Citrix ADC 12.1 TDM (ОЛЛИ Дистрибуция, 2019-10-01)
TRANSCRIPT
-
Citrix ADC 12.1 TDM: Core NetScaler
-
Hybrid/Multi Cloud
-
3 © 2018 Citrix | Confidential
vMotion Support of NetScaler
• From this release, you can migrate a NetScaler VPX instance by using VMware vMotion.
• VMXNET3 and E1000 interfaces are supported from NetScaler 11.0 onwards.
• VPX 10 to 15G models are supported.
• This was mainly a validation effort and was tested on ESX 6.0 and above.
https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/install-vpx-on-esx.html
-
Support Multicore CPX
• From this release CPX can support bandwidth greater than 1 Gbps and up to 10 Gbps.
• Pooled capacity licenses on MAS can be leveraged to allocate bandwidth greater than 1 Gbps.
• For example, if you license CPX with 5 Gbps, it will check out 1 count from the INSTANCE pool and 4 Gbps from the Platinum bandwidth pool; 1 Gbps is free (continuing the earlier behavior).
• CPX can check out only from the Platinum bandwidth pool.
• Users need to ensure that CPX is started with sufficient packet engines to achieve the licensed capacity.
https://docs.citrix.com/en-us/netscaler-mas/12-1/license-server/netscaler-virtual-cpu-licensing.html#netscalercpx
-
Multi-Zone HA in AWS
-
Multi-Zone HA in AWS w/ EIP Support
Availability zone \ Subnet | Same subnet      | Different subnet
Same AZ                    | Supported        | Supported
Different AZ               | Not applicable * | Supported
* In the same VPC, different AZs cannot have the same subnet
-
Initial Configuration to setup EIP Movement
[Diagram: a VPC behind an IGW with a primary and a secondary VPX; each node has a management EIP (MgmtEIP) and the primary holds the data EIPs EIP.1 … EIP.n]
• Both primary and secondary have an equal number of ENIs.
• Other than the ENI meant for management, each ENI can have one or more private IPs attached.
• A vserver should be configured to listen on one private IP on the primary and one on the secondary, using the ipset feature of the vserver.
• The EIP is attached to the private IP on the primary.
• On failover, the EIP should move to the secondary private IP the vserver is listening on.
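The EIP move described in the last bullet comes down to one EC2 API call per data EIP. The following is an added example, not Citrix code: the appliance performs this move itself through its IAM instance profile, and this is a standalone operator-side equivalent that shows the call and the one flag it needs. The ENI IDs, allocation IDs and private IPs are constructed sample values; the EC2 client is injected so that `boto3.client("ec2")` can be used in production and the fake client below runs offline.

```python
"""Move Elastic IPs from the primary's private IPs to the secondary's.

Added example (not Citrix code). It illustrates the EIP re-association that
EIP-based HA performs on failover for every data EIP. The EC2 client is passed
in: a boto3 EC2 client in production, the FakeEc2 stand-in for an offline run.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class DataEip:
    """One EIP plus the two private IPs a vserver listens on (its ipset)."""
    allocation_id: str        # eipalloc-… of the EIP (constructed)
    primary_eni: str          # ENI on the initial primary (constructed)
    primary_private_ip: str
    secondary_eni: str        # ENI on the initial secondary (constructed)
    secondary_private_ip: str


def failover_eips(ec2, eips, new_primary="secondary"):
    """Re-associate every data EIP onto the node that just became primary.

    AllowReassociation=True is required: the EIP is still associated with the
    old primary's private IP and EC2 otherwise rejects the call with
    Resource.AlreadyAssociated. Returns the new association IDs.
    """
    assoc_ids = []
    for eip in eips:
        if new_primary == "secondary":
            eni, pip = eip.secondary_eni, eip.secondary_private_ip
        else:
            eni, pip = eip.primary_eni, eip.primary_private_ip
        resp = ec2.associate_address(
            AllocationId=eip.allocation_id,
            NetworkInterfaceId=eni,
            PrivateIpAddress=pip,
            AllowReassociation=True,
        )
        assoc_ids.append(resp["AssociationId"])
    return assoc_ids


class FakeEc2:
    """Minimal stand-in for boto3's EC2 client (constructed for offline use)."""

    def __init__(self):
        self.calls = []
        self.associations = {}   # allocation_id -> (eni, private_ip)

    def associate_address(self, **kw):
        alloc = kw["AllocationId"]
        if alloc in self.associations and not kw.get("AllowReassociation"):
            raise RuntimeError("Resource.AlreadyAssociated")
        self.associations[alloc] = (kw["NetworkInterfaceId"], kw["PrivateIpAddress"])
        self.calls.append(kw)
        return {"AssociationId": f"eipassoc-{len(self.calls):04d}"}


# Constructed sample: primary and secondary sit in different subnets (INC mode),
# EIP_1 covers VIP_1/VIP_1' and EIP_2 covers VIP_2/VIP_2'.
SAMPLE_EIPS = [
    DataEip("eipalloc-0001", "eni-p1", "10.0.1.10", "eni-s1", "10.0.2.10"),
    DataEip("eipalloc-0002", "eni-p1", "10.0.1.11", "eni-s1", "10.0.2.11"),
]

if __name__ == "__main__":
    ec2 = FakeEc2()
    failover_eips(ec2, SAMPLE_EIPS, new_primary="primary")   # initial placement
    print(failover_eips(ec2, SAMPLE_EIPS))                   # failover to secondary
    print(ec2.associations)
```

With a real client (`ec2 = boto3.client("ec2", region_name="…")`) the instance profile needs `ec2:AssociateAddress` on the EIPs and ENIs involved; that is the IAM role the provisioning slides later list as a prerequisite.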
-
EIP Migration in case of failover
[Diagram: the initial primary holds VIP_1 and VIP_2 with EIP_1 and EIP_2 attached; the initial secondary holds VIP_1' and VIP_2'; each node keeps its own Mgmt_Pvt_IP and Mgmt_EIP behind the IGW; on failover EIP_1 and EIP_2 are re-associated to VIP_1' and VIP_2']
-
Two HA Solutions: INC & Non-INC
Availability zone \ Subnet | Same subnet                 | Different subnet
Same AZ                    | ENI based HA (Non-INC mode) | EIP based HA (INC mode)
Different AZ               | Not applicable *            | EIP based HA (INC mode)
* In the same VPC, different AZs cannot have the same subnet
-
NetScaler Provisioning from MA Service in AWS
-
Workflow: Provisioning of VPX (Standalone) in AWS
Pre-requisites: IAM role and IAM instance profile; create site, create cloud access profile, attach site to agent.
1. Provision from Citrix ADM (MA Service): 1.1 Basic settings, 1.2 Provision profile
2. New standalone VPX gets created in AWS
Videos referenced: 1. Registration; 2. Define SLA / Service Package
https://docs.citrix.com/en-us/netscaler-mas/netscaler-management-and-analytics-service/hybrid-multi-cloud-deployments/provisioning-vpx-aws.html
-
Provisioning of VPX in AWS
-
AWS Backend Auto-Scale
-
AWS Backend Auto-Scale Flow
-
Scale OUT: Autoscale group, HIGH CPU > 70 (Amazon cloud)
New servers are added in the AS group. NS autodetects them and load balances traffic to them.
-
Scale IN: Autoscale group, Low CPU
-
AWS Backend Auto-Scale GUI
• Name of cloud profile
• Virtual IP for the LB VIP to be created
• Protocol
• Autoscaling group name
• Graceful: makes sure servers are not deleted immediately. Enabled means that if connections are present the server is not deleted for 60 seconds; Graceful NO means servers are deleted as soon as the scale-down event occurs.
-
Azure Backend Auto-Scale
-
Azure Back-End Auto Scaling
• NetScaler VPX instances deployed on Azure now support autoscale with Azure virtual machine scale sets.
• When integrated with the autoscale feature, NetScaler VPX instances provide improved:
– Load balancing and load management
– High availability
– Network availability
https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/deploy-vpx-on-azure/Autoscale.html
-
Backend Autoscaling Overview
[Diagram: an Azure virtual machine scale set (VMSS) with Server 1 … Server 4, min: 2, max: 4, scaling out and in; NetScaler registers for scale in/out events, receives scale in/out notifications, and adds or removes the server in the ServiceGroup bound to the LB vserver]
-
Autoscaling event registration and notification
-
NetScaler GUI: Azure Credentials page, Cloud Profile Creation page, new "Azure" tab on the left-hand side
-
VPX HA across Azure Availability zones
-
Availability Set vs Availability Zones
                 | Availability Set                                                              | Availability Zones
Data centers     | One                                                                           | Three
Availability     | Rack level: unless the entire data center is down, your workload keeps running | Data-center level: even if one data center goes down, your workload keeps running
SLA              | 99.95 %                                                                       | 99.99 %
Region support   | Throughout                                                                    | Limited (only available in certain Azure regions; more coming)
-
Citrix ADC HA using Availability Zones vs HA using Availability Set
• Prefer HA using Availability Zones when the region supports at least two Availability Zones
• Azure SLA: 99.99% availability for Zones instead of 99.95% for a Set
• Citrix ADC VPX experience: same, no functional difference
-
HA using Availability Zones
-
Changes as compared to HA deployment using Availability Set
• Require Standard SKU instead of Basic for the Load Balancer and the (static) Public IP
• Use managed disks for the VMs (OS disk)
• Require the Public IP to be static
• Assign zones to the VM instead of an Availability Set
• Use a different port for each VPX in the load-balancing rule
Note: These changes are taken care of in the ARM template
https://azure.microsoft.com/en-in/pricing/details/ip-addresses/
https://azure.microsoft.com/en-in/pricing/details/load-balancer/
-
Microservice Update
-
Application Journey – Deployment Implementation
[Diagram: four stages, from a static MPX/SDX/VPX with an automated OSS proxy / CPX (CPX or an OSS LB such as NGINX as ingress device, KubeProxy inside the cluster), through automated MPX/SDX/VPX (MPX as ingress device), to MPX/VPX/SDX as advanced ingress device; sample apps OJ, GJ, Tea and Cola]
-
New Enhancements – Available End of Sept.
• New Citrix Ingress Controller (CIC) for low-friction insertion
– Ingress controller as a standalone container for MPXs/SDXs/VPXs
– Built into CPX (CPX + CIC)
• Visibility using open source: Prometheus exporter container
– Polls Citrix ADCs for counters and sends them to a Prometheus server; Grafana can display the stats.
-
VPX Express
-
VPX Express
• VPX Express is a license-less variant of NetScaler VPX.
• Available for both on-premises VPXs and cloud.
• No up-front cost commitments.
• Aimed at prospective IT teams and our customers.
• Lets them quickly deploy their applications and get a feel for our features.
• Covers testing and prototyping needs.
-
GSLB
-
Multi-cloud GLB: Phase 1
[Diagram: MA-SVC monitors GLB nodes in Enterprise US-west, AWS VPC Singapore and Azure VNet India; the GLB nodes talk to each other over Metric Exchange Protocol (MEP) and front LB nodes in each site]
• Stylebook enhanced for multi-cloud/hybrid cloud use-cases
• Supports static and proximity based GLB methods
-
Conventional Parent-child Topology
[Diagram: the same three sites (Enterprise US-west, AWS VPC Singapore, Azure VNet India) with MA-SVC; GLB nodes communicate with the NS-LB nodes over Metric Exchange Protocol (MEP)]
- Statistics are collected from LB nodes using MEP
- LB nodes should be NS
- Needs GSLB configuration even on the LB node
-
Multi-Cloud GLB Stylebook: Motivation
• Eases the firewall configuration
• Single window for managing all the GSLB sites; eases GSLB configuration
• For a 2-GSLB-site deployment: config sync using GSLB autosync takes 90 seconds, config sync using the stylebook takes 25 seconds
– The savings will be more pronounced with larger configs
-
Multi-Cloud GLB Stylebook: Introduction
• Enables easy and quick configuration across data centers that are distributed geographically.
• Enables you to create, manage, and monitor GLB nodes across geographic locations from a single, unified console.
• Provides the flexibility of moving part of your infrastructure to the cloud.
• Supports various load balancing solutions such as the NetScaler load balancer, ELB for AWS, or other third-party load balancers.
• Supports active-passive topology for disaster recovery and ensures continuous availability of applications by protecting against points of failure.
• Supports multiple global load balancing methods such as Round Robin, Static Proximity, Least Connection, and Round-Trip Time (RTT).
• Supports site persistence (ConnectionProxy and HTTPRedirect).
-
Single Management Console
• Key benefits
– Cloud transitions made easier
– Cloud service provider agnostic management console
– Eases the GSLB and firewall configuration
-
GSLB Service Groups (Enables Cloud Migration)
[Diagram: one GSLB tier fronting three sites: AWS Singapore (ELB-1 in front of the application), AWS N. Virginia (ELB-2 in front of the application), and on-prem (NetScaler LB in front of the application)]
-
GSLB Domain Named Auto Scale Service Groups
[Diagram: a client resolves through its LDNS to GSLB1 (Singapore) or GSLB2 (N. California), which exchange metrics over MEP; Site A (on-prem) has a load balancer in front of backend servers; Site B (AWS cloud) has a domain-based AWS auto-scaling ELB in front of auto-scaling backend servers]
-
GSLB Auto-Scaling Service Groups: Components of the Solution
[Diagram: ADNS service for www.vzdemo.com → GSLB vserver → two GSLB DBS (domain-based service) service groups, one for the Singapore ELB domain (ELB-Singapore-IP1, ELB-Singapore-IP2) and one for the N. Virginia ELB domain (ELB-Nvirginia-IP1, ELB-Nvirginia-IP2), each with an HTTPS monitor]
-
GeoIP Database & DNS Features
Latest GeoDB
• The IPv4 geolocation database shipping with the build is to be renewed; the GeoLite2 IPv4 database will be used.
• An IPv6 geolocation database will be shipped with the build.
Incremental improvements
• DNS name server support over TCP: O365 domain names resolve to responses larger than 512 bytes; the TC bit is set and the name server retries over TCP (which fails today).
-
Convert Maxmind Geolocation DB to NetScaler Format
Where is the geolocation database used?
• Location based custom policies, e.g. block when CLIENT.IP.SRC.matches_location("Asia.India.*.*")
• GSLB static proximity
We ship IPv4 and IPv6 Maxmind DBs, so why do customers want their own DB?
• Full version database
• The geolocation database changes frequently; customers want the latest version of the database
How do customers use their own DB today?
• Buy/download the latest/full DB from Maxmind
• Write code or outsource the conversion from Maxmind format to NetScaler format ($$$)
What's new?
• A script to convert Maxmind format to NetScaler format is supported, for easy conversion
-
Networking
-
Class E IP address support
• Amazon has an IPv4 address shortage and wants to use the Class E range for internal clients
• 240.x.x.x to 253.x.x.x can now be used
• 254.x.x.x to 255.x.x.x remain reserved (for internal purposes)
• Note: NetScaler will support the Class E IP address range (aka IPSET)
-
Stateful ACL
• NetScaler must drop packets arriving from the Internet for flows the clients did not initiate.
Old behaviour
One has to add forwarding sessions or ACLs to allow responses from the Internet to requests the clients made.
New behaviour
ACLs have a "-stateful" knob which, if enabled, creates sessions for the traffic hitting the ACL, so return traffic is handled in a stateful fashion.
[Diagram: clients on one side of the NetScaler, the Internet on the other.] If an ACL with DENY action is configured for packets coming from the server that the clients did not initiate or request, that ACL drops the packet (P1'), since P1' is not related to any client-initiated connection.
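The difference between the old and new behaviour is easiest to see on a concrete packet sequence. The block below is an added example, not Citrix code: a small flow-table model of a stateful ALLOW ACL followed by a DENY ACL for the Internet side. The packets, addresses and ACL names are constructed; the session key is the flow 5-tuple.

```python
"""Stateful vs stateless ACL handling of Internet-facing return traffic.

Added example (not Citrix code). A stateful ALLOW ACL records a session when a
client-initiated packet matches it, and the reverse direction of that session
is admitted without a separate ACL or forwarding session. A trailing DENY ACL
drops unsolicited packets from the Internet (P1'). All traffic is constructed.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"

    def flow(self):
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_flow(self):
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Acl:
    name: str
    action: str             # "ALLOW" or "DENY"
    src_prefix: str         # e.g. "10.0.0." for the client side, "" for any source
    stateful: bool = False  # the 12.1 "-stateful" knob


class Filter:
    """Evaluates ACLs in order; stateful ALLOW hits populate a session table."""

    def __init__(self, acls):
        self.acls = list(acls)
        self.sessions = set()

    def process(self, pkt):
        # Either direction of an existing session passes without an ACL lookup.
        if pkt.reverse_flow() in self.sessions or pkt.flow() in self.sessions:
            return "ALLOW"
        for acl in self.acls:
            if pkt.src_ip.startswith(acl.src_prefix):
                if acl.action == "ALLOW" and acl.stateful:
                    self.sessions.add(pkt.flow())
                return acl.action
        return "ALLOW"   # nothing matched


def run(policy, packets):
    """Return the verdict for each packet, in order, under the given ACL list."""
    f = Filter(policy)
    return [f.process(p) for p in packets]


# Constructed scenario: clients in 10.0.0.0/24, an Internet server at 203.0.113.5.
CLIENT_REQ = Packet("10.0.0.7", 40000, "203.0.113.5", 443)    # P1, client-initiated
SERVER_REPLY = Packet("203.0.113.5", 443, "10.0.0.7", 40000)  # reply to P1
UNSOLICITED = Packet("203.0.113.5", 443, "10.0.0.9", 40001)   # P1', never requested

OLD_POLICY = [Acl("allow-clients", "ALLOW", "10.0.0."),
              Acl("deny-internet", "DENY", "")]
NEW_POLICY = [Acl("allow-clients", "ALLOW", "10.0.0.", stateful=True),
              Acl("deny-internet", "DENY", "")]

if __name__ == "__main__":
    print("old:", run(OLD_POLICY, [CLIENT_REQ, SERVER_REPLY, UNSOLICITED]))
    print("new:", run(NEW_POLICY, [CLIENT_REQ, SERVER_REPLY, UNSOLICITED]))
```

Under the old policy the legitimate reply is dropped along with P1', which is exactly why forwarding sessions or extra ACLs were needed; under the stateful policy the reply is admitted because the client's request created a session, while P1' still hits the DENY ACL.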
-
Routing (BGP MD5) Authentication
• BGP MD5 authentication support added to NS/ZebOS to enhance the security of BGP. Since BGP uses TCP as its transport, using this option significantly reduces the danger from certain attacks on BGP sessions.
• It is possible to configure MD5 passwords for a BGP neighbor using NITRO APIs.
• BGP MD5 password configuration is now synced/propagated between HA nodes.
• BGP MD5 password configuration is now synced/propagated between cluster nodes.
-
Clustering
-
Clustering: Heterogeneous Clustering
• Allows nodes of different platforms but with the same number of PEs
• Helps customers expand a cluster without depending on legacy platforms
Supported MPX hardware platforms to form a heterogeneous cluster
No. of PEs | MPX hardware platforms
5          | MPX 11500, MPX 14020
7          | MPX 11515, MPX 14040
9          | MPX 11530, MPX 14060
Things to be noted
• The extra management CPU setting should be the same on all the cluster nodes.
• The newly added node should have the same capacity on the data planes and backplane as the existing cluster nodes.
• Cluster join does not work when there is a mismatch in PE count between the CCO and the node joining the cluster.
Note: The platforms in the table are officially validated by us. For other platforms please verify feasibility with the PM/Engineering team.
-
Traffic Management Features in 12.1 49.23 build
Support for parent-child topology in cluster
Use case: customers want to independently scale GSLB and LB nodes
• A-A and A-P GSLB are already supported in cluster
• From the 12.1 49.23 build, parent-child is also supported in cluster
NetScaler Cluster to support graceful shutdown of services
Use case: customer wants to gracefully shut down services on NetScalers in a cluster
• TROFS (transition out of service) monitors solve this for HTTP services
-
Clustering: Cluster Backup/Restore
• Take the backup on the CLIP and restore on the individual NS nodes
To save the config (to be executed on the CLIP):
> save ns config
To create a backup (to be executed on the CLIP):
> create system backup -level basic/full
To restore the remote package on the cluster nodes:
1) Copy or upload the backup tar file to the /var/ns_sys_backup directory
2) Add the tar file (to be executed on each individual node):
> add system backup .tgz
3) Run the restore command (to be executed on each individual node):
> restore system backup .tgz
4) Reboot the NS appliance; a reboot is required after restore (to be executed on each individual node):
> reboot
NOTE: Cluster backup/restore doesn't work with CLAG and SDX deployments
-
Traffic Management
-
Multi-IP vserver Support
• Supports multiple IP addresses as part of the LB vserver and CS vserver configuration
Old behaviour
• We can specify an IP address in the vserver configuration to create a vserver entity with a single IP address
• We can also specify the iprange option to create network vservers, in which a single vserver entity listens on a consecutive range of IP addresses
• We can specify neither non-consecutive IP addresses nor IPv4/IPv6 combinations as part of the vserver configuration
New behaviour
• Allows creating a single vserver with multiple non-consecutive or consecutive IPv4 and IPv6 addresses
-
DTLS Backend Service Support
• Description
– In a nutshell, DTLS (Datagram TLS) is a protocol which provides SSL/TLS for datagram (UDP) based applications; basically, DTLS is SSL over UDP.
– Previously NetScaler appliances supported DTLS only as a frontend virtual server (vserver).
• Configuration
– CLI: add service DTLS port
– GUI: Navigate to Traffic Management > Load Balancing > Services
-
NetScaler Nameserver TCP Support
• Introduction
– The NetScaler appliance allows you to add external name servers to which it can forward name resolution queries that cannot be resolved locally.
– A name server can be configured by specifying its IP address or by configuring an existing LB virtual server as the name server.
• The challenge
– Presently the NetScaler nameserver does not support DNS resolution over TCP.
– A DNS_TCP type LB vserver cannot be used as a nameserver.
– NetScaler cannot support scenarios where the response size is greater than 512 bytes or where the Truncated (TC) bit is set in the response.
• The solution
– The NetScaler nameserver supports DNS resolution over TCP.
– Two modes are supported:
• IP based nameserver support (TCP and UDP_TCP types)
– A TCP type nameserver uses only TCP for DNS resolution.
– A UDP_TCP type nameserver uses UDP by default and falls back to TCP if the size of the response exceeds 512 bytes.
• Configure an existing DNS_TCP LB vserver as a nameserver.
-
Use Cases: Name Resolution in VPN
• CASE 1: Explicitly specified name of the DNS virtual server for the user session. The default nameserver retries over TCP if the response size exceeds 512 bytes. Presently a DNS_TCP vserver cannot be specified in the vpn parameter.
• add service s1 10.102.81.173 DNS 53
• add lb vserver v1 DNS 1.1.1.1 53
• bind lb vserver v1 s1
• set vpn parameter -dnsVserverName v1
• add dns nameServer 10.102.81.173 -type TCP
• CASE 2: Use the default nameserver type UDP_TCP. UDP is used first and, if the response exceeds 512 bytes, the query is retried over TCP.
• add dns nameServer 10.102.81.173 -type UDP_TCP
• CASE 3: Use the default nameserver type TCP. TCP is always used for name resolution.
• add dns nameServer 10.102.81.173 -type TCP
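The three nameserver types on this slide and the previous one differ only in what they do when the UDP answer comes back truncated. The following is an added example, not Citrix code: it parses the 12-byte DNS header of a UDP response, reads the TC bit, and applies the UDP / TCP / UDP_TCP decision described above. The responses are constructed byte strings, not captures, and 512 bytes is the classic DNS-over-UDP payload limit the slides refer to.

```python
"""Decide when a nameserver must use TCP for a DNS lookup.

Added example (not Citrix code). parse_header() reads the DNS header flags;
resolve() applies the three nameserver types from the slides: TCP always uses
TCP, UDP_TCP tries UDP and retries over TCP when the answer is truncated, and
a plain UDP nameserver (pre-12.1 behaviour) cannot recover. Responses below
are constructed inline.
"""

import struct

UDP_MAX = 512   # classic DNS/UDP payload limit


def parse_header(pkt):
    """Return the header fields of a DNS message (RFC 1035 section 4.1.1)."""
    if len(pkt) < 12:
        raise ValueError("short DNS message")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,       # 1 = response
        "opcode": (flags >> 11) & 0xF,
        "tc": (flags >> 9) & 1,        # 1 = truncated, retry over TCP
        "rcode": flags & 0xF,
        "qdcount": qd,
        "ancount": an,
    }


def needs_tcp_retry(udp_response):
    """True when the UDP answer is truncated (TC=1) or oversized for UDP."""
    hdr = parse_header(udp_response)
    return hdr["tc"] == 1 or len(udp_response) > UDP_MAX


def resolve(ns_type, udp_response=None):
    """Return the transport that finally serves the query, or None on failure.

    ns_type: "UDP" (old behaviour), "TCP", or "UDP_TCP".
    udp_response: bytes received over UDP (not needed for a TCP nameserver).
    """
    if ns_type == "TCP":
        return "TCP"
    if udp_response is None:
        raise ValueError("a UDP-capable nameserver needs the UDP response")
    if not needs_tcp_retry(udp_response):
        return "UDP"
    # Truncated: only a UDP_TCP nameserver falls back; plain UDP gives up.
    return "TCP" if ns_type == "UDP_TCP" else None


def build_response(ident, tc, ancount, payload_len=0):
    """Constructed DNS response: QR=1, TC as requested, zero-padded body."""
    flags = 0x8000 | (0x0200 if tc else 0)
    hdr = struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)
    return hdr + b"\x00" * payload_len


# A small answer that fits in UDP, and an O365-style answer the server truncated.
SMALL = build_response(0x1234, tc=False, ancount=2, payload_len=100)
TRUNCATED = build_response(0x1235, tc=True, ancount=0, payload_len=480)

if __name__ == "__main__":
    for t in ("UDP", "UDP_TCP", "TCP"):
        print(t, resolve(t, SMALL), resolve(t, TRUNCATED))
```

The same header check is what you would apply to a packet capture when a Gateway user reports that only some names fail to resolve: a TC=1 response from a nameserver configured as plain UDP (or as a UDP-only LB vserver) reproduces the failure the slides describe.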
-
PPS Rate Limit For DSR VServers
• Customers can configure a responder policy which invokes a stream identifier to collect statistics at packet level and limit the number of packets flowing through a connection.
• The responder policy can be configured for Burst and Smooth modes of traffic.
• The configured action (DROP/RESET) is applied if the number of packets per second exceeds the configured threshold value.
• Supports SNMP traps and event messages in SYSLOG.
• Packets of all types are counted, irrespective of packet size.
• The 'trackAckOnlyPackets' parameter can be enabled in the stream identifier to prevent attacks using zero-payload packets.
-
PPS Rate Limit : CLI Configs(contd.)
-
PPS Rate Limit : GUI Configs
-
SSL
-
Secure SSL Profile for Grade: Eases getting an A+ grade from SSL Labs
Before 12.1:
• Disable SSL3, enable TLS 1.2
• Bind AEAD ciphers
• Remove CBC and RC4 ciphers
• Implement HSTS
• Bind SHA2-signed server certificate and intermediate certificates
• Prefer ECDHE/DHE
From 12.1:
• Bind the SECURE profile
• Bind SHA2-signed server certificate and intermediate certificates
-
Secure Cipher Alias
• The SECURE cipher alias includes only ECDHE key exchange AEAD ciphers:
> sh ssl cipher SECURE
Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 Priority : 1
Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 Priority : 2
Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 Priority : 3
Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 Priority : 4
1) Profile Name: ns_default_ssl_profile_secure_frontend
Done
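The "Before 12.1" checklist on the previous slide is a set of rules you can run against any cipher binding, which is useful for auditing vservers that were not moved to the SECURE profile. The block below is an added example, not Citrix code: it takes cipher names exactly as `sh ssl cipher` prints them (the SECURE alias listing above is one input; the legacy binding is a constructed pre-12.1 list) and reports, per suite, what would cost points at SSL Labs. The grading rules are my reading of the checklist, not an SSL Labs implementation.

```python
"""Audit a NetScaler cipher binding against the A+ checklist from the slides.

Added example (not Citrix code). check_cipher() flags what the "Before 12.1"
column says had to be removed by hand: RC4, CBC/legacy block modes, SHA-1 or
MD5 MACs, SSLv3-era suites, and anything without ECDHE/DHE key exchange. A
binding is clean when every suite is an ECDHE/DHE AEAD suite, which is what
the SECURE alias guarantees.
"""

import re

# Output of `sh ssl cipher SECURE` on 12.1, from the slide above.
SECURE_ALIAS = [
    "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384",
    "TLS1.2-ECDHE-RSA-AES128-GCM-SHA256",
    "TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256",
]

# Constructed legacy binding, typical of a hand-built pre-12.1 list.
LEGACY_BINDING = [
    "TLS1-AES-256-CBC-SHA",
    "SSL3-RC4-SHA",
    "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384",
    "TLS1.2-DHE-RSA-AES128-GCM-SHA256",
]


def check_cipher(name):
    """Return the reasons this suite fails the checklist (empty list = OK)."""
    reasons = []
    if name.startswith("SSL3-"):
        reasons.append("SSLv3-era suite")
    if "-RC4-" in name:
        reasons.append("RC4 stream cipher")
    if "-CBC-" in name or re.search(r"-(DES|3DES)-", name):
        reasons.append("CBC/legacy block mode (not AEAD)")
    if not ("-GCM-" in name or "POLY1305" in name):
        reasons.append("not an AEAD suite")
    if not re.search(r"-(ECDHE|DHE|EDH)-", name):
        reasons.append("no forward secrecy (static RSA/DH key exchange)")
    if name.endswith("-SHA") or name.endswith("-MD5"):
        reasons.append("SHA-1/MD5 MAC")
    return reasons


def grade_binding(ciphers):
    """Map each failing cipher to its reasons; a clean binding returns {}."""
    findings = {}
    for c in ciphers:
        r = check_cipher(c)
        if r:
            findings[c] = r
    return findings


if __name__ == "__main__":
    print("SECURE:", grade_binding(SECURE_ALIAS))
    for c, why in grade_binding(LEGACY_BINDING).items():
        print(f"{c}: {', '.join(why)}")
```

Feed it the output of `sh ssl vserver <name>` (cipher section) for each vserver; any non-empty result is a binding that still needs the manual pre-12.1 cleanup or a move to the SECURE profile.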
-
Hybrid ECDSA on N3-MPX/SDX Models
• ECDSA is an advanced signature algorithm based on elliptic curves.
• From 12.1, ECDSA computation can be done in both the CPU and the SSL chips (hybrid ECDHE computation support has been available since Q4 2016).
• Increases performance (TPS) significantly. Performance tests are in progress.
-
Protocol Updates
DTLS
• Required for EDT
• Supported on VPX and Cavium MPX
• FIPS support released in 12.1 49.23
TLS 1.3
• TLS 1.3 released in the 12.1 49.23 GA build
• Supported on VPX and N3 based MPX
• FIPS support is dependent on NIST approval
-
TLS 1.3 Delivers Considerable Improvements Over TLS 1.2
• 1. Faster connections
– The handshake requires only one round trip (1 RTT)
– Resumption is zero RTT
– Clients can open multiple parallel connections with a fresh session ticket for each connection
• 2. Improved security
– Protection against padding oracle attacks, protocol downgrade, etc.
TLSv1.3 cipher group
Hex code   | OpenSSL name
0x13,0x01  | TLS13-AES-128-GCM-SHA256
0x13,0x02  | TLS13-AES-256-GCM-SHA384
0x13,0x03  | TLS13-CHACHA20-POLY1305-SHA256
-
TLS 1.3 (continued)
• Platforms and entities supported: VPX and MPX; front end entities
• CLI commands to enable TLS 1.3:
> set ssl profile ns_default_ssl_profile_frontend -tls13 ENABLED
> sh ssl cipher TLSv1.3
> set ssl profile ns_default_ssl_profile_frontend -sessionticket ENABLED
> set ssl profile ns_default_ssl_profile_frontend -zeroRttEarlyData ENABLED
> set ssl profile ns_default_ssl_profile_frontend -dheKeyExchangeWithPsk YES
> set ssl profile ns_default_ssl_profile_frontend -tls13SessionTicketsPerAuthContext [1-10]
• GA date: targeted Q3 for support on VPX and software MPX
• Available in beta currently. Register: https://podio.com/webforms/19812471/1342437
-
[Screenshots: TLS 1.3 settings in the GUI and the CLI]
-
Cipher Support Matrix (updated with the 12.1 49.23 build release)
Cipher/Protocol        | N3 MPX/SDX | Coleto MPX/SDX | VPX Frontend | FIPS 14000 series
TLS 1.1/1.2 Frontend   | ✓ | ✓ | ✓ | ✓
TLS 1.1/1.2 Backend    | ✓ | ✓ | ✓ | ✓
ECDHE Frontend         | ✓ | ✓ | ✓ | ✓
ECDHE Backend          | ✓ | ✓ | ✓ | ✓
GCM, SHA2 Frontend     | ✓ | ✓ | ✓ | ✓
GCM, SHA2 Backend      | ✓ | ✓ | ✓ | ✓
ECDSA Frontend         | ✓ | ✓ | ✓ | ✓
ECDSA Backend          | ✓ | ✓ | ✓ | ✓
Chacha-Poly Frontend   | ✓ ✓ ✓ (three of the four platforms; the transcript does not show which one is missing)
Chacha-Poly Backend    | ✓ ✓ (two of the four platforms; the transcript does not show which ones are missing)
-
Deprecated SSLv2: Why SSLv2 Support Was Removed
• IETF RFC 6176: SSLv2 does not provide a sufficiently high level of security
• Deficiencies
– Message authentication uses MD5
– Handshake messages are not protected
– Message integrity and message encryption use the same key
– Sessions can be easily terminated
• CLI behaviour: shows a warning and remains disabled
> set ssl vserver v1 -ssl2 enabled
Warning: SSLv2 not supported in this release
Done
> show ssl vserver v1
. . . . . . .
SSLv2 : DISABLED
-
Removal of Weak Ciphers From DEFAULT_BACKEND
• Removed RC2, DES(40), DES(56) and EXPORT ciphers from DEFAULT_BACKEND
• Ciphers removed from the DEFAULT_BACKEND group:
– SSL3-DES-CBC-SHA
– SSL3-EXP-DES-CBC-SHA
– SSL3-EXP-RC2-CBC-MD5
– SSL3-EDH-DSS-DES-CBC-SHA
– TLS1-EXP1024-DHE-DSS-DES-CBC-SHA
– SSL3-EXP-EDH-DSS-DES-CBC-SHA
– SSL3-EDH-RSA-DES-CBC-SHA
– SSL3-EXP-EDH-RSA-DES-CBC-SHA
– TLS1-EXP1024-RC2-CBC-MD5
– SSL3-ADH-DES-CBC-SHA
– SSL3-EXP-ADH-DES-CBC-SHA
-
Secure Session Tickets
• What is a session ticket?
• A session ticket is the session state issued by the server to the client in the form of an encrypted ticket (the NewSessionTicket TLS handshake message).
• Client and server must both signal support by sending an empty SessionTicket extension.
• The server issues the session ticket as a NewSessionTicket handshake message before the ChangeCipherSpec.
• The client can subsequently resume the session using the obtained session ticket.
• Why session tickets?
• They avoid the burden of keeping per-client session state on the TLS server.
-
SourceIP As Backup Persistence For SSL SESSIONID
• Client/server renegotiation breaks SSLSESSION ID persistence, which is a known limitation.
• When the NetScaler cannot match the SSLSESSION ID in the persistence table, it falls back to SOURCEIP persistence.
• Applicable to SSL_Bridge vservers.
-
Selective SSL Logging
• With an SSL log profile you can log SSL-related information, such as client authentication and SSL handshake failures, for only a specific virtual server or group of virtual servers.
• Configuration: depending on where you use an SSL log profile, you can configure it to log a combination of the following for a virtual server or a group of virtual servers:
• Only client authentication successes and failures
• Only client authentication failures
• Only SSL handshake successes and failures
• Only SSL handshake failures
• An SSL log profile can be attached to an SSL profile or to an SSL action.
-
Configuration Steps Through CLI & GUI
• To add an SSL log profile by using the NetScaler command line:
add ssl logprofile [-ssllogClAuth ( ENABLED | DISABLED )] [-ssllogClAuthFailures ( ENABLED | DISABLED )] [-ssllogHS ( ENABLED | DISABLED )] [-ssllogHSfailures ( ENABLED | DISABLED )]
-
Attaching an SSL Log Profile to an SSL Profile
• To attach an SSL log profile to an SSL profile by using the NetScaler command line:
add ssl profile [-sslProfileType ( BackEnd | FrontEnd )] [-ssllogProfile ]
Example:
add ssl profile fron-1 -ssllogProfile ssllog10
set ssl profile fron-2 -ssllogProfile ssllog10
• GUI: Navigate to System > Profiles > SSL Profile
-
Attaching an SSL Log Profile to an SSL Action
• To attach an SSL log profile to an SSL action by using the NetScaler command line:
add ssl action [-ssllogProfile ] [-clientAuth ( DOCLIENTAUTH | NOCLIENTAUTH )]
Example:
add ssl action act1 -clientAuth DOCLIENTAUTH -ssllogProfile ssllog10
add ssl policy pol1 -rule true -action act1
-
Hybrid ECC on Cavium N3 based NetScaler
• Enable the hybrid model by using the NetScaler GUI or CLI:
set ssl parameter -softwareCryptoThreshold
• The NetScaler CPU utilization threshold (as a percentage) beyond which crypto operations are not done in software. A value of zero means the CPU is not used for doing crypto in software.
Default = 0, Min = 0, Max = 100
-
Unlocking New Use Cases with SSL Policies (from 12.1 49.23)
• SSL policies now support actions based on ClientHello details, for example the SNI or the ClientHello cipher list.
• Use case: a customer in Russia wants to block clients that offer a particular cipher.
• Use case: a customer wants to save IP addresses and use a single VIP for multiple applications, and also wants to send traffic to the appropriate backend server for client authentication.
• New policy execution point: Client Hello
• New SSL policy action: Forward
-
Sample config of new policies (from 12.1 49.23)
• LB vserver v1; type SSL; service s1 (HTTP/SSL)
• Dummy vserver d1; type SSL_Bridge; service s2 (SSL_Bridge)
• Dummy vserver d2; type SSL_Bridge; service s3 (SSL_Bridge)
• add ssl action act1 -forward d1
• add ssl action act2 -forward d2
• add ssl policy pol1 -rule 'client.ssl.client_hello.sni.contains("abc")' -action act1
• add ssl policy pol2 -rule 'client.ssl.client_hello.sni.contains("xyz")' -action act2
• bind ssl vs v1 -policyName pol1 -type CLIENTHELLO_REQ -priority 1
• bind ssl vs v1 -policyName pol2 -type CLIENTHELLO_REQ -priority 2
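What makes the CLIENTHELLO_REQ execution point work is that SNI and the offered cipher suites are both cleartext in the first handshake message, so a forwarding decision can be taken before any key exchange. The block below is an added example, not Citrix code: it parses a TLS ClientHello for those two fields and evaluates a policy table mirroring pol1/pol2 above (SNI containing "abc" forwards to d1, "xyz" to d2) plus a constructed third rule for the "block a particular cipher" use case on the previous slide. The ClientHello bytes are built inline, not captured; the cipher-suite code for the blocked suite (0x0004, TLS_RSA_WITH_RC4_128_MD5) is my choice for the illustration.

```python
"""Parse a TLS ClientHello for SNI and cipher suites, then apply ClientHello policies.

Added example (not Citrix code). parse_client_hello() walks the record and
handshake headers to the cipher_suites vector and the server_name extension.
POLICIES mirrors pol1/pol2 from the sample config, plus a constructed cipher
block rule (pol0). build_client_hello() constructs a minimal TLS 1.2 hello.
"""

import struct


def _u16(b, i):
    return struct.unpack("!H", b[i:i + 2])[0]


def parse_client_hello(record):
    """Return {'sni': str|None, 'ciphers': [int]} from a record holding a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:]                      # skip the 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    i = 4 + 2 + 32                       # handshake header, client_version, random
    i += 1 + hs[i]                       # session_id
    n = _u16(hs, i); i += 2
    ciphers = [_u16(hs, j) for j in range(i, i + n, 2)]
    i += n
    i += 1 + hs[i]                       # compression_methods
    sni = None
    if i < len(hs):                      # extensions are optional
        end = i + 2 + _u16(hs, i); i += 2
        while i + 4 <= end:
            etype, elen = _u16(hs, i), _u16(hs, i + 2)
            body = hs[i + 4:i + 4 + elen]
            if etype == 0 and len(body) >= 5 and body[2] == 0:   # server_name, host_name
                sni = body[5:5 + _u16(body, 3)].decode("ascii")
            i += 4 + elen
    return {"sni": sni, "ciphers": ciphers}


def build_client_hello(sni, ciphers):
    """Constructed minimal TLS 1.2 ClientHello carrying one server_name extension."""
    host = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"
            + struct.pack("!H", len(ciphers) * 2)
            + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


RC4_MD5 = 0x0004   # TLS_RSA_WITH_RC4_128_MD5, the constructed "blocked" suite

# Priority-ordered policy table; pol0 is constructed, pol1/pol2 mirror the slide.
POLICIES = [
    ("pol0", lambda h: RC4_MD5 in h["ciphers"], "RESET"),
    ("pol1", lambda h: h["sni"] is not None and "abc" in h["sni"], "forward d1"),
    ("pol2", lambda h: h["sni"] is not None and "xyz" in h["sni"], "forward d2"),
]


def evaluate(record):
    """First matching policy wins; None means no policy hit and v1 serves it."""
    hello = parse_client_hello(record)
    for name, rule, action in POLICIES:
        if rule(hello):
            return name, action
    return None


if __name__ == "__main__":
    print(evaluate(build_client_hello("abc.example.com", [0xC02F, 0x1301])))
    print(evaluate(build_client_hello("www.xyz.net", [0xC02F])))
    print(evaluate(build_client_hello("abc.example.com", [RC4_MD5, 0xC02F])))
    print(evaluate(build_client_hello("other.example", [0xC02F])))
```

Because the forward happens on the ClientHello, d1 and d2 must be SSL_Bridge vservers: the ADC never terminates TLS for those flows, so the backend behind d1 or d2 is what presents the certificate and performs client authentication.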
-
DTLS Support Updates (12.1 49.23 build updates)
• DTLS support on MPX 14000 FIPS models (Q3)
• PFS (ECDHE) support on DTLS for MPX, VPX and FIPS (Q3)
• Frontend SNI support on DTLS (Q3)
-
AAA
-
AAA
Under the AAA top level there will be USER and LOGIN entries in addition to the current ones.
• LOGIN represents pre-login, i.e. the login request.
• It could be a regular Gateway login, a SAML IdP login or an OAuth login; the AAA module abstracts that from the policy configuration.
Pre-authentication: aaa.login. Post-authentication: aaa.user.
-
SAML Enhancements
• SAML Service Provider
– Metadata export of the samlAction: https:///metadata/samlsp/ (querying this public link generates the metadata file)
– Metadata import of the SAML IDP
• SAML Identity Provider
– Metadata export for the SAML IDP
• add samlaction testapp -metadata
– Metadata import for the SAML SP
• SaaS app simplification
– SAML/SaaS app catalogue
– Simplified addition of apps
-
SAML/SaaS App Catalogue
-
Other AAA Enhancements
• Persistent login attempts
• OpenID Connect IDP: OAuth is increasingly popular in mobile app environments because of its lightweight nature compared to SAML
– Authorization grant, implicit grant, hybrid grants
– Resource owner and client credential grants
– Service-to-service APIs for access tokens
– Encryption of OpenID tokens
-
OAuth – OpenID Connect Flow
[Sequence diagram between the client, the Relying Party (RP, https://athena) and the NetScaler IDP (https://ngs.com):]
1. GET / (client to RP)
2. 302 redirect to https://ngs.com/oauth/idp/login
3. GET /oauth/idp/login (client to NS IDP)
4. Validate source
5. Present login form
6. Send login credentials
7. Validate login credentials; construct OAuth code
8. 302 to https://athena/oauth/login?code=ZZZ
9. GET /oauth/login?code=ZZZ (client to RP)
10. Is the code proper? (RP to NS IDP)
11. YES
12. Verify token
-
• RDP Connection redirection
• RDP auto population of links using AD attributes
RDP Enhancements
-
Configuration for enabling RDP Redirection
RDP redirection support in the presence of a connection broker or session directory can be enabled through the rdpserverprofile:
• add rdpserverprofile -psk -rdpRedirection ( ENABLE | DISABLE )
Note:
• Redirection is supported only when SSO is enabled, and is supported in both single Gateway and stateless/dual Gateway mode along with enforcement (smart access).
• Currently redirection is not supported when SSO is disabled.
• The RDPProxy feature is supported only with token-based IP cookies: http://www.jasonfilley.com/rdpcookies.html
• Dedicated redirectors can be used for RDPProxy connections; see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772418(v=ws.10)
-
Traffic Flow (RDP-Proxy-LB): RDP bookmark pointed to RDP-LB
[Diagram: RDPProxy (RDPProxy cookie) → RDPLB → Session Directory/CB → final connection to Terminal Server 1 or Terminal Server 2]
-
Traffic Flow (RDP-Proxy-LB for an existing connection): RDP bookmark pointed to RDP-LB
[Diagram: RDPProxy (RDPProxy cookie) → RDPLB → Session Directory/CB, which redirects to the terminal server already holding the session; the RDPLB cookie is modified to an RDPProxy cookie before the final connection to Terminal Server 2]
-
Traffic Flow (RDP-Proxy flow without LB): Connection Broker load balancing enabled; RDP bookmark always pointed to Terminal Server-1 (i.e. Terminal Server-1 as redirector)
[Diagram: RDPProxy (RDPProxy cookie) → Terminal Server 1 → Session Directory/CB → final connection]
-
Traffic Flow (RDP-Proxy flow without LB): Connection Broker load balancing enabled; session to be created on, or already existing on, Terminal Server-2 and RDP bookmark always pointed to Terminal Server-1 (i.e. Terminal Server-1 as redirector)
[Diagram: RDPProxy (RDPProxy cookie) → Terminal Server 1 → Session Directory/CB; the redirect cookie is modified to an RDPProxy cookie and the final connection goes to Terminal Server 2]
-
95 © 2018 Citrix | Confidential
RDP URL creation through authentication attribute
• On rdpclientprofile, configuration of the ‘rdpUrlLinkAttribute’ parameter is supported. It is used to fetch, from an authentication server attribute (for example LDAP or SAML), the list of RDP servers (IP/FQDN) that a user can access.
• Based on the list received, the RDP links are generated and displayed to the user.
Configuration:
• add rdpclientprofile –rdpUrlLinkAttribute
-
96 © 2018 Citrix | Confidential
Example
• rdpUrlLinkAttribute = rdpServerNameForUser
• On the LDAP server, rdpServerNameForUser has the values Server1, Server2
• Once the user authenticates to Gateway, the following links are displayed:
LinkName: Server1, Link: https:///rdpproxy/Server1
LinkName: Server2, Link: https:///rdpproxy/Server2
Note: The attribute named in rdpUrlLinkAttribute must be fetched through the corresponding authentication method on NetScaler. Currently this is supported only with LDAP.
-
Manageability
-
98 © 2018 Citrix | Confidential
vCPU Subscription licensing
• From this release customers will be able to consume VPX licenses based on vCPU in addition to bandwidth.
• Similar to pooled capacity licenses and CICO licenses, NetScaler MAS acts as a license server and manages a separate set of virtual CPU licenses.
• VPX instances will be able to check out the number of vCPUs required from the license pool on MAS.
https://docs.citrix.com/en-us/netscaler-mas/12-1/license-server/netscaler-virtual-cpu-licensing.html
PND Launch Kit: https://citrix.savoinspire.com/nsacdvpxvcpupndlk/
-
99 © 2018 Citrix | Confidential
License Expiry enforcement (Local licenses)
• For local licenses and evaluation licenses, i.e. licenses that reside on the VPX, license expiry enforcement is applied from this release. Before 12.1, expiry was not enforced until the VPX was rebooted.
• For non-CSP licenses, when days to expiration hits 0:
– An SNMP alarm is generated (NS-LICENSE-EXPIRY).
– The NetScaler appliance automatically restarts to revoke the license.
• No enforcement if NetScaler is licensed using CSP licenses:
– An SNMP alarm is generated every 24 hours.
– No forced reboot.
https://docs.citrix.com/en-us/netscaler/12-1/licensing/netscaler-licensing-overview.html
-
100 © 2018 Citrix | Confidential
Expiry enforcement (Local licenses)
• "sh ns license" shows the remaining days:
    …Model Number ID: xxx
    License Type: Platinum License
    Licensing mode: Local
    Days to expiration: 2
• "Days to expiration" is updated every 24 hours.
• For non-CSP licenses, when days to expiration hits 0:
– An SNMP alarm is generated (NS-LICENSE-EXPIRY).
– The system initiates a warm reboot to revoke the licenses.
• No enforcement if NetScaler is licensed using CSP licenses:
– An SNMP alarm is generated every 24 hours.
– No forced reboot.
-
101 © 2018 Citrix | Confidential
StyleBook Automation
• Seamless App analytics post StyleBook creation.
• StyleBook usability improvements
• RBA for StyleBook
• Moving App Config across instances:
– VPX on SDX to VPX on Cloud
– Dev to Prod
-
102 © 2018 Citrix | Confidential
StyleBook - Github Repository
• Default StyleBooks published on GitHub: https://github.com/citrix/MAS-StyleBooks
• Open to contribution and sharing from the community
-
103 © 2018 Citrix | Confidential
Telco
-
104 © 2018 Citrix | Confidential
Large Scale NAT (LSN) in Cluster – Introduction
• A NetScaler Cluster is a group of NetScalers that can be configured and managed as a single system. It provides scalability and availability.
• Each NetScaler in the cluster acts as an independent CGNAT entity, while the cluster is managed as a single system.
• In cluster mode, an LSN pool IP (NAT IP) is owned by only one node at any point in time (i.e. spotted behaviour).
-
105 © 2018 Citrix | Confidential
Policy Based Steering for LSN Cluster deployments
• In LSN cluster deployments, PBS with a source-IP based hash is used to maintain stickiness of subscriber traffic to a given node.
• LSN features in cluster mode:
– NAT44 and NAT64 are available in cluster mode of operation.
– Most of the LSN features supported prior to r12.1 are available in an LSN cluster.
– All combinations of mapping and filtering are supported in cluster, as available earlier.
– Syslog, compact logging and IPFIX logging are supported.
– The log format is similar across HA and cluster mode.
– All profiles are supported, i.e. application profile, transport profile, log profile.
• ALGs available in cluster mode:
– FTP
– TFTP
– ICMP
– PPTP
-
106 © 2018 Citrix | Confidential
Traffic Flow When Flow Receiver Is Different Than Flow Processor
[Diagram: Private Client Network (192.168.1.1, 192.168.1.2) – ECMP – Node-1 (10.102.53.14), Node-2 (10.102.53.11) – Public Network; label: PBS applied and owner node 1]
-
107 © 2018 Citrix | Confidential
Traffic Flow When Flow Receiver And Flow Processor Are Same
[Diagram: Private Client Network (192.168.1.1, 192.168.1.2) – ECMP – Node-1 (10.102.53.14), Node-2 (10.102.53.11) – Public Network; label: PBS applied and owner node 1]
-
108 © 2018 Citrix | Confidential
Sample Configuration (NAT44)
Pool configuration:
add lsn pool poolV4
bind lsn pool poolV4 -ownerNode 1 20.20.20.1-20.20.20.2
bind lsn pool poolV4 -ownerNode 2 20.20.20.3-20.20.20.4
Client network configuration:
add lsn client clientV4
bind lsn client clientV4 -network 192.168.1.0 -netmask 255.255.255.0
Group configuration:
add lsn group grpV4 -clientname clientV4
bind lsn group grpV4 -poolname poolV4
DFD-ACL (PBS) configuration:
add ns acl b1 ALLOW -srcIP = 192.168.1.0-192.168.1.255 -type DFD -dfdhash SIP
apply ns acls -type DFD
-
109 © 2018 Citrix | Confidential
Sample Configuration (NAT64)
Pool configuration:
add lsn pool poolV6
bind lsn pool poolV6 -ownerNode 1 40.40.40.1-40.40.40.2
bind lsn pool poolV6 -ownerNode 2 40.40.40.3-40.40.40.4
Client network configuration:
add lsn client clientV6
bind lsn client clientV6 -network6 2222::/64
Group configuration:
add lsn ip6profile ip6prfl_nat64 -type NAT64 -natprefix 2003::/96
add lsn group grpV6 -clientname clientV6 -ip6profile ip6prfl_nat64
bind lsn group grpV6 -poolname poolV6
DFD-ACL (PBS) configuration:
add ns acl6 nat64_dfd ALLOW -srcIPv6 = 2222:: -type DFD -dfdhash SIP -dfdprefix 64
apply ns acls6 -type DFD
-
110 © 2018 Citrix | Confidential
LSN Limitations
• Session and port quotas configured at the LSN group level are applied on each node.
• Session synchronization across nodes isn’t supported.
• DS-Lite cannot be configured in cluster mode.
• IPsec ALG.
• Deterministic NAT.
• Static NAT.
• Hair-pinning.
• L3 cluster.
• SIP (target for r12.1-FR1).
• RTSP (target for r12.1-FR1).
-
111 © 2018 Citrix | Confidential
Policy based backplane steering (PBS) – Use Cases
• In current NS cluster deployments, internal traffic distribution (DFD) is based on a 4-tuple hash.
• Traffic from the same subscriber (client IP) can therefore be distributed across the nodes.
• Use case 1:
– In telco deployments, the external server (PCRF) maintains the mapping of node to subscriber ID for a specific client.
– If multiple nodes process traffic from the same client, the external server (PCRF) has to maintain multiple sessions with different nodes for the same client.
• Use case 2:
– Cluster-aware LSN deployments require the PBS feature for source IP stickiness.
-
112 © 2018 Citrix | Confidential
Policy based backplane steering (PBS) – How It Works
• Identify the traffic using a user-defined policy based on parameters like source MAC, source VLAN, source IP, destination IP, source port and destination port.
• Identify the flow processor for this specific flow using the user-defined policy hash method and steer the flow to the target node (the flow processor).
• For the same subscriber (client IP), one node will always be the flow processor, so the external server can maintain a single session mapping for that subscriber.
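As an added illustration (not code from the slides or from Citrix), the steering decision described above modelled in Python: a DFD ACL in the shape of the NAT44 sample configuration (`-srcIP = 192.168.1.0-192.168.1.255 -type DFD -dfdhash SIP`) sends every flow of a matching subscriber to one flow processor, while non-matching traffic stays on the default 4-tuple hash and may scatter across nodes. SHA-256 as the hash, the two-node cluster, the `Flow` tuple and the 203.0.113.10 server address are this example's assumptions; the slides do not describe the real backplane hash function, only which fields feed it.

```python
import hashlib
import ipaddress
from collections import namedtuple

# A flow as seen by the flow receiver (field names are this example's own).
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port")


def hash_to_node(key: str, node_count: int) -> int:
    """Map a hash key to a cluster node id (1..node_count).

    SHA-256 stands in for the backplane hash; the real function is not
    described on the slide, so this only models its consistency property.
    """
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % node_count + 1


class DfdAcl:
    """Models 'add ns acl <name> ALLOW -srcIP = <range> -type DFD -dfdhash SIP'.

    Only source-IP matching and the SIP hash method shown in the sample
    configuration are modelled.
    """

    def __init__(self, name: str, src_network: str, dfd_hash: str = "SIP"):
        if dfd_hash != "SIP":
            raise ValueError("only -dfdhash SIP is modelled here")
        self.name = name
        self.src_network = ipaddress.ip_network(src_network)
        self.dfd_hash = dfd_hash

    def matches(self, flow: Flow) -> bool:
        return ipaddress.ip_address(flow.src_ip) in self.src_network


def select_flow_processor(flow: Flow, node_count: int, acls: list) -> int:
    """Return the node that processes the flow.

    A flow matching a DFD ACL is steered by that ACL's hash method (source IP
    only), so all flows of one subscriber land on the same node. Everything
    else keeps the default 4-tuple hash.
    """
    for acl in acls:
        if acl.matches(flow):
            return hash_to_node(flow.src_ip, node_count)
    four_tuple = f"{flow.src_ip}:{flow.src_port}>{flow.dst_ip}:{flow.dst_port}"
    return hash_to_node(four_tuple, node_count)


def nodes_used_by_client(client_ip: str, node_count: int, acls: list, flows: int = 50) -> set:
    """Open `flows` constructed connections from one client and collect the
    set of flow processors chosen for them."""
    chosen = set()
    for i in range(flows):
        flow = Flow(client_ip, 40000 + i, "203.0.113.10", 80)  # constructed server address
        chosen.add(select_flow_processor(flow, node_count, acls))
    return chosen


# Two-node cluster with the DFD ACL from the NAT44 sample configuration.
CLUSTER_NODES = 2
PBS_ACLS = [DfdAcl("b1", "192.168.1.0/24")]

if __name__ == "__main__":
    sticky = nodes_used_by_client("192.168.1.1", CLUSTER_NODES, PBS_ACLS)
    scattered = nodes_used_by_client("10.0.0.5", CLUSTER_NODES, PBS_ACLS)
    print("subscriber 192.168.1.1 (PBS, SIP hash) processed by nodes:", sorted(sticky))
    print("client 10.0.0.5 (default 4-tuple hash) processed by nodes:", sorted(scattered))
```

The set returned for the PBS-matched subscriber always has one member, which is the property the PCRF use case relies on; the unmatched client's flows spread over both nodes, which is the behaviour of the plain 4-tuple DFD.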
-
113 © 2018 Citrix | Confidential
PBS Packet Flow Illustration
[Diagram: Client – cluster nodes – Server]
-
114 © 2018 Citrix | Confidential
Cluster Support For Subscribers
• Use Case: This enhancement aims at extending Gx interface support to cluster deployments.
• GUI Changes: [screenshot]
-
115 © 2018 Citrix | Confidential
• Use Case: Default subscriber lookup method is IP only. With this enhancement, IPVLAN can be added as an additional lookup method.
• Only supported with GxOnly interface type.
IPVLAN As Key Type For Subscribers
-
116 © 2018 Citrix | Confidential
IPFIX LOGGING
4 APRIL 2018
-
117 © 2018 Citrix | Confidential
LOGGING
LSN uses the existing AppFlow framework for logging purposes.
Logging can be controlled at two levels:
• Global
• LSN group level
A new argument for the appflow parameter has been introduced at the global level for LSN logging:
set appflow param -lsnLogging ENABLED
-
118 © 2018 Citrix | Confidential
LOGGING
Group level logging can be enabled/disabled with the add/set command:
add lsn logprofile 2 -logipfix enabled
If both syslog and IPFIX are enabled, IPFIX takes precedence over syslog.
-
119 © 2018 Citrix | Confidential
TEMPLATE FOR NAT44 SESSION CREATION/DELETION
Field Name                     Size (in bits)   Tag-value (as per RFC definition)
observationPointId             64               138
exportingProcessId             32               144
timeStamp                      64               323
natEvent                       8                230
sourceIPv4Address              32               8
postNATSourceIPv4Address       32               225
protocolIdentifier             8                4
sourceTransportPort            16               7
postNAPTsourceTransportPort    16               227
destinationIPv4Address         32               12
-
120 © 2018 Citrix | Confidential
TEMPLATE FOR NAT64 SESSION CREATION/DELETION
Field Name                     Size (in bits)   Tag-value (as per RFC definition)
observationPointId             64               138
exportingProcessId             32               144
timeStamp                      64               323
natEvent                       8                230
sourceIPv6Address              128              27
postNATSourceIPv4Address       32               225
protocolIdentifier             8                4
sourceTransportPort            16               7
postNAPTsourceTransportPort    16               227
destinationIPv4Address         32               12
destinationTransportPort       16               11
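The two templates above fix the record layout completely (field order, width and IANA element ID), which is what a collector needs to decode the NetScaler export. As an added example, not NetScaler code or output, here is a Python encoder/decoder driven by exactly those two field lists, together with the Template Set (Set ID 2, RFC 7011) an exporter sends ahead of its data records. The template IDs, the natEvent codes (from the IANA natEvent registry, RFC 8158), the interpretation of timeStamp as epoch milliseconds and the sample addresses are this example's assumptions; the sample values reuse the 12.0.0.0/8 client network and the 50.0.1.1-50.0.15.254 pool of the sample configuration that follows.

```python
import ipaddress
import struct

# Field lists copied from the two template slides:
# (information element name, IANA element ID, length in bytes)
NAT44_TEMPLATE = [
    ("observationPointId", 138, 8),
    ("exportingProcessId", 144, 4),
    ("timeStamp", 323, 8),
    ("natEvent", 230, 1),
    ("sourceIPv4Address", 8, 4),
    ("postNATSourceIPv4Address", 225, 4),
    ("protocolIdentifier", 4, 1),
    ("sourceTransportPort", 7, 2),
    ("postNAPTsourceTransportPort", 227, 2),
    ("destinationIPv4Address", 12, 4),
]
NAT64_TEMPLATE = [
    ("observationPointId", 138, 8),
    ("exportingProcessId", 144, 4),
    ("timeStamp", 323, 8),
    ("natEvent", 230, 1),
    ("sourceIPv6Address", 27, 16),
    ("postNATSourceIPv4Address", 225, 4),
    ("protocolIdentifier", 4, 1),
    ("sourceTransportPort", 7, 2),
    ("postNAPTsourceTransportPort", 227, 2),
    ("destinationIPv4Address", 12, 4),
    ("destinationTransportPort", 11, 2),
]

# natEvent codes from the IANA registry (RFC 8158); not stated on the slide.
NAT44_SESSION_CREATE, NAT44_SESSION_DELETE = 4, 5
NAT64_SESSION_CREATE, NAT64_SESSION_DELETE = 6, 7
TEMPLATE_SET_ID = 2


def encode_template_set(template, template_id):
    """IPFIX Template Set (Set ID 2) announcing the field layout to the collector."""
    body = struct.pack(">HH", template_id, len(template))
    for _name, ie_id, length in template:
        body += struct.pack(">HH", ie_id, length)
    return struct.pack(">HH", TEMPLATE_SET_ID, 4 + len(body)) + body


def encode_record(template, record):
    """Serialise one data record field by field, big-endian as IPFIX requires."""
    out = b""
    for name, _ie_id, length in template:
        value = record[name]
        if name.endswith("IPv4Address") or name.endswith("IPv6Address"):
            value = int(ipaddress.ip_address(value))
        out += value.to_bytes(length, "big")
    return out


def decode_record(template, data):
    """Parse a data record back into a dict; rejects short or oversized input."""
    record, offset = {}, 0
    for name, _ie_id, length in template:
        chunk = data[offset:offset + length]
        if len(chunk) != length:
            raise ValueError(f"record truncated inside {name}")
        value = int.from_bytes(chunk, "big")
        if name.endswith("IPv4Address"):
            value = str(ipaddress.IPv4Address(value))
        elif name.endswith("IPv6Address"):
            value = str(ipaddress.IPv6Address(value))
        record[name] = value
        offset += length
    if offset != len(data):
        raise ValueError("trailing bytes after record")
    return record


def is_well_formed(template, data):
    """True when `data` is exactly one record of the given template."""
    try:
        decode_record(template, data)
        return True
    except ValueError:
        return False


def summarize(record):
    """One-line rendering of a NAT session event, e.g. for a SIEM correlation field."""
    names = {4: "NAT44 create", 5: "NAT44 delete", 6: "NAT64 create", 7: "NAT64 delete"}
    event = names.get(record["natEvent"], f"natEvent {record['natEvent']}")
    src = record.get("sourceIPv4Address") or record.get("sourceIPv6Address")
    return (f"{event} {src}:{record['sourceTransportPort']} -> "
            f"{record['postNATSourceIPv4Address']}:{record['postNAPTsourceTransportPort']} "
            f"dst {record['destinationIPv4Address']} proto {record['protocolIdentifier']}")


# Constructed sample: subscriber 12.0.0.5 translated to pool address 50.0.1.1 (timeStamp
# assumed to be epoch milliseconds; 203.0.113.10 is a documentation address).
SAMPLE_NAT44 = {
    "observationPointId": 1, "exportingProcessId": 7, "timeStamp": 1503386131077,
    "natEvent": NAT44_SESSION_CREATE,
    "sourceIPv4Address": "12.0.0.5", "postNATSourceIPv4Address": "50.0.1.1",
    "protocolIdentifier": 6, "sourceTransportPort": 40000,
    "postNAPTsourceTransportPort": 1024, "destinationIPv4Address": "203.0.113.10",
}

if __name__ == "__main__":
    wire = encode_record(NAT44_TEMPLATE, SAMPLE_NAT44)
    print(len(encode_template_set(NAT44_TEMPLATE, 256)), "byte template set")
    print(len(wire), "byte data record:", summarize(decode_record(NAT44_TEMPLATE, wire)))
```

The NAT44 record is 38 bytes and the NAT64 record 52 bytes; note that the NAT44 template on the slide carries no destinationTransportPort, so a collector that wants the destination port for NAT44 sessions has to take it from syslog or compact logging instead.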
-
121 © 2018 Citrix | Confidential
enable ns feature AppFlow LSN
set appflow param -templateRefresh 60 -lsnLogging ENABLED
add appflow collector c1 -IPAddress 6.6.6.6 -port 6439 -netProfile net1
set audit nslogParams -logLevel ALL -lsn ENABLED
add lsn pool p1
bind lsn pool p1 50.0.1.1-50.0.15.254
add lsn client c1
bind lsn client c1 -network 12.0.0.0 -netmask 255.0.0.0
add lsn logprofile log1 -logipfix ENABLED
add lsn group g1 -clientname c1 -logging ENABLED -sessionLogging ENABLED
bind lsn group g1 -poolname p1
bind lsn group g1 -logProfileName log1
SAMPLE CONFIGURATION
-
122 © 2018 Citrix | Confidential
NetScaler Video Optimization
Spiros Vathis, Staff Software Engineer
-
123 © 2018 Citrix | Confidential
Video Detection – Media Types & Sites Support (new)
• Clear-text PD video
• Clear-text ABR video
• Encrypted ABR video
• QUIC ABR video
• All clear-text & many top encrypted sites supported
-
124 © 2018 Citrix | Confidential
Basics
#> enable feature videoOptimization
Done
#> show ns license | grep Video
Video Optimization: YES
#> show ns feature | grep Video
37) Video Optimization VideoOptimization ON
CBM Txxx & CBM Premium licenses required
-
125 © 2018 Citrix | Confidential
LB vServers
#> add lb vserver vs-http HTTP * 80 -persistenceType NONE
Done
#> add lb vserver vs-ssl SSL_BRIDGE * 443 -persistenceType NONE
Done
#> add lb vserver vs-quic QUIC * 443 -persistenceType NONE -m MAC
Done
#> add service svc-quic QUIC *
Done
#> bind lb vserver vs-quic svc-quic
Done
-
126 © 2018 Citrix | Confidential
Detection Policies
#> show videooptimization detectionpolicy | grep Name
1) Name: ns_videoopt_http_body_detection
2) Name: ns_videoopt_http_abr_netflix
3) Name: ns_videoopt_http_abr_netflix2
4) Name: ns_videoopt_http_abr_youtube
5) Name: ns_videoopt_http_pd_youtube
6) Name: ns_videoopt_http_pd_youtube2
7) Name: ns_videoopt_http_pd_youtube3
8) Name: ns_videoopt_https_abr_netflix
9) Name: ns_videoopt_https_abr_youtube
10) Name: ns_videoopt_http_abr_generic
11) Name: ns_videoopt_https_abr_generic
Facebook video detection added in the generic detection policies
-
127 © 2018 Citrix | Confidential
Optimization policies – Encrypted
#> add videooptimization pacingaction myOptENCAction -rate 2000
Done
#> add videooptimization pacingpolicy myOptENCPolicy -rule TRUE -action myOptENCAction
Done
#> bind lb vserver vs-ssl -policyName myOptENCPolicy -priority 100 -type REQUEST
Done
-
128 © 2018 Citrix | Confidential
Optimization policies – QUIC (new)
#> add videooptimization pacingaction myOptQUICAction -rate 1500
Done
#> add videooptimization pacingpolicy myOptQUICPolicy -rule TRUE -action myOptQUICAction
Done
#> bind lb vserver vs-quic -policyName myOptQUICPolicy -priority 100 -type REQUEST
Done
-
129 © 2018 Citrix | Confidential
#> shell
root@ns# nsapimgr -ys mediac_debug=1
Changing mediac_debug from 0 to 1 Done.
root@ns# cat /var/log/ns.log
Aug 22 10:15:39 T1100-PH-1 nsppe: PE:2:ns_mediaclassification.c:ns_mc_log_trans:899:Transaction log: session_type 100, Client IP:Port[VLAN] 172.31.100.10:49866[101], Server IP:Port[VLAN] 10.78.79.80:80[200], trans_id 2, ssl_domain_src 0, domain 10.78.79.80, start_time_sec 1503386131, start_time_usec 77743, last_data_time_sec 1503386139, last_data_time_usec 219215, end_time_sec 1503386139, end_time_usec219215, app_req_bytes 419, app_rsp_bytes 2581280, tot_req_bytes 419, tot_rsp_bytes 2581280, video_session_id 0x00030001, media_type 31, is_session_resume 0, opt_bit_rate 2000, is_rand_sampled 0, sessionization_status 2
Aug 22 10:16:40 T1100-PH-1 nsppe: PE:3:ns_mediac_sessionization.c:ns_mc_vs_generate_sess_summary:1636:vs[0x184d6100] client_ip[vlan]:172.31.100.10[101] video_session_id:0x00030001 transaction_count:2 media_type:31start_time_sec_abs:1503386129 start_time:273799 last_data_time:283179 (duration:9380) app_req_bytes:868 app_rsp_bytes:3374359 tot_req_bytes:868 tot_rsp_bytes:3374359 is_rand_sampled:0 opt_bit_rate:2000
Logging
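Added example, not part of the original deck: a parser for the ns_mc_log_trans transaction log line format shown above, of the kind one writes to feed these records into a SIEM and derive per-transaction metrics. The sample line is constructed in that layout with values modelled on the slide; the `transaction_metrics` helper and the dictionary keys it returns are this example's own, and the delivered-rate figure is derived from the app_rsp_bytes and start/end timestamps the log carries.

```python
import re

# Constructed sample line in the layout of the ns_mc_log_trans transaction log
# shown on this slide (values modelled on the slide, not captured from a live box).
SAMPLE_LINE = (
    "Aug 22 10:15:39 T1100-PH-1 nsppe: PE:2:ns_mediaclassification.c:ns_mc_log_trans:899:"
    "Transaction log: session_type 100, Client IP:Port[VLAN] 172.31.100.10:49866[101], "
    "Server IP:Port[VLAN] 10.78.79.80:80[200], trans_id 2, ssl_domain_src 0, domain 10.78.79.80, "
    "start_time_sec 1503386131, start_time_usec 77743, end_time_sec 1503386139, end_time_usec 219215, "
    "app_req_bytes 419, app_rsp_bytes 2581280, video_session_id 0x00030001, media_type 31, "
    "opt_bit_rate 2000, sessionization_status 2"
)

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) nsppe: "
    r"PE:(?P<pe>\d+):(?P<file>[\w.]+):(?P<func>\w+):(?P<line>\d+):Transaction log: (?P<body>.*)$"
)
# "Client IP:Port[VLAN] 172.31.100.10:49866[101]" -> ip, port, vlan
ENDPOINT_RE = re.compile(r"^(?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)\[(?P<vlan>\d+)\]$")

INT_FIELDS = ("session_type", "trans_id", "start_time_sec", "start_time_usec",
              "end_time_sec", "end_time_usec", "app_req_bytes", "app_rsp_bytes",
              "media_type", "opt_bit_rate", "sessionization_status")


def parse_transaction_log(line):
    """Return a dict for one transaction log line, or None if the line is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for item in m.group("body").split(", "):
        # Keys may contain spaces ("Client IP:Port[VLAN]"); the value never does.
        key, _, value = item.rpartition(" ")
        fields[key] = value
    rec = {"timestamp": m.group("ts"), "host": m.group("host"), "pe": int(m.group("pe"))}
    for side, key in (("client", "Client IP:Port[VLAN]"), ("server", "Server IP:Port[VLAN]")):
        e = ENDPOINT_RE.match(fields.get(key, ""))
        if not e:
            return None
        rec[side] = {"ip": e.group("ip"), "port": int(e.group("port")), "vlan": int(e.group("vlan"))}
    try:
        for key in INT_FIELDS:
            rec[key] = int(fields[key])
        rec["video_session_id"] = int(fields["video_session_id"], 16)
    except (KeyError, ValueError):
        return None
    rec["domain"] = fields.get("domain")
    return rec


def transaction_metrics(rec):
    """Transaction duration and the average response rate actually delivered (kbit/s)."""
    duration_us = ((rec["end_time_sec"] - rec["start_time_sec"]) * 1_000_000
                   + (rec["end_time_usec"] - rec["start_time_usec"]))
    kbps = rec["app_rsp_bytes"] * 8 * 1000 / duration_us if duration_us > 0 else 0.0
    return {"duration_us": duration_us, "delivered_kbps": kbps}


if __name__ == "__main__":
    rec = parse_transaction_log(SAMPLE_LINE)
    print(rec["client"], "->", rec["server"], "media_type", rec["media_type"])
    print(transaction_metrics(rec))
```

Lines that are not transaction logs (other nsppe messages, sshd, etc.) return None rather than raising, so the parser can be run over a whole ns.log. The delivered rate can be compared against the opt_bit_rate the pacing action configured to confirm that pacing took effect on a given session.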
-
130 © 2018 Citrix | Confidential
Counters (CLI)
> stat videooptimization -d
Video Optimization Statistics - detail
Video Optimization Transaction Statistics - summary
                              Rate (/s)   Total
ClearText PD Video            0           0
ClearText ABR Video           0           12
Encrypted ABR Video           0           0
QUIC Video                    40          230
Other                         0           8
Video Optimization Session statistics
                              Rate (/s)   Total
ClearText ABR Video Sessions  0           4
Encrypted ABR Video Sessions  0           0
QUIC Video Sessions           2           2
Video Optimization Transaction Bytes Served
                              Rate (/s)   Total
ClearText PD Bytes            0           0
ClearText ABR Bytes           0           16194022
Encrypted ABR Bytes           0           0
QUIC Bytes                    47473       3400394
Other                         0           2965349
-
131 © 2018 Citrix | Confidential
Connection Quality Analytics & AdaptiveTCP - Intro
Availability
• Both features introduced in 12.0 FR3
Licensing
• Both features require a Premium (on T1 platform) or a Platinum (on MPX platform - 12.0 FR4+) telco license installed.
Dependencies
• AdaptiveTCP depends on CQA
• AppFlow Logstream reporting is required for CQA reporting
• Both HTTP and TCP LB vservers are supported
-
132 © 2018 Citrix | Confidential
Connection Quality Analytics & AdaptiveTCP - Overview
Objective
• Enable mobile operators to analyze the overall behavior of their network, tracking network characteristics on a per-subscriber basis:
– Network Type (2G, 3G, 4G)
– Signal Quality (Poor, Fair, Good, Excellent)
– Congestion Level (None, Low, Medium, High)
• Allow the adaptation of the TCP optimization parameters of each connection, based on the current network conditions that the mobile subscriber is experiencing.
Use case
1. Analyze the overall behavior of the network, in terms of the conditions experienced by mobile subscribers.
• Network Analysis (Primary): Leverage analytics for forward planning.
• Market Analysis (Secondary): Track success in user adoption or churn for users with different devices and network types.
2. Improve User Experience and/or Network Utilization
-
133 © 2018 Citrix | Confidential
Connection Quality Analytics & AdaptiveTCP – Overview 2
[Architecture diagram. Components: Mobile Network, Internet, NetScaler (CQA Detection Logic, Adaptive-TCP Logic, Classification Model Coefficients, Adaptive-TCP Rules, CLI, Nitro-API), Logstream, MAS (Logstream Collector, Distributed User Experience Storage (UXStore), Machine Learning, Reporting); Sense / Optimise loop]
-
134 © 2018 Citrix | Confidential
Connection Quality Analytics - Configuration
Enable the feature and configure CQA parameters:
enable ns feature cqa
set ns cqaparam -harqretxdelay 7 -net1label 2g -minRTTNet1 25 -lr1probthresh 6.00e-01
  -net1cclscale "25,50,75" -net1csqscale "25,50,75" -net1logcoef "1.49,3.62,-0.14,1.84,4.83"
  -lr1coeflist "intercept=4.95,thruputavg=5.92,iaiavg=-189.48,rttmin=…"
  -net2label 3g -minRTTNet2 30 -net2csqscale "…" -net2logcoef "…" -lr2coeflist "intercept=..."
  -lr2probthresh 5.00e-01 -net2cclscale "25,50,75"
  -net3label 4g -minRTTNet3 35 -net3cclscale "25,50,75" -net3csqscale "25,50,75" -net3logcoef "…"
Configure AppFlow:
enable ns feature appflow
enable ns mode ULFD
add appflow collector col1 -IPAddress xx.xx.xx.xx -port 5557 -Transport logstream
set appflow param -tcpBurstReporting 1000 -cqaReporting ENABLED
Note: For 12.1+ you need to configure a tcpinsight analytics profile:
add analytics profile apcqa -type tcpinsight -collectors col1 -tcpBurstReporting
bind lb vserver tcplb -analyticsProfile apcqa
-
135 © 2018 Citrix | Confidential
Adaptive TCP – Configuration 1
Set up a set of AdaptiveTCP profiles
The existing TCP-profile management CLI is used to add AdaptiveTCP profiles.
• That is, TCP profiles that have the is_adaptive_tcp parameter enabled.
• is_adaptive_tcp as well as AdaptiveTCP profiles are not exposed to the customer (hidden).
• Used as a mechanism to capture the TCP optimization parameter values that we want to apply for specific conditions. The TCP profile parameters that AdaptiveTCP is supposed to tweak are:
1. TCP flavor
2. TCP max congestion window
3. Burst rate control
4. TCP rate
5. TCP rate maximum queue
6. Nile parameters (currently hidden)
7. Maximum TCP segments allowed in a burst
add ns tcpprofile nstcp_adaptive_tcp_profile_1 -isAdaptiveTcp ENABLED -flavor NILE -maxcwnd 8388608
  -tcprate 0 -rateqmax 0 -burstRateControl DISABLED -maxBurst 2 -nileAlphaMinPercent 100 -nileAlphaMax 64
  -nileBetaMinPercent 0 -nileBetaMaxPercent 25 -nileD1Percent 15 -nileD2Percent 30 -nileD3Percent 70
  -nileRttFactor 3 -nileRttFilter ENABLED
-
136 © 2018 Citrix | Confidential
Adaptive TCP – Configuration 2
Configure cqarules
Configure a set of cqarules that define the AdaptiveTCP lookup table, which maps CQA parameters to AdaptiveTCP profiles. cqarules are NOT exposed to the customer and can be configured using the following hidden CLIs:
(add|set) adaptivetcp cqarule -netType
    -signalQuality
    -congestionLevel
    -adaptiveTcpProfName
    -priority
rm adaptivetcp cqarule
• adaptiveTcpProfName is mandatory and should be an existing AdaptiveTCP profile.
• netType, signalQuality and congestionLevel are optional and all default to the value "Any".
• priority is optional, defaults to NORMAL, and defines the order in which the rules are applied when constructing the lookup table (LOWEST gets applied first, whereas HIGHEST gets applied last and thus overrides previously applied rules). For rules with the same priority, the order in which they were added defines the order in which they are applied.
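Added example, not the hidden NetScaler implementation: the lookup-table construction described above, modelled in Python with the precedence rules from the slide (LOWEST applied first, HIGHEST last, ties broken by insertion order, "Any" as the wildcard). The value sets come from the CQA overview and cqaparam slides; the three priority names are the ones the slide mentions (any intermediate levels are not modelled), the profile names in the rule set are illustrative, and returning None when no rule covers a combination is this model's choice, since the slide does not say what happens in that case.

```python
from itertools import product

# Value sets: network labels follow the cqaparam example (2g/3g/4g); signal
# quality and congestion categories follow the CQA overview slide.
NET_TYPES = ("2g", "3g", "4g")
SIGNAL_QUALITIES = ("Poor", "Fair", "Good", "Excellent")
CONGESTION_LEVELS = ("None", "Low", "Medium", "High")
# Priority names as given on the slide (assumed to be the complete set here).
PRIORITY_RANK = {"LOWEST": 0, "NORMAL": 1, "HIGHEST": 2}
ANY = "Any"


class CqaRule:
    """One 'add adaptivetcp cqarule' entry (parameter names taken from the slide)."""

    def __init__(self, adaptive_tcp_prof_name, net_type=ANY, signal_quality=ANY,
                 congestion_level=ANY, priority="NORMAL"):
        if not adaptive_tcp_prof_name:
            raise ValueError("adaptiveTcpProfName is mandatory")
        for value, allowed, label in ((net_type, NET_TYPES, "netType"),
                                      (signal_quality, SIGNAL_QUALITIES, "signalQuality"),
                                      (congestion_level, CONGESTION_LEVELS, "congestionLevel")):
            if value != ANY and value not in allowed:
                raise ValueError(f"unknown {label} {value!r}")
        if priority not in PRIORITY_RANK:
            raise ValueError(f"unknown priority {priority!r}")
        self.profile = adaptive_tcp_prof_name
        self.match = (net_type, signal_quality, congestion_level)
        self.priority = priority

    def covers(self, key):
        """True when every non-wildcard criterion equals the corresponding key field."""
        return all(want == ANY or want == have for want, have in zip(self.match, key))


def build_lookup_table(rules):
    """Apply rules LOWEST first and HIGHEST last, ties in insertion order, so a
    later rule overwrites the cells an earlier one filled."""
    table = {}
    ordered = sorted(enumerate(rules), key=lambda ir: (PRIORITY_RANK[ir[1].priority], ir[0]))
    for _, rule in ordered:
        for key in product(NET_TYPES, SIGNAL_QUALITIES, CONGESTION_LEVELS):
            if rule.covers(key):
                table[key] = rule.profile
    return table


def lookup(table, net_type, signal_quality, congestion_level):
    """Profile chosen for a connection's current CQA parameters, or None when no
    rule covers that combination (no AdaptiveTCP adjustment in this model)."""
    return table.get((net_type, signal_quality, congestion_level))


# Constructed rule set (profile names are illustrative):
EXAMPLE_RULES = [
    CqaRule("adtcp_default", priority="LOWEST"),                        # catch-all, applied first
    CqaRule("adtcp_2g", net_type="2g"),                                  # NORMAL
    CqaRule("adtcp_2g_poor", net_type="2g", signal_quality="Poor"),      # NORMAL, added later so it wins
    CqaRule("adtcp_congested", congestion_level="High", priority="HIGHEST"),
]
EXAMPLE_TABLE = build_lookup_table(EXAMPLE_RULES)

if __name__ == "__main__":
    for key in (("2g", "Good", "Low"), ("2g", "Poor", "Low"),
                ("2g", "Poor", "High"), ("4g", "Excellent", "None")):
        print(key, "->", lookup(EXAMPLE_TABLE, *key))
```

Because the table is materialised over the full product of the three dimensions, a catch-all rule at LOWEST priority guarantees every cell is populated; without one, combinations no rule covers stay empty, which is worth checking before relying on the rules in production.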
-
137 © 2018 Citrix | Confidential
Adaptive TCP – Configuration 3
Enable the feature:
enable ns feature adaptivetcp
Configure when the AdaptiveTCP logic will be triggered
Configure a normal TCP profile to have the applyAdaptiveTcp parameter enabled and bind it to a vserver:
(add|set) ns tcpProfile nstcp_profile_with_adtcp -tcpmode ENDPOINT -applyAdaptiveTcp ENABLED
set lb vserver tcplb -tcpProfileName nstcp_profile_with_adtcp
Whenever this TCP profile is used to handle traffic, the AdaptiveTCP logic is triggered, i.e.:
1. the ux-store is queried to retrieve the CQA parameters,
2. the AdaptiveTCP table is looked up to get an AdaptiveTCP profile,
3. the respective TCP optimization parameters are applied for the rest of the connection.
It must be clear that when the AdaptiveTCP logic selects an AdaptiveTCP profile to be applied, there is NOT going to be any actual replacement of the normal TCP profile. Instead the logic just tweaks/adjusts specific TCP profile parameters according to how the selected AdaptiveTCP profile is configured.
-
138 © 2018 Citrix | Confidential
Using CQA-based PI Expressions
PI has been extended to support the use of CQA parameters in policy expressions.
NETWORK_TYPE: String value that matches the detected network type configured through the cqaparam command interface.
SIGNAL_QUALITY: Integer value ranging from 0 to 100 and matching the CQA signal quality parameter stored in the subscriber store (lower values indicate better signal quality).
CONGESTION_LEVEL: Integer value ranging from 0 to 100 and matching the CQA raw value of the congestion level parameter stored in the subscriber store (lower values indicate lower congestion).
Example expression:
ANALYTICS.CONNECTION_QUALITY.NETWORK_TYPE.EQ(\"2G\") &&
ANALYTICS.CONNECTION_QUALITY.SIGNAL_QUALITY.GT(60) &&
ANALYTICS.CONNECTION_QUALITY.CONGESTION_LEVEL.GT(80)
-
139 © 2018 Citrix | Confidential