistence Methods
• Most application servers depend on an individual user persisting to one back-end server. As such, vservers have persistence methods including
• HTTP Cookie insertion
• Source IP
• SSL Session ID (useful for Access Gateway balancing)
• When balancing HTTP or doing SSL offload, cookie insertion is recommended if persistence is needed
• When balancing other protocols like SMTP or LDAP, Source IP persistence is generally your best bet
Load Balancing
HTTP Load Balancing Example: Cookie Persistence
• After services have been created, they are bound to a Load Balancing Virtual Server.
• To create a vserver, navigate to Traffic Management > Load Balancing > Virtual Servers, then click Add.
• Give the new vserver a name, select the appropriate protocol and port number, assign an IP address, then click OK.
• On the next screen, bind the load balancing services to the virtual server and click Done.
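The two persistence methods recommended above (cookie insertion for HTTP, Source IP for other protocols) behave differently when the sticky target fails, and the following added example shows both. It is an illustration written for this page, not NetScaler code: the cookie name NSC_demo, the service names, the client addresses and the tick-free round-robin model are all assumptions made here.

```python
"""Cookie-insert and source-IP persistence in front of a service pool.
Added illustration: not NetScaler code; the cookie name NSC_demo and the
service names are made up for this example."""
from dataclasses import dataclass, field
from itertools import cycle

COOKIE = "NSC_demo"  # hypothetical persistence cookie name


@dataclass
class Service:
    name: str
    up: bool = True       # what a health monitor would report


@dataclass
class Request:
    client_ip: str
    cookies: dict = field(default_factory=dict)


class Vserver:
    """Round-robin vserver with optional COOKIEINSERT or SOURCEIP persistence."""

    def __init__(self, services, persistence="COOKIEINSERT"):
        self.services = list(services)
        self.persistence = persistence
        self._rr = cycle(self.services)
        self._by_ip = {}                      # SOURCEIP persistence table

    def _round_robin(self):
        # Skip services marked down; raise if the whole pool is down.
        for _ in range(len(self.services)):
            svc = next(self._rr)
            if svc.up:
                return svc
        raise RuntimeError("no service UP")

    def _by_name(self, name):
        return next((s for s in self.services if s.name == name), None)

    def route(self, req):
        """Pick a service. Returns (service, cookie_to_set); cookie_to_set is
        None when the response needs no Set-Cookie header."""
        if self.persistence == "COOKIEINSERT":
            svc = self._by_name(req.cookies.get(COOKIE, ""))
            if svc is not None and svc.up:
                return svc, None              # honour the existing sticky cookie
            svc = self._round_robin()         # new client, or cookie names a dead service
            return svc, svc.name              # re-issue the cookie
        if self.persistence == "SOURCEIP":
            svc = self._by_ip.get(req.client_ip)
            if svc is None or not svc.up:
                svc = self._round_robin()
                self._by_ip[req.client_ip] = svc
            return svc, None
        return self._round_robin(), None      # no persistence


def run_cookie_scenario():
    """Constructed scenario: one client sends three requests, a second client
    arrives, then the first client's sticky service goes down."""
    s1, s2, s3 = Service("svc1"), Service("svc2"), Service("svc3")
    vs = Vserver([s1, s2, s3])
    jar, hits = {}, []
    for _ in range(3):
        svc, cookie = vs.route(Request("203.0.113.10", dict(jar)))
        if cookie:
            jar[COOKIE] = cookie              # browser stores the Set-Cookie
        hits.append(svc.name)
    svc, _ = vs.route(Request("198.51.100.7"))  # second client, no cookie yet
    hits.append(svc.name)
    s1.up = False                             # monitor marks svc1 DOWN
    svc, cookie = vs.route(Request("203.0.113.10", dict(jar)))
    hits.append(svc.name)
    return hits, cookie                       # which service served each request


def run_sourceip_scenario():
    """Same idea for a non-HTTP protocol: stickiness keyed by client IP."""
    vs = Vserver([Service("svc1"), Service("svc2")], persistence="SOURCEIP")
    ips = ["10.0.0.1", "10.0.0.2", "10.0.0.1", "10.0.0.1", "10.0.0.2"]
    return [vs.route(Request(ip))[0].name for ip in ips]


if __name__ == "__main__":
    print(run_cookie_scenario())
    print(run_sourceip_scenario())
```

The cookie scenario shows the property that makes cookie insertion the right choice behind SSL offload: the decrypted HTTP request carries the cookie, so the vserver can keep a user on svc1 without any per-client state, and when svc1 is marked down the next request is simply re-balanced and a fresh cookie issued. Source IP persistence needs a table on the appliance and treats every client behind one NAT address as a single user, which is why the deck reserves it for protocols such as SMTP or LDAP that carry no cookie.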
Load Balancing Traffic Types
Load Balancing
LB Methods
• Least connections (default)
• Round robin and weighted round robin
• Least response time
• Least bandwidth
• Least packets
• Token
• URL hash
• Domain name hash
• Source IP hash
• Destination IP hash
• Source/Dest IP hash
• Call ID hash
• Least response time monitoring (LTRM)
• CustomLoad LB using SNMP
• SASP Support for Dynamic Weight Calculation
Load Balancing Weighted Services
• Weighting is available only on certain LB methods
• Least Connections
• Round Robin
• Least Response Time
• Least Bandwidth
• Least Packets
• LTRM (least response time monitoring)
• A number of load balancing methods allow for particular services to be weighted differently from each other. This can be done to direct more traffic to a newer server in a cluster
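The earlier advice that Round Robin "prevents a single malfunctioning server serving 500 errors from taking all the traffic" is really a statement about Least Connections: a server that fails fast holds connections for a very short time, so a connection-count scheduler keeps sending it more. The added example below, written for this page and not taken from NetScaler, simulates round robin, weighted round robin and least connections on a constructed workload; the tick model, server names and service times are assumptions.

```python
"""Round robin, weighted round robin and least connections compared on a
constructed workload. Added illustration, not NetScaler code; the tick-based
model and the server names are assumptions made for this example."""


class Server:
    def __init__(self, name, service_ticks, weight=1):
        self.name = name
        self.service_ticks = service_ticks  # how long one request occupies the server
        self.weight = weight
        self.inflight = []                  # completion times of open connections
        self.served = 0


def simulate(servers, method, n_requests):
    """One request arrives per tick; return requests served per server."""
    if method == "WEIGHTEDRR":
        order = [s for s in servers for _ in range(s.weight)]
    else:
        order = list(servers)
    for t in range(n_requests):
        for s in servers:                   # retire connections that have finished
            s.inflight = [done for done in s.inflight if done > t]
        if method in ("ROUNDROBIN", "WEIGHTEDRR"):
            target = order[t % len(order)]
        elif method == "LEASTCONNECTION":
            # min() keeps the first server on ties, as a stable scheduler would
            target = min(servers, key=lambda s: len(s.inflight))
        else:
            raise ValueError(method)
        target.inflight.append(t + target.service_ticks)
        target.served += 1
    return {s.name: s.served for s in servers}


def scenario_failing_server(method, n_requests=300):
    """web3 looks UP to a TCP monitor but answers every request with a 500 in
    one tick; the healthy servers need five ticks per request."""
    pool = [Server("web1", 5), Server("web2", 5), Server("web3", 1)]
    return simulate(pool, method, n_requests)


def scenario_weighted(n_requests=300):
    """Weighted round robin steering twice the traffic to a newer server."""
    pool = [Server("new", 5, weight=2), Server("old1", 5), Server("old2", 5)]
    return simulate(pool, "WEIGHTEDRR", n_requests)


if __name__ == "__main__":
    for method in ("ROUNDROBIN", "LEASTCONNECTION"):
        print(method, scenario_failing_server(method))
    print("WEIGHTEDRR", scenario_weighted())
```

With the failing server in the pool, round robin gives each server 100 of the 300 requests, while least connections sends 180 of them to the broken server because its connection count is almost always zero. The defensive fix is not the LB method alone but an HTTP monitor that checks the response code, so the broken server is marked DOWN and removed from the pool; the weighted scenario shows the legitimate use of weights, steering 150 requests to the newer server and 75 to each of the older ones.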
SSL OFFLOADING
• One excellent feature of Citrix NetScaler that is often overlooked is SSL Offload, as it includes a Cavium SSL accelerator card. This card handles SSL encryption/decryption cycles in hardware rather than consuming valuable CPU resources.
• SSL encryption/decryption is a very CPU-intensive task; as such it can severely impact the scalability of servers that host content requiring SSL encryption. NetScaler helps by moving all of the encryption/decryption work from the back-end servers to the NetScaler itself, freeing valuable CPU resources on the back-end servers.
• To configure SSL offloading, you must enable SSL processing on the NetScaler appliance and configure an SSL-based virtual server that will intercept SSL traffic, decrypt the traffic, and forward it to a service that is bound to the virtual server. To secure time-sensitive traffic, such as media streaming, you can configure a DTLS virtual server. To enable SSL offloading, you must import a valid certificate and key and bind the pair to the virtual server.
Reduced Load on Servers
• SSL Offload
[Diagram: customers, partners and employees terminating SSL on the NetScaler in front of the servers.]
Cipher support matrix
• Missing ciphers are prioritized for H2 ‘17.
Cipher/Protocol rows: TLS 1.1/1.2 Frontend; TLS 1.1/1.2 Backend; ECDHE Frontend; ECDHE Backend
Legend: Supported; In 12.0; Near Future
How to get that “Awesomeness”
http://blogs.citrix.com/2015/05/22/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-the-sequel/
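The matrix above and the linked SSL Labs article both come down to two front-end settings: no protocol below TLS 1.2 and ECDHE (forward-secret) key exchange only. The following added example, written for this page with Python's ssl module and not a NetScaler configuration, builds a hardened server-side TLS policy beside a legacy one and audits both for exactly those two properties; the cipher string and the audit rules are assumptions made here.

```python
"""Front-end TLS policy check: a hardened server context (TLS 1.2+ and ECDHE
suites only) beside a legacy one, plus an audit that reports what a
scanner such as SSL Labs would penalise. Added illustration using Python's
ssl module; not NetScaler configuration."""
import ssl


def hardened_frontend_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Only forward-secret ECDHE key exchange with AEAD ciphers for TLS 1.2.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def legacy_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_1   # still accepts TLS 1.1
    ctx.set_ciphers("ALL:!aNULL")   # includes static-RSA and DHE suites
    return ctx


def tls12_suites(ctx):
    """Names of the TLS 1.2 suites the context will negotiate."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def audit(ctx):
    """Return a list of findings; an empty list means the policy is clean."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("accepts TLS versions below 1.2")
    # OpenSSL names ECDHE suites with an ECDHE- prefix; anything else in the
    # TLS 1.2 list (AES256-SHA, DHE-RSA-...) lacks ECDHE forward secrecy.
    non_ecdhe = [n for n in tls12_suites(ctx) if not n.startswith("ECDHE")]
    if non_ecdhe:
        findings.append("non-ECDHE suites enabled: " + ", ".join(non_ecdhe))
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_frontend_context()),
                       ("legacy", legacy_context())):
        print(label, audit(ctx) or ["OK"])
```

The same two checks apply to the back-end side of an offloading vserver: the cipher matrix lists TLS 1.1/1.2 and ECDHE for the backend separately because re-encrypting to the servers with a weaker policy than the front end silently undoes part of the gain.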
NetScaler Gateway Plug-in Selection for End Users
Like the EPA plug-in, administrative access is required for installation, and possibly for some major updates.
• The session profile allows an administrator to choose which plug-in a user will use:
• Windows / MacOS
• Java
• Remember that:
• Session profiles can be bound at user, group, and virtual server levels.
• When all else fails, the global settings will be applied.
• An end user may pick up settings from multiple session profiles.
Internal Network Resources Connection
• No Split Tunnel: all traffic goes through the SSL tunnel
• Split Tunnel: defined traffic goes through the SSL tunnel
• Use “Intranet Applications” to define
Timeout Settings Configuration
• Forced Timeout / Timeout warning (Session Profile > Network > Advanced)
• Session Timeout
• Client Idle Timeout (Session Profile > Client Experience)
• Like all the Session Profile settings, timeout settings can be set globally or at user, group, or virtual server levels.
End-User Device Clean-Up
• NetScaler Gateway allows an administrator to remove potentially sensitive information from a client device upon termination of the VPN session.
• Can be forced upon a user
• Configured in Session Profile > Client Experience > Advanced > Client Cleanup
Name Service Resolution Configuration
• Needed to allow a client to have visibility of corporate DNS or WINS details
• Session Profile > Network Configuration
Clientless Access
• No need for a VPN Plugin to be installed
• Provides authenticated, authorized, and secure access to internal web
resources such as:
• OWA
• SharePoint
• Intranet
Web Application Firewall
• With this hybrid model, NetScaler AppFirewall can protect against all known and unknown threats. Data protections, various advanced protections and PCI compliance reports are also all available.
Signature Maintenance/Updates
• Based on SNORT
• Can be updated without changing build
• Open format for signature files
• Signature versioning
• Automatic signature update
NetScaler Application Firewall Action
Action - Blocking