
Citrix NetScaler SDX

Knowledge Transfer For JPM ICU

© 2017 Citrix
AGENDA

• Citrix ADC Overview

• CITRIX ADC SDX & VPX

• Architectural Design

• High Availability

• Traffic Management

• SSL

• SSLVPN

• Web Application Firewall


Citrix ADC Overview
What is Citrix ADC

Availability | Performance | Offload | Security

Citrix ADC has been powering Enterprise and Ecommerce applications since 2002.

Load Balancing | Acceleration | Security | SSL | Optimization | Availability | Performance

The Details

[Diagram: Citrix ADC placed between client traffic (HTTP, HTTPS, FTP, UDP, DNS, TCP, SQL) and the application and server tiers (A1-A3, S1-S3), alongside Citrix Gateway, AD, SaaS/IaaS and Citrix ADC DataStream]

Availability
• Load Balancing (SLB)
• N+1 Clustering
• L4-7 Request Switching
• Surge Protection
• Advanced Health Checks
• Content Switching
• Cache Redirection
• Global Load Balancing (GSLB)
• Dynamic Routing / PBR
• HTTP Callout
• Citrix ADC DataStream

Security
• SSL Offload
• L4-7 ACL
• Network ACLs
• DoS Protections
• Rewrite + Responder
• Rate Limiting
• SSL VPN
• AAA for App Traffic
• Application Firewall
• Citrix Gateway

Optimization
• SSL Offload
• TCP Offload
• TCP Buffering
• Compression
• Caching
• HTTP 2.0
• Client Keep-Alive
• SACK/Nagles
• TCP Westwood+

Management & Visibility
• CLI/GUI
• Nitro REST API
• PowerShell
• MSSCVMM/MSSCOM
• AppFlow
• Syslog
• Web Logging
• SNMP
• AppExpert Policies

Platforms
• SDX
• MPX
• VPX
• CPX
• Pay-As-You-Grow
• Editions: Standard, Advanced, Premium
NetScaler Platform Product Line
NetScaler Overview

[Diagram: the four platforms across Application Delivery and Software-Defined Networking: MPX (application price-performance), VPX (virtual, run anywhere), SDX (fabric, consolidation) and CPX (microservice architecture)]
NetScaler MPX
NetScaler Overview

• Full portfolio of hardware-based app delivery appliances, featuring 500 Mbps to 160 Gbps of performance.
• Use cases:
• Managing web applications with multiple gigabits of traffic
• Load balancing for small enterprises
• Ultra-high performance web application security
• Flex tenancy
NetScaler VPX
NetScaler Overview

• Software-based virtual appliances that run on widely deployed hypervisors and support 10 Mbps to 100 Gbps performance levels
• Use cases:
• Architecting private and public cloud infrastructures
• Utilizing NetScaler within non-production environments
• Architecting scalable multi-tenant infrastructures with NetScaler SDX
• Attractive application delivery options for smaller businesses
Citrix NetScaler SDX
NetScaler Overview

• Hardware-based appliances with advanced virtualization to consolidate up to 115 independently-managed NetScaler instances with up to 160 Gbps of overall performance
• Use cases:
• Supporting datacenter consolidation
• Providing multi-tenancy the right way
• Maintaining tenant isolation without compromise
• Enabling cloud database build-outs
NetScaler CPX
NetScaler Overview

• Containerized, microservice
architecture application delivery
appliance
• Utilizes same codebase as other
NetScaler appliances
• Use cases:
• Service registration, discovery, and routing
• Security enforcement point
• Application performance management
• API gateway
NetScaler Licensing
NetScaler Overview

3 Software Editions

Platinum
• Web application delivery solution providing advanced traffic management and powerful application acceleration

Enterprise
• Web application delivery solution designed to deliver mission-critical applications with fastest performance and lowest cost

Standard
• Comprehensive layer 4 through 7 load balancing that optimizes expensive server and networking resources to reduce cost

Feature-specific licenses are available for select features.

NetScaler Selling & Positioning Overview

Features compared across the Platinum, Enterprise and Standard editions:
• Unified Gateway
• L4 load balancing and L7 content switching
• Federated Identity using SAML 2.0
• DoS defenses and L7 DoS defenses
• Microsoft SQL, MySQL (DataStream)
• L7 rewrite and responder
• AppExpert rate controls
• Centralized Policy Management (SmartControl)
• IPv6 support
• Stateless RDP Proxy
• XenMobile NetScaler connector
• Clustering (Striped)
• Traffic domains
• AAA for traffic management
• ICA proxy
• Simple Manageability
• Subscriber-aware traffic steering
• NetScaler AppFirewall with XML security
• NetScaler Insight Center - Web Insight; monitoring of XenApp/XenDesktop traffic (real time)
• IP reputation
• Global server load balancing (GSLB)
• NetScaler Insight Center - HDX Insight; monitoring of XenApp/XenDesktop traffic (historical)
• NetScaler Gateway
• CloudBridge connector
• Carrier-Grade Network Address Translation (CGNAT)
• AppExpert visual policy builder
• Front-end optimization
• Broad client support for plugins
• Dynamic routing protocols
• ActionAnalytics
• AppExpert callouts and visualizers
• Customizable web service portal and layout templates
• Surge protection and priority queuing
• SSL VPN remote access
• TriScale Clustering
• Domain sharding
• Role-based administration and AAA for administration
• ICA proxy to XenApp and XenDesktop
• Image optimization and application acceleration
• Configuration wizards
• Contextual policies for XenApp/XenDesktop (SmartAccess)
• Style sheets and JavaScript optimizations
• Client and server TCP optimizations
• Native Citrix web interface optimization
• TCP protocol optimization
• AppCompress
• Endpoint Analysis
• Comtrade Management Pack for NetScaler
• Secure browser-only access (CVPN)
• AppCache
• Multi-path TCP
• Citrix Command Center
• BIC and CUBIC TCP
CITRIX ADC SDX &
VPX
Citrix ADC SDX
• Multi-tenant Citrix ADC
• Up to 115 instances
• Version independent
• Zero performance loss

• Customer Value
• Network consolidation
• Hardware sensibilities; virtualization benefits
• Support for 3rd party components
Citrix ADC SDX
• Complete appliance instance
per tenant
• Complete CPU, memory, and SSL
isolation
• Independent entity spaces
• Independent versioning
• Independent maintenance
schedule
• Complete Network Isolation
• No performance degradation
Citrix NetScaler SDX Networking

• Management port – Every SDX has a 0/1 port.


• The SVM and XenServer management IP are on this NIC.
• You need a minimum of two IPs on a management network connected to the 0/1 port.
• SVM and XenServer cannot use any of the data ports for management.
• LOM port – Every SDX has a Lights Out Management (LOM) port.
• The LOM port gives you out-of-band console access to XenServer. Once you’re on XenServer, you can use
Xen commands to see the SVM console, and/or VPX consoles.
• Data ports – The remaining interfaces can be aggregated into port channels. Port channels are configured at
XenServer, and not from inside the VPXs. Use the Service VM to create channels, and then connect the VPXs to
the channels.
• VPX networking – When VPXs are created, you specify which physical ports to connect the virtual machine to.
• If you want the VPX NSIP to be on the same subnet as SVM and XenServer, then connect the VPX to 0/1.
• Connect the VPX to one or more LA/x interfaces (port channels).
• Once the VPX is created, log into it, and create VLAN objects in the normal fashion. VLAN tagging is handled
by the VPX, not XenServer.
• On SVM, when creating the VPX instance, you can specify a list of allowed VLANs. The VPX administrator is
only allowed to add VLANs that are in this list.
• SVM to NSIP – SVM must be able to communicate with every VPX NSIP. If VPX NSIP is on a different subnet than
SVM, then ensure that routing/firewall allows this connection.

Link Aggregation on NetScaler SDX Appliance

• The NetScaler SDX appliance supports static or manual configuration of 802.3ad Link Aggregation (LA) channels at the NetScaler VPX instance level. For static LA, the appropriate external switch ports connected to the physical interfaces on the NetScaler SDX appliance must be statically configured as an etherchannel, with LACP disabled on the external switch.

• Each NetScaler VPX instance has an LA channel configured, with the physical interfaces corresponding to the etherchannel specified within the LA channel. With the LA channel configured, each NetScaler VPX instance has a single MAC address corresponding to that channel.

IP Addresses
• The NetScaler appliance uses different IP addresses for management and connections.
• These IP addresses are:
• NSIP (NetScaler IP)
The NetScaler IP (NSIP) is the primary IP for the management of the appliance. That
is the first IP address you must configure on the NetScaler.
The NSIP is used for internal Netscaler communication in HA deployment. In that
case, the NSIP is the only IP enabled on the secondary NetScaler.
• SNIP (Subnet IP)
The Subnet IP (SNIP) is used for server side communication and is also known as
Interface IP.
You should configure a new SNIP address for each subnet you want the NetScaler to
be directly connected to.
• VIP (Virtual IP)
A Virtual IP (VIP) is the IP address of a virtual server that the end users will connect
to. You can host the same VIP on multiple Netscaler instances.

NetScaler Initial Setup
NetScaler Owned IP Addresses

 NetScaler IP (NSIP) addresses
- Unique IP address and the primary address for management and general system access
 Subnet IP (SNIP) addresses
- Used as the proxy address for NetScaler system-to-server communication.
 Virtual IP (VIP) addresses
- Used for client-to-NetScaler-system communication

[Diagram: the NSIP sits on the management network; the VIP faces the external network, where the client IP connects to it; the SNIP faces the internal network and is the source seen by the backend server IP]
Topology

• You can deploy NetScaler in multiple topologies, below are two of the most used:
• One arm - In one arm mode, only one network interface is connected to an Ethernet segment, and the
NetScaler does not isolate the clients and the servers.

• Two arm - In two arm mode, multiple network interfaces are connected to different Ethernet segments, and
the NetScaler is placed between the clients and the servers.

Provisioning NetScaler Instances
• Upload a Citrix ADC .xva image
A .xva file is required for adding a Citrix ADC VPX instance. You have to upload the Citrix ADC SDA .xva files to
the SDX appliance before provisioning the VPX instances.

• Add a Citrix ADC instance


When you add Citrix ADC instances from the Management Service, you need to provide values for some
parameters, and the Management Service implicitly configures these settings on the Citrix ADC instances.
• Name, IP Address & Citrix ADC .xva image
• License Allocation
• Crypto Allocation
• Resource Allocation
• Instance administration
• Network Settings
• Management VLAN Settings
Typically, the Management Service and the management address (NSIP) of the VPX instance are in the
same subnetwork, and communication is over a management interface. However, if the Management
Service and the instance are in different subnetworks, you have to specify a VLAN ID at the time of
provisioning a VPX instance, so that the instance can be reached over the network when it starts.
Architectural Design

[Logical Network Diagram: Internet, Intranet and MyGovNet feeds; DMZ segments for Intranet, BLESS and Public; core switch; NetScaler SDX 15030]

Network Architecture Diagram

[Architecture design: two appliances, SDX01 and SDX02, each hosting the instance pairs VPN-SEC01/02, VPN-DMZE01/02, VPN-VPN01/02, VPN-BLESS01/02 and VPN-DMZI01/02. Interface 0/1 carries management; 10/1 is an LACP channel towards Core 1 (HP 12508); interfaces 10/2 (VPN-SEC), 10/4 (VPN-DMZE), 10/5 (VPN-VPN) and 10/3 (VPN-BLESS) face the DMZ switches DMZ-Public (HP 5800), DMZ-Bless (HP 5800) and DMZ-Intra (Aruba 5400). Zones shown: Public Internet, Internal Intranet, Public Server Farm, Bless]

High Availability Architecture

Each instance on SDX01 is paired for High Availability with its counterpart on SDX02:
• Int 0/1: SVM 10.20.8.41 / 10.20.8.42, XenServer 10.20.8.45 / 10.20.8.46
• NSIP 10.20.72.8 / 10.20.72.9: VPN-SEC01 / VPN-SEC02
• NSIP 10.20.65.194 / 10.20.65.195: VPN-DMZE01 / VPN-DMZE02
• NSIP 10.20.65.197 / 10.20.65.198: VPN-VPN01 / VPN-VPN02
• NSIP 172.20.52.82 / 172.20.52.83: VPN-BLESS01 / VPN-BLESS02
• NSIP 10.20.65.27 / 10.20.65.28: VPN-DMZI01 / VPN-DMZI02
High Availability

Citrix ADC High Availability
• High Availability (HA) is a primary/secondary failover configuration that provides redundancy, while Clustering provides redundancy and scalability by distributing read and write load across multiple nodes.
• Disable any unused ports when one network adapter is configured within a NetScaler high availability configuration.
• The primary and the secondary appliance of the high availability setup use the NetScaler IP address for communication between the appliances. The NetScaler IP addresses of the appliances are used to configure NetScaler HA in the following procedures.
• When configuring HA, the configured appliances must have the same password for the nsroot account.

Traditional HA
An Active/Passive Pair of Citrix ADCs

[Diagram: external network → Citrix ADC Primary (active) and Citrix ADC Secondary (standby) → internal network]
Citrix ADC High Availability (HA) Essentials
• HA is only Active/Standby
• The Citrix ADC GUI and CLI refer to this as Primary/Secondary
• Citrix ADC supports 2 modes
• Configuration Synchronization. Configs are synced at device start and prior to state change.
• Command Propagation. Commands are synchronized at time of execution from the Primary to the Secondary unit
• Communication
• HA communication is on UDP port 3003 and 5 UDP packets are sent every second
• Communication ONLY happens between the NSIPs of both Citrix ADCs
• Both Citrix ADCs must be of the same build (both Major and Minor) for Synchronization and Propagation
• HA communication is on all Enabled Interfaces. Turn -hamon OFF on all unused Interfaces
Citrix ADC HA Tips and Tricks
• HA Selection Criteria
• If state is the same, select the lower IP address as Primary
• If state is different (i.e. UP vs Not UP), go with UP as Primary
• Best Practice: Add the secondary node as Not Up (i.e. have unconnected interfaces Enabled with HAMON ON)
• Layer 2 on a Failover
• In the event of a failover the new Primary will send a Gratuitous ARP
• Virtual MACs can be configured on the Citrix ADC
• Best Practice: Use Virtual MACs (VMACs), a floating MAC between both devices
• Other Useful Information
• A command can be used to force a preemption, or to mark a unit primary or secondary
• Additionally, a failover or synchronization can be forced with a command from a Citrix ADC
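The HA rules on the two slides above (primary selection, same-build requirement, interface HAMON state, heartbeats on UDP 3003) as an added worked example; this is not Citrix code and nothing in it talks to an appliance. Node names, NSIPs, interface lists and the three-second dead-peer interval are constructed assumptions for the example.

```python
"""Added example (not Citrix code): models the HA rules stated on these slides for a two-node
Citrix ADC pair: primary selection, the same-build requirement for synchronization and
propagation, the node state that HAMON-monitored interfaces produce, and heartbeat loss on
UDP 3003. Node names, addresses, interface lists and the dead-peer interval are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Tuple

HA_UDP_PORT = 3003            # slide: HA communication is on UDP port 3003
HEARTBEATS_PER_SECOND = 5     # slide: 5 UDP packets are sent every second
DEAD_PEER_SECONDS = 3.0       # assumption, not on the slides: silence after which the peer is lost


@dataclass
class HaNode:
    name: str
    nsip: str       # HA traffic only ever flows between the two NSIPs
    state: str      # "UP" or "NOT UP"
    build: str      # "major.minor"; both nodes must match for sync and propagation


@dataclass
class Interface:
    name: str
    enabled: bool
    link_up: bool
    hamon: bool     # -hamon ON: this interface counts towards the node's HA state


def unused_monitored_interfaces(interfaces: List[Interface]) -> List[str]:
    """Enabled, HA-monitored interfaces with no link: these make the node NOT UP, so on a
    working unit they are the ones to 'set interface -hamon OFF' on, as the slide advises."""
    return [i.name for i in interfaces if i.enabled and i.hamon and not i.link_up]


def node_state(interfaces: List[Interface]) -> str:
    """A node is UP only when every enabled, monitored interface has link. The slide's best
    practice for adding a secondary uses exactly this to keep it NOT UP at first."""
    return "NOT UP" if unused_monitored_interfaces(interfaces) else "UP"


def select_primary(a: HaNode, b: HaNode) -> HaNode:
    """Slide rule: same state -> lower NSIP becomes Primary; different state -> the UP node."""
    if a.state == b.state:
        return min((a, b), key=lambda n: ip_address(n.nsip))
    return a if a.state == "UP" else b


def sync_allowed(a: HaNode, b: HaNode) -> bool:
    """Configuration synchronization and command propagation need the same major.minor build."""
    return a.build == b.build


def peer_status(heartbeat_times: List[float], now: float) -> Tuple[str, int]:
    """Heartbeats arrive from the peer NSIP on UDP port HA_UDP_PORT five times a second; report
    whether the peer is still alive at 'now' and how many heartbeats are missing since the last."""
    if not heartbeat_times:
        return "UNKNOWN", 0
    silence = now - max(heartbeat_times)
    missed = int(silence * HEARTBEATS_PER_SECOND)
    return ("DOWN" if silence >= DEAD_PEER_SECONDS else "UP"), missed


def election_report(a: HaNode, b: HaNode) -> str:
    """One-line summary an operator would want after adding a node to the pair."""
    primary = select_primary(a, b)
    sync = "sync allowed" if sync_allowed(a, b) else "sync blocked: builds differ"
    return f"primary={primary.name} ({primary.nsip}); {sync}"


if __name__ == "__main__":
    ns_a = HaNode("ns-a", "192.0.2.10", "UP", "12.0")        # constructed
    ns_b = HaNode("ns-b", "192.0.2.11", "NOT UP", "12.0")    # constructed: added as Not Up
    print(election_report(ns_a, ns_b))
    print(peer_status([10.0, 10.5, 11.0], now=15.0))
```

`select_primary` is deliberately symmetric in its arguments, so the result does not depend on which unit runs the check; `node_state` and `unused_monitored_interfaces` share one condition because the slide's best practice (leave unconnected interfaces monitored so a new secondary stays Not Up) and its warning (turn HAMON off on unused interfaces once the unit is in service) are the same mechanism seen at two moments.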
Traffic Management
Citrix ADC – Meets traditional ADC needs
• High availability
• Geographical failover for disaster recovery
• Secure remote access
• Increased performance and efficiency through server offload, caching
and compression
Load balancing and GSLB with Citrix ADC

• Load Balancing Requests
• Smooths out demand across all available servers
• Health monitoring of local resources
• Provides high availability if a server fails
• Sessions seamlessly transferred to alternative server
• Global Server Load Balancing Requests
• Allows for disaster recovery - provides HA between sites
• Load balancing across geo locations
• Optimizes performance across locations, sending users to the best-performing source

Availability

Server Load Balancing
• Provides the intelligence to always direct each request to the right server resource
• Continuously monitors the health of application and web servers

Content Switching
• Layer 7 load balancing
• Present different content to different users
• Can be based on IP range, geographical area, language, or device used

[Diagram: Citrix ADC in front of the servers, shown as an "Airgap" between clients and the server farm]
Load Balancing

TCP and UDP Client Requests

Maintaining User Sessions
• Source IP
• Cookie
• SSL Session ID
• Server-ID in URL Query
• Customer Server-ID
• Token (header or body)

Distributing Traffic
• Least Connections
• Lowest Response Time
• SNMP-based
• IBM SASP
• Hash-based
• Many more…

Monitoring Server Health and Availability
• TCP Connection
• HTTPS Connection
• Extended Content Verification
• Scriptable Health Checks
Configure Basic Load Balancing
Configurations for HTTP and SSL

• Review the basic concepts of load balancing


• Create an HTTP Load Balancing vserver and associated services
• Test Load Balancing & learn how to view HTTP headers
• Create an SSL LB vserver and self signed certificate
Load Balancing
Overview: Service and Vserver

• The overall purpose of load balancing is to accept traffic as if it was destined to one server, and split the load to many servers
• The fundamental object types used within the NetScaler to define the load balancing relationships are the service and the vserver
• The service represents the target server's IP, port and protocol
• The vserver represents the virtual server's IP, port and protocol
• Additional optional objects are associated with these two object types, but these two are required
Load Balancing
Service and VServer Relationship

• The flow of traffic is dictated by the vserver and service relationship, which is called "binding."
• A request comes from a user.
• It is received by the vserver object and is processed based on the vserver attributes.
• When a load-balancing decision occurs, the request is passed to the appropriate service object.
• Based on the service attributes, the request is sent to a server's IP and port.

[Diagram: User's Request → Virtual Server Object (Vserver IP:Port + Protocol) → LB Processing → Service Objects (Service 1 and Service 2, each IP:Port + Protocol) → Server 1 and Server 2 (IP:Port)]
Load Balancing
Overview: Load Balancing Methods

• Depending on the application type, there are different ways of splitting the load between services, the most commonly used being
• Round Robin
• Least Response Time
• Least Connections (default)
• Least Bandwidth
• URL Hashing
• Source and/or Destination IP hashing

If in doubt, use Round Robin. It is the safest and prevents a single malfunctioning server serving "500" errors from taking all the traffic.
Load Balancing
HTTP Load Balancing Example: Round Robin

1. The NetScaler system opens idle server connections.
2. Clients then initiate their TCP connections.
3. Once connected, requests are balanced in the order they are received, sharing server TCP connections.

Load Balancing
Example: HTTP Load Balancing With Round Robin

[Diagram: requests from User 1 and User 2 alternating between Server 1 and Server 2]
Load Balancing
Overview: Persistence Methods
• Most application servers depend on an individual user persisting to one back-end server. As such, vservers have persistence methods including
• HTTP Cookie insertion
• Source IP
• SSL Session ID (useful for Access Gateway Balancing)
• When balancing HTTP or doing SSL offload, cookie insertion is recommended if persistence is needed
• When balancing other protocols like SMTP or LDAP, Source IP persistence is generally your best bet
Load Balancing
HTTP Load Balancing Example: Cookie Persistence

1. The server and clients open their TCP connections.


2. With the first response, a cookie is sent to the client.
3. With each new request, the client sends the cookie, and the
NetScaler system sends request to the same server.
Load Balancing
Process

There are four main parts to load balancing on the NetScaler:
- Server
- Monitor
- Service
- Virtual Server

Load Balancing
Monitors

There are several pre-built load balancing monitors on the NetScaler.
You can also create a custom monitor using the included templates and set your own thresholds.
If you want to get more custom than that, the monitors are programmed in ColdFusion and can be created and uploaded to the appliance if needed.
Load Balancing
Load Balancing Virtual Server

• After services have been created, they are bound to a Load Balancing
Virtual Server.
• To create a vserver, navigate to Traffic Management > Load Balancing
> Virtual Servers, then click Add.
• Give the new vserver a name, select the appropriate protocol and
port number, assign an IP address, then click OK.
• On the next screen, bind the load balancing services to the virtual
server and click Done.
Load Balancing Traffic Types
Load Balancing

Supported Protocols
• HTTP
• TCP
• FTP
• DNS
• NNTP
• SSL (HTTPS)

Session Protocols
• TCP
• UDP
• SSL_TCP

General Traffic Types
• SSL_BRIDGE
• ANY

Load Balancing Methods

LB Methods
• Least connections (default)
• Round robin and weighted round robin
• Least response time
• Least bandwidth
• Least packets
• Token
• SASP Support for Dynamic Weight Calculation
• URL hash
• Domain name hash
• Source IP hash
• Destination IP hash
• Source/Dest IP hash
• Call ID hash
• Least response time monitoring (LTRM)
• CustomLoad LB using SNMP
Load Balancing Weighted Services
• Weighting is available only on certain LB methods
• Least Connections
• Round Robin
• Least Response Time
• Least Bandwidth
• Least Packets
• LTRM (least response time monitoring)
• A number of load balancing methods allow for particular services to
be weighted differently from each other. This can be done to direct
more traffic to a newer server in a cluster
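The load-balancing slides above (service and vserver objects, the LB methods, the "use Round Robin if in doubt" advice, persistence, and weighted services) as one added worked example; this is not Citrix code and does not mirror the appliance's internals. Class names, the cookie name, the method keywords and every address are constructed for the example. The `share_to_fast_failing_server` function puts numbers on the slide's warning: a server that fails fast still looks UP to a simple monitor and, under least connections, collects almost all the traffic.

```python
"""Added example (not Citrix code): a small model of the NetScaler load-balancing objects and
behaviour described on these slides: services with health state and weights, a vserver that
picks a service by round robin (weighted), least connections, source-IP hash or URL hash, and
cookie-insert or source-IP persistence. Class and method names, the cookie name and all
addresses are constructed for the example and are not appliance parameters."""
import hashlib
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Service:
    """The target server's IP, port and protocol, plus the state a monitor would maintain."""
    name: str
    ip: str
    port: int
    protocol: str = "HTTP"
    weight: int = 1            # honoured only by the weighted methods
    up: bool = True            # flipped by the monitor
    active_conns: int = 0


@dataclass
class Request:
    client_ip: str
    url: str
    cookies: Dict[str, str] = field(default_factory=dict)


class LbVserver:
    COOKIE = "EXAMPLE_PERSIST"     # constructed cookie name

    def __init__(self, services: List[Service], method: str = "LEASTCONNECTION",
                 persistence: Optional[str] = None) -> None:
        self.services = services
        self.method = method                 # ROUNDROBIN, LEASTCONNECTION, SOURCEIPHASH, URLHASH
        self.persistence = persistence       # None, "COOKIEINSERT" or "SOURCEIP"
        # weighted round robin ring: a service with weight 2 appears twice per cycle
        self._ring = itertools.cycle([s for s in services for _ in range(s.weight)])
        self._source_ip_table: Dict[str, str] = {}

    def up_services(self) -> List[Service]:
        return [s for s in self.services if s.up]

    def _up_by_name(self, name: str) -> Optional[Service]:
        return next((s for s in self.up_services() if s.name == name), None)

    @staticmethod
    def _hash(value: str) -> int:
        return int(hashlib.sha256(value.encode()).hexdigest(), 16)

    def _select(self, req: Request) -> Service:
        up = self.up_services()
        if not up:
            raise RuntimeError("no service is UP: the vserver itself would be marked DOWN")
        if self.method == "ROUNDROBIN":
            for _ in range(sum(s.weight for s in self.services)):   # bounded scan skips DOWN slots
                candidate = next(self._ring)
                if candidate.up:
                    return candidate
        if self.method == "LEASTCONNECTION":
            return min(up, key=lambda s: s.active_conns / s.weight)  # weighted; first wins ties
        if self.method == "SOURCEIPHASH":
            return up[self._hash(req.client_ip) % len(up)]
        if self.method == "URLHASH":
            return up[self._hash(req.url) % len(up)]
        raise ValueError(f"unknown method {self.method}")

    def dispatch(self, req: Request) -> Tuple[Service, Dict[str, str]]:
        """Choose the service for a request; also returns headers the vserver adds to the response."""
        headers: Dict[str, str] = {}
        chosen = None
        if self.persistence == "COOKIEINSERT":
            chosen = self._up_by_name(req.cookies.get(self.COOKIE, ""))
        elif self.persistence == "SOURCEIP":
            chosen = self._up_by_name(self._source_ip_table.get(req.client_ip, ""))
        if chosen is None:          # no persistence record, or the recorded service went DOWN
            chosen = self._select(req)
            if self.persistence == "COOKIEINSERT":
                headers["Set-Cookie"] = f"{self.COOKIE}={chosen.name}"
            elif self.persistence == "SOURCEIP":
                self._source_ip_table[req.client_ip] = chosen.name
        chosen.active_conns += 1
        return chosen, headers

    @staticmethod
    def release(service: Service) -> None:
        """Call when the server's reply has gone out and the connection slot is free again."""
        service.active_conns = max(0, service.active_conns - 1)


def share_to_fast_failing_server(method: str, requests: int = 10) -> float:
    """The slide's warning in numbers: a server that answers every request instantly with a
    500 still looks UP to a TCP monitor, so under least connections it draws almost all
    traffic; round robin caps it at its share."""
    good = Service("svc_good", "192.0.2.10", 80)      # slow but correct: connections stay busy
    broken = Service("svc_broken", "192.0.2.11", 80)  # fails fast: connection freed immediately
    vs = LbVserver([good, broken], method=method)
    hits = 0
    for i in range(requests):
        chosen, _ = vs.dispatch(Request("198.51.100.7", f"/item/{i}"))
        if chosen is broken:
            hits += 1
            vs.release(chosen)
    return hits / requests
```

Running `share_to_fast_failing_server("LEASTCONNECTION")` sends 9 of 10 requests to the broken server, while `"ROUNDROBIN"` sends 5 of 10; the difference is the whole argument for a content-checking monitor (the "Extended Content Verification" item on the earlier slide) rather than a plain TCP connect when a method other than round robin is in use.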
SSL Offloading

• One excellent feature of Citrix NetScaler that is often overlooked is SSL Offload, as it includes a Cavium SSL accelerator card; this card handles the SSL encryption/decryption cycles in hardware rather than consuming valuable CPU resources.

• SSL encryption/decryption is a very CPU intensive task; as such it can severely impact the scalability of servers that
host content requiring SSL encryption. NetScaler can help this by essentially moving all of the
encryption/decryption tasks from the back end servers to the NetScaler itself, freeing valuable CPU resource on
the backend servers.

• To configure SSL offloading, you must enable SSL processing on the NetScaler appliance and configure an SSL
based virtual server that will intercept SSL traffic, decrypt the traffic, and forward it to a service that is bound to
the virtual server. To secure time-sensitive traffic, such as media streaming, you can configure a DTLS virtual server.
To enable SSL offloading, you must import a valid certificate and key and bind the pair to the virtual server.

Reduced Load on Servers

• SSL Offload
• TCP Multiplexing and Buffering
• Static and Dynamic Caching
• HTTP Compression

Supports greater user capacity and more apps with minimal investment

[Diagram: customers, partners and employees reaching the applications through Citrix ADC, with SSL terminated on the ADC]
SSL
Create and use SSL Certificate
• Perform the following steps to create a certificate and bind it to an SSL virtual server.
1. Create a private key.
2. Create a certificate signing request (CSR).
3. Submit the CSR to a CA.
4. Create a certificate-key pair.
5. Bind the certificate-key pair to an SSL virtual server

• The following diagram illustrates the end-to-end flow.

Cipher support matrix
• Missing ciphers are prioritized for H2 ‘17.

[Matrix: rows TLS 1.1/1.2 Frontend, TLS 1.1/1.2 Backend, ECDHE Frontend, ECDHE Backend, GCM and SHA2 Frontend, GCM and SHA2 Backend, ECDSA Frontend, ECDSA Backend; columns MPX/SDX, VPX, FIPS 9700 series, FIPS 14000 series; legend: Supported, In 12.0, Near Future]

For complete details, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/cipher_protocl_support_matrix.html
DEFAULT Cipher Alias Re-ordering (Front-end)
• Give preference to AES/AES-GCM/ECDHE ciphers.
• De-prioritize RC4 ciphers.
• No ciphers dropped.

Old Cipher Re-Order List
• SSL3-RC4-MD5 (0x0004)
• SSL3-RC4-SHA (0x0005)
• SSL3-DES-CBC3-SHA (0x000a)
• TLS1-AES-256-CBC-SHA (0x0035)
• TLS1-AES-128-CBC-SHA (0x002f)
• SSL3-EDH-DSS-DES-CBC3-SHA (0x0013)
• TLS1-DHE-DSS-RC4-SHA (0x0066)
• TLS1-DHE-DSS-AES-256-CBC-SHA (0x0038)
• … 28 ciphers in total

New Cipher Re-Order List
• TLS1-AES-256-CBC-SHA (0x0035)
• TLS1-AES-128-CBC-SHA (0x002f)
• TLS1.2-AES-256-SHA256 (0x003d)
• TLS1.2-AES-128-SHA256 (0x003c)
• TLS1.2-AES256-GCM-SHA384 (0x009d)
• TLS1.2-AES128-GCM-SHA256 (0x009c)
• TLS1-ECDHE-RSA-AES256-SHA (0xc014)
• TLS1-ECDHE-RSA-AES128-SHA (0xc013)
• … 28 ciphers in total
Cipher Re-ordering (Back-end)
• Give preference to AES/AES-GCM/ECDHE ciphers.
• RC4-SHA still on top.
• Internal network.
• Legacy servers.
• No ciphers dropped.

Old Cipher Re-Order List
• TLS_RSA_WITH_RC4_128_MD5 (0x0004)
• TLS_RSA_WITH_RC4_128_SHA (0x0005)
• TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
• TLS_RSA_WITH_DES_CBC_SHA (0x0009)
• TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
• TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
• TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
• TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 (0x0060)
• … 55 ciphers in total

New Cipher Re-Order List
• TLS_RSA_WITH_RC4_128_SHA (0x0005)
• TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
• TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
• TLS_RSA_WITH_RC4_128_MD5 (0x0004)
• TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
• TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066)
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
• … 55 ciphers in total
SNI
Host multiple domains on a single IP

• Server Name Indication allows multiple applications to run on one IP address and port
• Bind multiple certificates to one server; one for each application
• Enables a server to host a group of domain names
• Client indicates which hostname to connect to in the client hello
• Most browsers support SNI; it's time for servers now

[Diagram: Client hello requesting site1.com → Server hello carrying the Site1 certificate, selected from the Site1, Site2 and Site3 certificates bound to the server]
Qualys SSL Labs Report: Citrix ADC MPX/SDX/VPX

http://blogs.citrix.com/2015/05/22/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-the-sequel/

How to get that "Awesomeness"

• Disable SSL 3.0
• TLS 1.2 must be enabled
• Cipher list to prefer ECDHE
• RC4 ciphers must be removed
• Implement Strict Transport Security
• Servers should support TLS_FALLBACK_SCSV
• Both server certificate and intermediate certificates should be SHA2 signed

http://blogs.citrix.com/?p=174211630
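The cipher re-ordering policy from the front-end slide (prefer ECDHE / AES-GCM / AES, push RC4 back, drop nothing) and the SSL Labs checklist above, as one added worked example; this is not Citrix code and the tier ranking is this example's own assumption, so its output differs in detail from the appliance's new DEFAULT order. The config keys in `audit_ssl_vserver` and `harden` are constructed names for the model, not appliance parameters, and the two GCM/ECDHE entries appended to the old list are constructed so that the reorder has something to promote.

```python
"""Added example (not Citrix code): applies the cipher re-ordering policy from the slides
(prefer ECDHE / AES-GCM / AES, de-prioritise RC4, drop nothing) to the old front-end
DEFAULT order, and checks an SSL vserver against the SSL Labs checklist on the page.
The tier ranking, the config keys and the hardening function are this example's own
assumptions, not appliance parameters."""
from typing import Dict, List, Tuple

# Head of the old front-end DEFAULT order as the slide lists it (name, IANA id), plus two
# constructed entries so the reorder has GCM and ECDHE suites to promote.
OLD_FRONTEND: List[Tuple[str, int]] = [
    ("SSL3-RC4-MD5", 0x0004),
    ("SSL3-RC4-SHA", 0x0005),
    ("SSL3-DES-CBC3-SHA", 0x000a),
    ("TLS1-AES-256-CBC-SHA", 0x0035),
    ("TLS1-AES-128-CBC-SHA", 0x002f),
    ("SSL3-EDH-DSS-DES-CBC3-SHA", 0x0013),
    ("TLS1-DHE-DSS-RC4-SHA", 0x0066),
    ("TLS1-DHE-DSS-AES-256-CBC-SHA", 0x0038),
    ("TLS1.2-AES128-GCM-SHA256", 0x009c),      # constructed addition
    ("TLS1-ECDHE-RSA-AES128-SHA", 0xc013),     # constructed addition
]


def cipher_tier(name: str) -> int:
    """Lower tier = earlier in the list. RC4 goes last but is kept (the slide drops nothing)."""
    if "RC4" in name:
        return 4
    if "ECDHE" in name:
        return 0
    if "GCM" in name:
        return 1
    if "AES" in name:
        return 2
    return 3          # DES/3DES and anything else keep their old relative order


def reorder(ciphers: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Stable sort by tier: same-tier suites keep the old order, nothing is removed."""
    return sorted(ciphers, key=lambda c: cipher_tier(c[0]))


def audit_ssl_vserver(cfg: Dict) -> List[str]:
    """Return the SSL Labs checklist items this vserver fails (empty list = all pass).
    cfg keys (constructed): ssl3, tls12, ciphers (ordered names), hsts, fallback_scsv,
    chain_sig_algs (signature algorithm of each certificate in the served chain)."""
    findings = []
    if cfg.get("ssl3"):
        findings.append("SSL 3.0 enabled")
    if not cfg.get("tls12"):
        findings.append("TLS 1.2 disabled")
    ciphers = cfg.get("ciphers", [])
    if any("RC4" in c for c in ciphers):
        findings.append("RC4 cipher present")
    if not ciphers or "ECDHE" not in ciphers[0]:
        findings.append("ECDHE not preferred")
    if not cfg.get("hsts"):
        findings.append("Strict-Transport-Security not sent")
    if not cfg.get("fallback_scsv"):
        findings.append("TLS_FALLBACK_SCSV not supported")
    if any(alg.lower() not in ("sha256", "sha384", "sha512")
           for alg in cfg.get("chain_sig_algs", [])):
        findings.append("non-SHA2 signature in certificate chain")
    return findings


def harden(cfg: Dict) -> Dict:
    """Corrected settings: protocols fixed, RC4 removed, ECDHE first, HSTS and fallback SCSV on.
    A SHA-1 signed certificate cannot be fixed by configuration, so the chain is left as found."""
    ordered = [name for name, _ in reorder([(c, 0) for c in cfg.get("ciphers", [])])]
    return {
        **cfg,
        "ssl3": False,
        "tls12": True,
        "ciphers": [c for c in ordered if "RC4" not in c],
        "hsts": True,
        "fallback_scsv": True,
    }


if __name__ == "__main__":
    for name, iana_id in reorder(OLD_FRONTEND):
        print(f"{name} (0x{iana_id:04x})")
    weak = {"ssl3": True, "tls12": False, "hsts": False, "fallback_scsv": False,
            "ciphers": ["SSL3-RC4-MD5", "TLS1-AES-128-CBC-SHA", "TLS1-ECDHE-RSA-AES128-SHA"],
            "chain_sig_algs": ["sha1", "sha256"]}          # constructed weak vserver
    print(audit_ssl_vserver(weak))
    print(audit_ssl_vserver(harden(weak)))
```

The back-end slide keeps RC4-SHA on top for legacy servers on the internal network; that is a different policy from the front-end one, and `harden` implements only the front-end, Internet-facing checklist. The chain finding surviving `harden` is the point of the last check: a SHA-1 intermediate is fixed by re-issuing the certificate, not by any vserver setting.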
SSLVPN
Secure Tunnel Establishment
• Uses the Citrix NetScaler Gateway Plug-in.
• End user can authenticate:
• By logging in to the NetScaler Gateway web page.
• Directly from the plug-in.
• Once connected, NetScaler Gateway tells the plug-in which private
networks are to be sent down the secure connection.
• Any TCP, UDP, or ICMP traffic destined for those networks is secured by SSL
• NetScaler Gateway then proxies the data to the backend host.
• Once established, the secure tunnel remains open until either the user
logs off or a timeout causes a disconnection.
Network Firewalls and Proxies
NetScaler Gateways are usually deployed behind a firewall with these guidelines:
• Ensure that there is external access to the NetScaler Gateway virtual server IP address on ports 443 (SSL) and 80 (HTTP, redirects to SSL)
• You may also need backend firewall rules created for:
• Authentication
• User traffic
Secure Tunnel Termination
• NetScaler Gateway SSL-secures traffic between an endpoint device and the corporate network
• The tunnel is terminated on the NetScaler Gateway
• Traffic is then proxied to backend services
• Traffic will appear to come from a MIP or SNIP
• Alternatively, unique per-connection IPs can be allocated from an IP Pool
(essential for anything which needs to have outgoing connections, such as Active
FTP, VOIP, or remote support)
NetScaler Gateway Plug-in Support
Several options for installing the NetScaler Gateway plug-in:
• Download from the NetScaler Gateway when trying to connect the VPN.
• Deploy through Software Distribution methods, for example SCCM or
Active Directory.
• Download from the Citrix Downloads site.

Like the EPA plug-in, administrative access is required for installation, and possibly for some major updates.
NetScaler Gateway Plug-in Selection for End
Users
• The session profile allows an administrator to choose which plug-in a user
will use:
• Windows / MacOS
• Java
• Remember that:
• Session profiles can be bound at user, group, and virtual server levels.
• When all else fails, the global settings will be applied.
• An end user may pick up settings from multiple session profiles.
Internal Network Resources Connection
• No Split Tunnel: all traffic goes through the SSL tunnel
• Split Tunnel: defined traffic goes through the SSL tunnel
• Use “Intranet Applications” to define
Timeout Settings Configuration
• Forced Timeout / Timeout warning
(Session Profile > Network >Advanced)

• Session Timeout
• Client Idle Timeout
(Session Profile > Client Experience)

• Like all the Session Profile settings, timeout settings can be set globally
or at user, group, or virtual server levels.
End-User Device Clean-Up
• NetScaler Gateway allows an administrator to remove potentially sensitive
information from a client device upon termination of the VPN session.
• Can be forced upon a user
• Configured in Session Profile > Client Experience > Advanced > Client
Cleanup
Name Service Resolution Configuration
• Needed to allow a client to have visibility of corporate DNS or WINS details
• Session Profile > Network Configuration
Clientless Access
• No need for a VPN Plugin to be installed
• Provides authenticated, authorized, and secure access to internal web
resources such as:
• OWA
• SharePoint
• Intranet

• NetScaler Gateway has specific support for SharePoint 2003/2007 and OWA
• Single sign-on to web applications
Web Application Firewall
Web Application Firewall
• NetScaler AppFirewall's security model is a hybrid model, combining the best of both worlds.

• Positive Security Model
The first is the Positive Security Model, which has upfront protection for common cross-site scripting, SQL injection attacks and various application logic attacks.

• Negative Security Model
The second part of the hybrid model is the Negative Security Model, which is all about providing protection against all known threats. This really simplifies customer deployments by making it easy to deploy with signatures for known vulnerabilities.

• With this hybrid model, NetScaler AppFirewall can protect against all known and unknown threats. Data protections, various advanced protections and PCI compliance reports are also all available.
Web Application Firewall
Signature Maintenance/Updates

• Based on SNORT
• Can be updated without
changing build
• Open format for signature
files
• Signature versioning
• Automatic signature update
NetScaler Application Firewall Action
Action - Blocking

Request side block results in:


1. Redirect to root of the website (/) – default.
2. Redirect to a URL of your choice (relative or
absolute)
3. Custom error page served from appliance

Response side block results in:


• Termination of response
• X-Out of sensitive data.
NetScaler Application Firewall Action
Action - Logging

• Every block action will be logged.
• We can choose not to block, but still log the violation.
• We can create 'relaxations' directly from the logs.
• Logging is on the appliance, or can be sent to a 3rd party.
• Logging is in Syslog format and, as of NetScaler 10, in Common Event Format (CEF).
Application Firewall Action
Action - Stat

•NetScaler AppFirewall will collect stats on violations


•Reporting is on the appliance
•Reporting can be performed by 3rd party also (e.g. Splunk)
•The best reporting tool is NetScaler MAS.
Deploying Web Application Firewall
Questions to ask before doing a NetScaler WAF implementation:
• Backend web server OS: Windows, Linux, Unix, others
• Web server type: IIS, Apache
• Application type: ASP.NET, PHP, ActiveX, Apache Tomcat, Domino, and WebLogic
• Number of web servers: load balancing and content switching required.
• SSL: Do you require SSL? If so, what key size (512, 1024, 2048, 4096) is used for signing certificates?
• Application traffic volume: average traffic of applications and high-utilization timeframes.
• Backend database and connectivity: MS-SQL, MySQL, Oracle, Sybase or PostgreSQL

Step By Step Configuration of WAF

• These steps apply to all editions; however, the standalone WAF edition has only the minimal feature set required for WAF.
1. Infrastructure and virtual server details
2. Create WAF policies
3. Assign WAF policy to virtual server
4. Test the URL
Work better. Live better.
