netscaler 11 update

Upload: marketingarrowecscz

Post on 22-Feb-2017

Category:

Technology


TRANSCRIPT

Page 1: NetScaler 11 Update

NetScaler 11 Update

Page 2: NetScaler 11 Update

NetScaler Application Delivery Controller

What is NetScaler?

NetScaler is an enterprise grade application delivery controller, or ADC. So, what does that mean?

NetScaler is the appliance that sits between external users and your back-end resources. The list of features and use cases for the NetScaler is so long, it would be easier to explain what it doesn’t do. But where’s the fun in that?

Let’s start off with the basics.

The primary features of the appliance are load balancing, AAA traffic management, traffic optimization, SSL offload and security.

Page 3: NetScaler 11 Update

Load Balancing

What is NetScaler?

Load balancing is the primary function of the NetScaler.

NetScaler routes traffic to back-end resources using a designated set of rules so that those back-end servers are not overloaded.

Several methods of load balancing are available, including:
• Least Connection
• Least Response time
• Round Robin
• SNMP based
• Hash based
• ….

Page 4: NetScaler 11 Update

AAA Traffic Management

What is NetScaler?

AAA provides security for a distributed Internet environment by allowing any client with the proper credentials to connect securely to protected application servers from anywhere on the Internet.

This feature incorporates the three security features of authentication, authorization, and auditing.

Page 5: NetScaler 11 Update

Traffic Optimization

What is NetScaler?

Traffic optimization is a feature set on the NetScaler that includes:

• Integrated Caching
• HTTP Compression
• Front End Optimization
• TCP Optimization

Page 6: NetScaler 11 Update

SSL Offload and Acceleration

What is NetScaler?

A Citrix NetScaler appliance configured for SSL acceleration transparently accelerates SSL transactions by offloading SSL processing from the server.

To configure SSL offloading, you configure a virtual server to intercept and process SSL transactions, and send the decrypted traffic to the server (unless you configure end-to-end encryption, in which case the traffic is re-encrypted).

Upon receiving the response from the server, the appliance completes the secure transaction with the client.

From the client's perspective, the transaction seems to be directly with the server. A NetScaler configured for SSL acceleration also performs other configured functions, such as load balancing.

Page 7: NetScaler 11 Update

Web Application Firewall

[Diagram: Internet / Web App Users → Network Firewalls → Citrix NetScaler → Application Infrastructure. Legitimate traffic allowed through; Application Attacks Blocked]

• Blocks dozens of day zero attack vectors
  o Includes CSRF, xPath Injection, XML attachment checks
• Bi-directional inspection: advanced attack prevention
• SSL traffic supported
• Sustained protection to 40 Gbps
• ICSA certified
• OWASP 10

Page 8: NetScaler 11 Update

NetScaler TriScale Technology

What is NetScaler?

Citrix TriScale technology revolutionizes enterprise cloud networks by providing unrivaled capabilities that smartly and affordably scale application and service delivery infrastructures without additional complexity.

Page 9: NetScaler 11 Update

NetScaler ADC Use Cases

What is NetScaler

Use cases for the NetScaler ADC include:
• Web application management
• Load balancing
• Web application security
• Server offloading
• Remote access
• Data Base optimization
• Traffic optimization
• Web Application Firewall
• DOS/DDOS protection
• ……

Page 10: NetScaler 11 Update

NetScaler Flexible Deployment Options

Page 11: NetScaler 11 Update

NetScaler Offerings

Licensing

• Standard Edition: Comprehensive L4-7 load balancing and optimizes expensive server and network resources to reduce cost
• Enterprise Edition: Web application delivery solution providing advanced traffic management and powerful application acceleration
• Platinum Edition: Web application delivery solution designed to deliver mission-critical applications with web application firewall security, fastest performance, and lowest cost

Page 12: NetScaler 11 Update

• VPX: Virtual, Run Anywhere
• SDX: Platform, Multi-Tenant Multi-Service
• MPX: Physical, Price-Performance

Page 13: NetScaler 11 Update

Platform Lineup: NetScaler

[Chart: Performance (HTTP)/Gbps versus Maximum Tenants per Platform. Legend: Multi-tenant Capable, FIPS Platforms, Single-tenant]

• VPX: 10Mbps – 3Gbps
• MPX 5550-5650: 500Mbps – 1 Gbps
• MPX/SDX 8005-8015: 5Gbps – 15Gbps, 5 Instances
• MPX 9700-15500 FIPS: 3Gbps – 15Gbps
• MPX/SDX 11515-11542: 15Gbps – 42Gbps, 20 Instances
• MPX 14060-14080 (40G): 60Gbps – 80Gbps
• MPX/SDX 22040-22120: 40Gbps – 120Gbps, 80 Instances
• MPX/SDX 24100-24150: 100Gbps – 150Gbps, 80 Instances
• MPX 25100T-25160T: 100Gbps – 160Gbps, No HW SSL
• MPX 25160-25180 (40G): 160Gbps – 180Gbps

Page 14: NetScaler 11 Update

What’s new

Page 15: NetScaler 11 Update

© 2015 Citrix | Confidential

Graphical User Interface

Page 16: NetScaler 11 Update

New in 11.0

• No Java, completely on HTML5

• Visualizers
• Networking
• Load Balancing
• Content Switching
• App Firewall
• Application Templates

• Customer experience program

• Authentication Dashboard
• Single Pane to Configure-Monitor-Maintain

• Unified Gateway
• CSV Server for Unified Gateway
• Portal customization
• Smart Access

• Admin Partitioning

• Diagnostics using web-sockets

Page 17: NetScaler 11 Update

Visualizers

Page 18: NetScaler 11 Update
Page 19: NetScaler 11 Update

Authentication GUI Enhancements

Page 20: NetScaler 11 Update

Logs

Page 21: NetScaler 11 Update

NetScaler Admin Partitions

Page 22: NetScaler 11 Update

New Features – Admin Partitioning

Page 23: NetScaler 11 Update

User Plane

Data Plane

Network Plane

Logical Partitioning

Admin Part 1, Admin Part 2, Admin Part 3, Admin Part 4, Admin Part 5, Admin Part N

Page 24: NetScaler 11 Update

User Plane

Data Plane

Network Plane

Complete Separation

Admin Part

Ns.conf

Auditlogs

SNMP

Debugging

File System

Page 25: NetScaler 11 Update

SDX Platform Improvements

Page 26: NetScaler 11 Update

Simplified Image Upgrade

Page 27: NetScaler 11 Update

Instance Back up and Restore

Page 28: NetScaler 11 Update

New Dashboard

Page 29: NetScaler 11 Update

NetScaler Unified Gateway

Page 30: NetScaler 11 Update

Consolidation (& Flexibility)

Experience

Security

• Full SSL VPN tunnel and per app VPN tunnel for iOS and Android improves security
• SmartCompliance allows centralized management
• Support for iOS, Android and Linux VPN Clients
• Highly customizable portal
• GUI – Usability Simplification and Dashboard

Future-proof architecture

Granular and Dynamic security policies

One click access to all apps

• One URL provides consolidation
• Content Switching allows One URL for all applications
• Flexibility to choose any device type from any location

SaaSGateway

ICA Proxy

SSL VPN

Network Visibility + Control

Threats

Access

QoS Optimized

SLAs

Video

What’s new in NetScaler with Unified Gateway

Page 31: NetScaler 11 Update

Unified Gateway provides One URL to any application

ONE URL

Page 32: NetScaler 11 Update

CS V-Server

LB V-Server(Reverse Proxy)

Gateway V-Server

SSO

SSO

SaaS

One URL, Login Once

Citrix Apps, OWA, SharePoint, Enterprise Apps, Mobile Apps

Unified Gateway provides One URL to any application

Web Apps

Page 33: NetScaler 11 Update

New homepage for Greenbubble theme

Page 34: NetScaler 11 Update

Portal Customization Wizard flow

Page 35: NetScaler 11 Update

VPN Plugin EPA Plugin

VPN plug-in upgrade control

Page 36: NetScaler 11 Update

Security and Traffic

Page 37: NetScaler 11 Update

NetScaler Security Announcements

After the NSS labs report – Code changes in AppFW drove a performance increase of 100-200%

Available now in latest 10.5.e build and 11.0.

Other enhancements include location based detection and protection plus request capturing (trace) for blocked requests.

Page 38: NetScaler 11 Update

New Cipher Support

AES-GCM/SHA-2
• Front-end on MPX, SDX (PX, N3)
• TLSv1.2 only.

ECDHE
• Back-end on MPX, SDX (PX, N3)
• Note: ECDHE on front-end GA’ed in 10.1, 10.5

Support on other platforms (FIPS, VPX) coming soon.

Page 39: NetScaler 11 Update

DEFAULT Cipher Alias Re-ordering (Front-end)

Give preference to AES/AES-GCM/ECDHE ciphers.

De-prioritize RC4 ciphers.

No ciphers dropped.

New Cipher Re-Order List

TLS1-AES-256-CBC-SHA (0x0035)
TLS1-AES-128-CBC-SHA (0x002f)
TLS1.2-AES-256-SHA256 (0x003d)
TLS1.2-AES-128-SHA256 (0x003c)
TLS1.2-AES256-GCM-SHA384 (0x009d)
TLS1.2-AES128-GCM-SHA256 (0x009c)
TLS1-ECDHE-RSA-AES256-SHA (0xc014)
TLS1-ECDHE-RSA-AES128-SHA (0xc013)
… 28 ciphers …

Old Cipher Re-Order List

SSL3-RC4-MD5 (0x0004)
SSL3-RC4-SHA (0x0005)
SSL3-DES-CBC3-SHA (0x000a)
TLS1-AES-256-CBC-SHA (0x0035)
TLS1-AES-128-CBC-SHA (0x002f)
SSL3-EDH-DSS-DES-CBC3-SHA (0x0013)
TLS1-DHE-DSS-RC4-SHA (0x0066)
TLS1-DHE-DSS-AES-256-CBC-SHA (0x0038)
… 28 ciphers …

Page 40: NetScaler 11 Update

DTLS Enhancement

Support for PFS cipher
• DHE

DTLS used for Framehawk support
• XA/XD attach.
• NS Gateway, TURN protocol.

Page 41: NetScaler 11 Update

SSL Profile…

New Changes:
• Cipher setting on a profile.
• Cipher Alias, User-defined Cipher Group, Single Cipher.
• Default profile will have “DEFAULT” or “FIPS” cipher-alias on Front-end profile, “ALL” or “FIPS” cipher-alias on Back-end profile.
• Different ciphers or cipher group/alias with priority settings.
• While choosing a cipher suite:
  a. First the cipher suites in the highest priority cipher group would be checked.
  b. The cipher suites inside the cipher group would be considered according to their relative priority inside the group.
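The priority rules above and the DEFAULT alias re-ordering from the earlier cipher slide, as an added Python model (not Citrix code and not part of the original deck): it flattens prioritized cipher bindings into one preference list and picks the first suite the client offers. It assumes a lower priority number means higher preference, uses only the eight suites each slide lists, and all function names are hypothetical.

```python
# Added model of the selection rules on the slides; not NetScaler code.
# Assumption: a lower priority number means higher preference.

# First eight entries of each DEFAULT ordering as listed on the slide (rest elided there).
OLD_DEFAULT = [
    "SSL3-RC4-MD5", "SSL3-RC4-SHA", "SSL3-DES-CBC3-SHA",
    "TLS1-AES-256-CBC-SHA", "TLS1-AES-128-CBC-SHA",
    "SSL3-EDH-DSS-DES-CBC3-SHA", "TLS1-DHE-DSS-RC4-SHA",
    "TLS1-DHE-DSS-AES-256-CBC-SHA",
]
NEW_DEFAULT = [
    "TLS1-AES-256-CBC-SHA", "TLS1-AES-128-CBC-SHA",
    "TLS1.2-AES-256-SHA256", "TLS1.2-AES-128-SHA256",
    "TLS1.2-AES256-GCM-SHA384", "TLS1.2-AES128-GCM-SHA256",
    "TLS1-ECDHE-RSA-AES256-SHA", "TLS1-ECDHE-RSA-AES128-SHA",
]

def effective_order(bindings, groups):
    """Flatten profile bindings [(priority, name)] into one preference list."""
    order = []
    for _, name in sorted(bindings):                 # highest-priority binding first
        # A name not found in `groups` is treated as a single cipher.
        members = groups.get(name, [(1, name)])
        for _, cipher in sorted(members):            # relative priority inside the group
            if cipher not in order:                  # earliest binding of a cipher wins
                order.append(cipher)
    return order

def select(order, client_offer, client_tls12=True):
    """Server-preference pick: first cipher in `order` the client can use."""
    for cipher in order:
        if cipher.startswith("TLS1.2-") and not client_tls12:
            continue                                 # TLSv1.2-only suites
        if cipher in client_offer:
            return cipher
    return None                                      # no shared cipher

def as_group(ciphers):
    """Turn an ordered list into [(priority, cipher)] with priorities 1..n."""
    return [(i, c) for i, c in enumerate(ciphers, start=1)]

def weak_positions(order):
    """1-based positions of RC4 and DES/3DES suites, for auditing an ordering."""
    return {c: i for i, c in enumerate(order, 1) if "RC4" in c or "DES" in c}
```

With the old ordering, a client that offers both an RC4 suite and an AES suite negotiates RC4; with the new ordering the same client negotiates AES, which is the practical effect of the re-ordering even though no ciphers are dropped.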

Page 42: NetScaler 11 Update

Qualys SSL Labs Report: NetScaler MPX/SDX/VPX

http://blogs.citrix.com/2015/05/22/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-the-sequel/

Page 43: NetScaler 11 Update

NS integration with Thales HSM

Thales HSM can be used to provide FIPS solution for Non FIPS MPX/SDX/VPX appliances.

Releases: 11, 10.5.e (rs_105_e 53_9008_e+)

NW SWITCH SWITCH

Thales HSM

Remote File Server(RFS)

BS

Page 44: NetScaler 11 Update

Web Server

Web Server

HTTP/2 Gateway

Page 45: NetScaler 11 Update

HTTP/2 HTTP/1.1

Web Server

Web Server

Enables L7 optimization

Transitional path for infrastructure

HTTP/2 Gateway

Page 46: NetScaler 11 Update

HTTP/2 Configuration in NetScaler

One Step Config to enable HTTP/2

Page 47: NetScaler 11 Update

TCP Nile Congestion Control

• We introduce a new congestion control algorithm for high speed networks, called TCP-Nile.
• TCP-Nile uses packet loss information to determine whether the window size should be increased or decreased, and uses queueing delay information to determine the amount of increment or decrement.
• TCP-Nile achieves high throughput, allocates the network resource fairly, and is incentive compatible with standard TCP.

Page 48: NetScaler 11 Update

Programmable Traffic Management

Page 49: NetScaler 11 Update

Simple and powerful customizations using scripting

Policy is the first NS feature to support NS Extensions

Policy extensions are called Extension Functions

Citrix Confidential - Do Not Distribute

NetScaler Extensions

Page 50: NetScaler 11 Update

Page 51: NetScaler 11 Update

Cloud & SDN integration

Page 52: NetScaler 11 Update

Public Cloud Integration: AWS

Page 53: NetScaler 11 Update

Public Cloud Integration: AZURE

Page 54: NetScaler 11 Update
Page 55: NetScaler 11 Update

NetScaler Orchestration in a Cloud

NetScaler Control Center

Per-tenant ADC

Automation

Centralized Visibility.

NetScaler ADCaaS NetScaler ADCaaS

VDC VDC

NetScaler ADCaaS

VDC

Page 56: NetScaler 11 Update

CISCO ACI - Application Centric Infrastructure

Nexus 9500

Nexus 9300 and 9500

Physical Networking Compute Multi DC WAN and Cloud

L4–L7 Services, Storage

Integrated WAN Edge

Hypervisors and Virtual Networking

Nexus 2K

Nexus 7K

APIC

Page 57: NetScaler 11 Update

Most advanced ADC integration with Cisco ACI

Page 58: NetScaler 11 Update

WORK BETTER. LIVE BETTER.