NetScaler 11 Update
NetScaler Application Delivery Controller
What is NetScaler?
NetScaler is an enterprise-grade application delivery controller, or ADC. So, what does that mean?
NetScaler is the appliance that sits between external users and your back-end resources. The list of features and use cases for the NetScaler is so long, it would be easier to explain what it doesn’t do. But where’s the fun in that?
Let’s start off with the basics.
The primary features of the appliance are load balancing, AAA traffic management, traffic optimization, SSL offload and security.
Load Balancing
Load balancing is the primary function of the NetScaler.
NetScaler routes traffic to back end resources using a designated set of rules so that those back end servers are not overloaded.
Several load balancing methods are available, including:
• Least Connection
• Least Response time
• Round Robin
• SNMP based
• Hash based
• …
AAA Traffic Management
AAA provides security for a distributed Internet environment by allowing any client with the proper credentials to connect securely to protected application servers from anywhere on the Internet.
This feature incorporates the three security features of authentication, authorization, and auditing.
Traffic Optimization
Traffic optimization is a feature set on the NetScaler that includes:
• Integrated Caching
• HTTP Compression
• Front End Optimization
• TCP Optimization
SSL Offload and Acceleration
A Citrix NetScaler appliance configured for SSL acceleration transparently accelerates SSL transactions by offloading SSL processing from the server.
To configure SSL offloading, you configure a virtual server to intercept and process SSL transactions, and send the decrypted traffic to the server (unless you configure end-to-end encryption, in which case the traffic is re-encrypted).
Upon receiving the response from the server, the appliance completes the secure transaction with the client.
From the client's perspective, the transaction seems to be directly with the server. A NetScaler configured for SSL acceleration also performs other configured functions, such as load balancing.
Web Application Firewall
[Diagram: Internet web app users, network firewalls, Citrix NetScaler, application infrastructure. Legitimate traffic allowed through; application attacks blocked.]
• Blocks dozens of zero-day attack vectors
o Includes CSRF, XPath Injection, XML attachment checks
• Bi-directional inspection: advanced attack prevention
• SSL traffic supported
• Sustained protection to 40 Gbps
• ICSA certified
• OWASP 10
NetScaler TriScale Technology
Citrix TriScale technology revolutionizes enterprise cloud networks by providing unrivaled capabilities that smartly and affordably scale application and service delivery infrastructures without additional complexity.
NetScaler ADC Use Cases
Use cases for the NetScaler ADC include:
• Web application management
• Load balancing
• Web application security
• Server offloading
• Remote access
• Database optimization
• Traffic optimization
• Web Application Firewall
• DoS/DDoS protection
• …
NetScaler Flexible Deployment Options
NetScaler Offerings
Licensing
• Standard Edition: Comprehensive L4-7 load balancing; optimizes expensive server and network resources to reduce cost
• Enterprise Edition: Web application delivery solution providing advanced traffic management and powerful application acceleration
• Platinum Edition: Web application delivery solution designed to deliver mission-critical applications with web application firewall security, fastest performance, and lowest cost
Platform
• VPX: Virtual, Run Anywhere
• MPX: Physical, Price-Performance
• SDX: Multi-Tenant, Multi-Service
Platform Lineup: NetScaler
[Chart: Performance (HTTP)/Gbps against Maximum Tenants per Platform. Legend: Multi-tenant Capable, FIPS Platforms, Single-tenant.]
• MPX/SDX 22040-22120: 40Gbps – 120Gbps, 80 Instances
• MPX 5550-5650: 500Mbps – 1Gbps
• MPX/SDX 24100-24150: 100Gbps – 150Gbps, 80 Instances
• MPX 9700-15500 FIPS: 3Gbps – 15Gbps
• VPX: 10Mbps – 3Gbps
• MPX/SDX 8005-8015: 5Gbps – 15Gbps, 5 Instances
• MPX/SDX 11515-11542: 15Gbps – 42Gbps, 20 Instances
• MPX 25100T-25160T: 100Gbps – 160Gbps, No HW SSL
• MPX 14060-14080 (40G): 60Gbps – 80Gbps
• MPX 25160-25180 (40G): 160Gbps – 180Gbps
What’s new
© 2015 Citrix | Confidential
Graphical User Interface
New in 11.0
• No Java, completely on HTML5
• Visualizers
• Networking
• Load Balancing
• Content Switching
• App Firewall
• Application Templates
• Customer experience program
• Authentication Dashboard
• Single Pane to Configure-Monitor-Maintain
• Unified Gateway
• CSV Server for Unified Gateway
• Portal customization
• Smart Access
• Admin Partitioning
• Diagnostics using web-sockets
Visualizers
Authentication GUI Enhancements
Logs
NetScaler Admin Partitions
New Features – Admin Partitioning
[Diagram: Logical Partitioning of the User Plane, Data Plane and Network Plane into Admin Part 1 through Admin Part N. Complete Separation per Admin Part: ns.conf, audit logs, SNMP, debugging, file system.]
SDX Platform Improvements
Simplified Image Upgrade
Instance Back up and Restore
New Dashboard
NetScaler Unified Gateway
Consolidation (& Flexibility), Experience, Security
• Full SSL VPN tunnel and per app VPN tunnel for iOS and Android improves security
• SmartCompliance allows centralized management
• Support for iOS, Android and Linux VPN Clients
• Highly customizable portal
• GUI – Usability Simplification and Dashboard
Future-proof architecture; Granular and Dynamic security policies; One click access to all apps
• One URL provides consolidation
• Content Switching allows One URL for all applications
• Flexibility to choose any device type from any location
[Diagram labels: SaaS Gateway, ICA Proxy, SSL VPN, Network Visibility + Control, Threats, Access, QoS Optimized, SLAs, Video]
What’s new in NetScaler with Unified Gateway
Unified Gateway provides One URL to any application
[Diagram: ONE URL; CS V-Server; LB V-Server (Reverse Proxy); Gateway V-Server; SSO; back ends: SaaS, Web Apps, Citrix Apps, OWA, SharePoint, Enterprise Apps, Mobile Apps]
One URL, Login Once
New homepage for Greenbubble theme
Portal Customization Wizard flow
VPN Plugin EPA Plugin
VPN plug-in upgrade control
Security and Traffic
NetScaler Security Announcements
After the NSS Labs report, code changes in AppFW drove a performance increase of 100-200%.
Available now in the latest 10.5.e build and 11.0.
Other enhancements include location-based detection and protection, plus request capturing (trace) for blocked requests.
New Cipher Support
AES-GCM/SHA-2
• Front-end on MPX, SDX (PX, N3)
• TLSv1.2 only.
ECDHE
• Back-end on MPX, SDX (PX, N3)
• Note: ECDHE on front-end GA’ed in 10.1, 10.5
Support on other platforms (FIPS, VPX) coming soon.
DEFAULT Cipher Alias Re-ordering (Front-end)
• Give preference to AES/AES-GCM/ECDHE ciphers.
• De-prioritize RC4 ciphers.
• No ciphers dropped.
New Cipher Re-Order List
TLS1-AES-256-CBC-SHA (0x0035)
TLS1-AES-128-CBC-SHA (0x002f)
TLS1.2-AES-256-SHA256 (0x003d)
TLS1.2-AES-128-SHA256 (0x003c)
TLS1.2-AES256-GCM-SHA384 (0x009d)
TLS1.2-AES128-GCM-SHA256 (0x009c)
TLS1-ECDHE-RSA-AES256-SHA (0xc014)
TLS1-ECDHE-RSA-AES128-SHA (0xc013)
… 28 ciphers …
Old Cipher Re-Order List
SSL3-RC4-MD5 (0x0004)
SSL3-RC4-SHA (0x0005)
SSL3-DES-CBC3-SHA (0x000a)
TLS1-AES-256-CBC-SHA (0x0035)
TLS1-AES-128-CBC-SHA (0x002f)
SSL3-EDH-DSS-DES-CBC3-SHA (0x0013)
TLS1-DHE-DSS-RC4-SHA (0x0066)
TLS1-DHE-DSS-AES-256-CBC-SHA (0x0038)
… 28 ciphers …
DTLS Enhancement
Support for PFS cipher
• DHE
DTLS used for Framehawk support
• XA/XD attach.
• NS Gateway, TURN protocol.
SSL Profile
New changes:
• Cipher setting on a profile.
• Cipher Alias, User-defined Cipher Group, Single Cipher.
• Default profile will have the “DEFAULT” or “FIPS” cipher-alias on the front-end profile, and the “ALL” or “FIPS” cipher-alias on the back-end profile.
• Different ciphers or cipher groups/aliases with priority settings.
• While choosing a cipher suite:
a. First, the cipher suites in the highest-priority cipher group are checked.
b. The cipher suites inside the cipher group are considered according to their relative priority inside the group.
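The priority-ordered selection described above, together with the effect of the DEFAULT alias re-ordering, as an added example (a model written for this page, not NetScaler code). Cipher names and codes are the truncated lists printed above; the rule that a lower number means higher priority, the client offer and the `PFS_GROUP` binding are assumptions of the model.

```python
# Added example: a model of priority-ordered cipher selection, not NetScaler code.
# Cipher names and codes are the visible (truncated) prefixes printed on the page,
# so the de-prioritized tail of each list (e.g. RC4 in the new order) is not modelled.
OLD_DEFAULT = [
    ("SSL3-RC4-MD5", 0x0004), ("SSL3-RC4-SHA", 0x0005),
    ("SSL3-DES-CBC3-SHA", 0x000A), ("TLS1-AES-256-CBC-SHA", 0x0035),
    ("TLS1-AES-128-CBC-SHA", 0x002F), ("SSL3-EDH-DSS-DES-CBC3-SHA", 0x0013),
    ("TLS1-DHE-DSS-RC4-SHA", 0x0066), ("TLS1-DHE-DSS-AES-256-CBC-SHA", 0x0038),
]
NEW_DEFAULT = [
    ("TLS1-AES-256-CBC-SHA", 0x0035), ("TLS1-AES-128-CBC-SHA", 0x002F),
    ("TLS1.2-AES-256-SHA256", 0x003D), ("TLS1.2-AES-128-SHA256", 0x003C),
    ("TLS1.2-AES256-GCM-SHA384", 0x009D), ("TLS1.2-AES128-GCM-SHA256", 0x009C),
    ("TLS1-ECDHE-RSA-AES256-SHA", 0xC014), ("TLS1-ECDHE-RSA-AES128-SHA", 0xC013),
]

def effective_order(bindings):
    """Flatten (group_priority, ciphers) bindings into one preference list.

    Assumption of this model: a lower number means a higher priority, and the
    ciphers inside a group are already listed in their relative priority.
    A cipher bound through two groups keeps its first (best) position.
    """
    seen, order = set(), []
    for _, ciphers in sorted(bindings, key=lambda b: b[0]):
        for name, code in ciphers:
            if code not in seen:
                seen.add(code)
                order.append((name, code))
    return order

def select_cipher(bindings, client_offer):
    """Return the first cipher in server priority order that the client offers."""
    offered = set(client_offer)
    for name, code in effective_order(bindings):
        if code in offered:
            return name
    return None  # no shared cipher suite: the handshake fails

# Constructed client offer: RC4-SHA, two AES-CBC suites, one ECDHE suite.
CLIENT_OFFER = [0x0005, 0x002F, 0x0035, 0xC013]
# Hypothetical user-defined group bound ahead of the DEFAULT alias.
PFS_GROUP = [("TLS1-ECDHE-RSA-AES256-SHA", 0xC014),
             ("TLS1-ECDHE-RSA-AES128-SHA", 0xC013)]

if __name__ == "__main__":
    print(select_cipher([(1, OLD_DEFAULT)], CLIENT_OFFER))
    print(select_cipher([(1, NEW_DEFAULT)], CLIENT_OFFER))
    print(select_cipher([(1, PFS_GROUP), (2, NEW_DEFAULT)], CLIENT_OFFER))
```

The same client lands on RC4 under the old ordering and on AES under the new one, which is why auditing the bound order matters as much as auditing the cipher set.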
Qualys SSL Labs Report: NetScaler MPX/SDX/VPX
http://blogs.citrix.com/2015/05/22/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-the-sequel/
NS integration with Thales HSM
Thales HSM can be used to provide a FIPS solution for non-FIPS MPX/SDX/VPX appliances.
Releases: 11, 10.5.e (rs_105_e 53_9008_e+)
[Diagram labels: NW, SWITCH, SWITCH, Thales HSM, Remote File Server (RFS), BS, Web Server, Web Server]
HTTP/2 Gateway
[Diagram: HTTP/2 and HTTP/1.1 connections, web servers]
• Enables L7 optimization
• Transitional path for infrastructure
HTTP/2 Configuration in NetScaler
One Step Config to enable HTTP/2
TCP Nile Congestion Control
• We introduce a new congestion control algorithm for high-speed networks, called TCP-Nile.
• TCP-Nile uses packet loss information to determine whether the window size should be increased or decreased, and uses queueing delay information to determine the amount of increment or decrement.
• TCP-Nile achieves high throughput, allocates the network resource fairly, and is incentive compatible with standard TCP.
Programmable Traffic Management
Simple and powerful customizations using scripting
Policy is the first NS feature to support NS Extensions
Policy extensions are called Extension Functions
Citrix Confidential - Do Not Distribute
NetScaler Extensions
Cloud & SDN integration
Public Cloud Integration: AWS
Public Cloud Integration: Azure
NetScaler Orchestration in a Cloud
NetScaler Control Center
Per-tenant ADC
Automation
Centralized Visibility.
[Diagram: NetScaler ADCaaS instances, one per VDC]
CISCO ACI - Application Centric Infrastructure
[Diagram: Cisco ACI with APIC, Nexus 9500, Nexus 9300 and 9500, Nexus 2K and Nexus 7K. Labels: Physical Networking, Compute, Multi DC WAN and Cloud, L4–L7 Services, Storage, Integrated WAN Edge, Hypervisors and Virtual Networking.]
Most advanced ADC integration with Cisco ACI