NetScaler 10 Overview - SKM (PDF transcript)
NetScaler 10
Overview
NetScaler 10.5 delivers a high-quality mobile experience in service provider and enterprise cloud environments.
NetScaler 10.5
(Figure: desktops, data, BYO, mobility, enterprise apps, SaaS apps)
Mobility and cloud services are changing datacenter networks.
10.5 - Cloud services and mobility support:
• Cloud-enabled services platform
• Distributed apps break app monitoring: cloud-enabled visibility tools
• BYOD changes client requirements: optimization for mobile devices
Layer 4 Load Balancing
Maintaining user sessions (persistence):
• Source IP
• Cookie
• SSL Session ID
• Server ID in URL query
• Custom server ID
• Token (header or body)
Distributing traffic:
• Least Connections
• Lowest Response Time
• SNMP-based
• IBM SASP
• Hash-based
• Many more…
Monitoring server health and availability:
• TCP Connection
• HTTPS Connection
• Extended Content Verification
• Scriptable Health Checks
(Figure: TCP and UDP client requests)
Content Switching: Load Balancing on Steroids
HTTP requests can be switched on:
Client attributes
• Anything in the request body
• Device type
• Language
• Cookie
• Browser capability
Request protocol and method
• Any TCP request
• HTTP GET
• HTTP POST
Request payload and URL
• Any TCP payload value
• Any HTTP payload value
• Domain
• Wildcard URL
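The two slides above list persistence methods, distribution methods, health monitors and content-switching criteria as separate features. The Python model below is an added example, not NetScaler code or configuration, that shows how those pieces interact on one request path: content-switching policies pick a pool, the pool honours source-IP or cookie persistence, a failed health check overrides persistence, and least connections places new sessions. The hostnames, pool and server names, cookie name and the "SOURCEIP"/"COOKIE"/"NONE" labels are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    healthy: bool = True    # maintained by the health monitor
    active_conns: int = 0   # input to the least-connections method


@dataclass
class Pool:
    """One load-balancing virtual server: its services plus a persistence type."""
    name: str
    servers: list
    persistence: str = "SOURCEIP"              # "SOURCEIP", "COOKIE" or "NONE" (constructed labels)
    table: dict = field(default_factory=dict)  # source IP -> Server

    def pick(self, client_ip, cookies):
        """Persistence wins over the distribution method, but never over health."""
        pinned = None
        if self.persistence == "SOURCEIP":
            pinned = self.table.get(client_ip)
        elif self.persistence == "COOKIE":
            wanted = cookies.get(f"LB_{self.name}")  # cookie names the server
            pinned = next((s for s in self.servers if s.name == wanted), None)
        if pinned is not None:
            if pinned.healthy:
                return pinned
            self.table.pop(client_ip, None)  # a failed health check drops the pin
        up = [s for s in self.servers if s.healthy]
        if not up:
            return None                       # whole pool down: caller answers 503
        chosen = min(up, key=lambda s: s.active_conns)  # least connections
        if self.persistence == "SOURCEIP":
            self.table[client_ip] = chosen
        return chosen


def is_mobile(req):
    ua = req["headers"].get("User-Agent", "")
    return "Mobile" in ua or "Android" in ua


# Content-switching policies, evaluated in priority order; first match wins.
CS_POLICIES = [
    (lambda r: r["host"] == "api.example.com" and r["method"] == "POST", "api_pool"),
    (lambda r: r["url"].startswith("/static/"), "static_pool"),
    (is_mobile, "mobile_pool"),
    (lambda r: r["headers"].get("Accept-Language", "").startswith("de"), "de_pool"),
]
DEFAULT_POOL = "web_pool"


def content_switch(req):
    for predicate, pool in CS_POLICIES:
        if predicate(req):
            return pool
    return DEFAULT_POOL


def route(req, pools):
    """Return (pool name, server name or None); the chosen server gains a connection."""
    pool = pools[content_switch(req)]
    srv = pool.pick(req["client_ip"], req.get("cookies", {}))
    if srv is not None:
        srv.active_conns += 1
    return pool.name, None if srv is None else srv.name


def make_pools():
    return {
        "web_pool": Pool("web_pool", [Server("web1"), Server("web2")]),
        "api_pool": Pool("api_pool", [Server("api1"), Server("api2")], persistence="COOKIE"),
        "static_pool": Pool("static_pool", [Server("cdn1")], persistence="NONE"),
        "mobile_pool": Pool("mobile_pool", [Server("mob1"), Server("mob2")]),
        "de_pool": Pool("de_pool", [Server("de1")]),
    }


def scenario():
    """Constructed traffic showing switching, persistence and health-driven failover."""
    pools = make_pools()
    base = {"method": "GET", "host": "www.example.com", "url": "/", "headers": {}}
    out = []
    r1 = dict(base, client_ip="198.51.100.7")
    out.append(route(r1, pools))     # least connections picks web1
    r2 = dict(base, client_ip="198.51.100.8")
    out.append(route(r2, pools))     # web2 has fewer connections
    out.append(route(r1, pools))     # source-IP persistence: web1 again
    pools["web_pool"].servers[0].healthy = False   # monitor marks web1 down
    out.append(route(r1, pools))     # pin dropped, session moves to web2
    api = dict(base, method="POST", host="api.example.com", client_ip="203.0.113.5",
               cookies={"LB_api_pool": "api2"})
    out.append(route(api, pools))    # switched by host+method, cookie pins api2
    mob = dict(base, client_ip="203.0.113.9",
               headers={"User-Agent": "Mozilla/5.0 (Android 9; Mobile)"})
    out.append(route(mob, pools))    # switched by device type
    return out


if __name__ == "__main__":
    for pool, server in scenario():
        print(f"{pool:12s} -> {server}")
```

The order of the checks in `pick` is the point: a persistence entry that points at a server the monitor has marked down is discarded rather than followed, so a stale pin can never route a user into an outage.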
Global Application Availability
(Figure: B2C, B2B and P2P web app users on the Internet served from Site A and Site B)
Integrated Application Firewall
(Figure: Citrix NetScaler in front of the application infrastructure, behind the network firewalls; legitimate traffic is allowed through, application attacks are blocked)
• Blocks dozens of zero-day attack vectors
• Includes CSRF, XPath injection and XML attachment checks
• Bi-directional inspection: advanced attack prevention
• SSL traffic supported
• Sustained protection to 12 Gbps
• ICSA certified
NetScaler TriScale Technology
• Scale Up: elastic with "Pay-As-You-Grow". "Increase capacity up to 5x. Without additional hardware."
• Scale In: simple with "Many-In-One". "Up to 40 instances on one box."
• Scale Out: extensible with "Add-and-Go" clustering. "Megabits to terabits. Without downtime."
Scale In: NetScaler SDX
• Instances, not partitions
ᵒ Memory, CPU and SSL isolation
ᵒ Version/lifecycle independence
ᵒ Full isolation
ᵒ Separate routing domain
ᵒ Independent routing and IP stack
ᵒ Independent connection table, ACLs, etc.
• Network isolation
• Separate licensing and versioning
• Integrated service VM
• 3-40 instances on one platform
• Third-party support: hosting of third-party services on NetScaler SDX
Clustering
High scalability: management + performance
Any form factor: cluster VPX, MPX or SDX
True clustering: data and management plane
(Figure: one app running very fast versus many apps that are easy to manage; virtual appliance, hardware appliance, multi-tenant appliance)
Scale Out - clustering now also for SDX
• Clusters within a single SDX
• Clusters across instances
• One large system across multiple boxes (up to 32)
• Capacity can be expanded on demand
• High efficiency through active/active operation
• One image for configuration and management
• Health check framework / response sharing
• One VIP can span multiple boxes
Citrix NetScaler - the multi-function solution
NetScaler always has the same functionality, regardless of the platform.
Deployable anywhere: physical hardware, virtual software, and multi-tenant software on hardware (price/performance).
VIP Support: Striped & Spotted
(Figure: Internet clients reaching a large server farm through an N+1 NetScaler cluster at 400 Gbps with a striped VIP)
• Striped VIPs: functional modules on every node
• Spotted VIPs: run a specific function on specific nodes
• Not every module needs scalability
(Figure: spotted VIP for Action Analytics, spotted VIP for App Firewall)
Extended TriScale Cluster Functions
• Basic Networking
• OSPF
• RIP
• BGP
• VLAN
• ICMP
• Fragmentation
• MAC-Based Forwarding
• RNAT
• ACL
• Simple ACL
• PBR
• MSR
• Policy-based RNAT
• Content Switching
• DataStream
• DNS Load balancing
• Rate Limiting
• ActionAnalytics
• HTTP Callout
• HTTPS Callout
• AAA-TM
• Transparent LB
• GSLB
• FTP
• RTSP
• Compression Control
• Content Filtering
• TCP Buffering
• DDoS
• Client Keep-alive
• HDOSP/PQ/SC support
• Surge protection
• Policy Infrastructure (PE/PI)
• Rewrite
• Responder
• Integrated Caching
• Application Firewall
• XML XSM
• syslog and nsauditlog
• Path MTU Discovery
• IPv6 support
• Cache Redirection
• Web logging
• INAT
• IP-ID
• SNMP
• IP-IP tunneling
• IS-IS Routing
• Basic Load Balancing
• Load Balancing Persistency
• SIP
• Spillover
• SSL (PI policy)
Optimize Mobile Client Experience: Multi-path TCP
Using an app over a 3G link is great. App access is done over standard TCP connections. Until the access point changes: the TCP connection must reset, leading to access delays. Multi-path TCP solves this by using two TCP connections. NetScaler can then unite the data.
Optimizing XenMobile with NetScaler
Citrix - The Most Complete Mobile Portfolio
Requirements of the mobile enterprise: mobile device management, sandboxed mail and web, mobile app security, mobile data control, mobile network control, SSO and identity management, desktop and app virtualization, collaboration; value on investment (VOI).
NetScaler with XenMobile Integration
XenMobile Deployment Scenarios
1. Bastion host with simple config (LB, SSL, GUI)
2. Access control to mobile email (ActiveSync filter)
3. MDX / CloudGateway solution (CG + StoreFront + AG + XM)
Front-end Security
XenMobile Device Managers (XDMs)
How? NetScaler provides high availability and security, with built-in scalability.
Why? Provide complete security against external threats, scalable to over 100,000 concurrently connected users.
• Allow secured mobile devices
• Block jailbroken devices
• Help corporate compliance
Email Access Policy Controls with NetScaler and XNC
XenMobile MDM with XenMobile NetScaler Connector (XNC)
Why? Protects in-line Exchange ActiveSync access against unauthorized and/or compromised access to the enterprise mail servers, with seamless blacklist/whitelist control.
How? With tight XenMobile integration, NetScaler filters access to Microsoft Exchange based on DeviceID.
Scalable and Secure Access to Mobile Applications
XenMobile MDM and AppController
How? A full SSL VPN tunnel with NetScaler Gateway, and MicroVPN for app-level, policy-controlled tunneling for mobile apps and browser.
Why? Policy-driven access to corporate resources is essential, especially in BYOD.
Analytics: NetScaler Insight Center
(Figure: the NetScaler App Delivery Fabric serving mobile devices, virtual desktops, web apps, cloud services and data services; Action Analytics; NetScaler Command Center for management and orchestration; NetScaler Insight Center for visibility and control)
Achieving Application Visibility with NetScaler
(Figure: cloud, enterprise and desktop traffic)
Combining NetScaler with analysis tools:
• NetScaler generates a wealth of application visibility data by way of AppFlow™
• NetScaler Insight Center is the best way to view Citrix-specific data
(Figure: AppFlow data flowing to NetScaler Insight Center and to third-party analysis tools)
NetScaler Insight Center: HDX Insight (analytics for XenApp and XenDesktop) and Web Insight (analytics for enterprise applications)
NetScaler Insight Center - Web Insight: analytics for enterprise applications (fed by AppFlow)
• Break down detailed reporting on enterprise application use, even for SSL-encrypted traffic
• Correlate network metrics with application behavior
• Determine end-user experience without agents
NetScaler Insight Center - HDX Insight: analytics for XenApp and XenDesktop (fed by AppFlow)
• Gain visibility into end-user experience for virtual desktops, applications, and users for XenDesktop
• Correlate network data with application data with real-time metrics for effective troubleshooting
• Integrated with XenDesktop management tools
Integration with XenApp/XenDesktop Management
NetScaler Insight Center: visibility, correlation & analysis
(Figure: XenDesktop traffic through NetScaler; Director provides a single infrastructure view, HDX Insight adds network visibility and drill-down)
• Real-time visibility into the end-user experience from the packet to the application.
• Simplifies the transition from Web Interface to StoreFront from a single point of access.
• Secures XenDesktop from data leaks with tight integration and proper authentication of users.
• Single point of configuration to deploy the NetScaler solution for the XenDesktop infrastructure.
IPv6 Ready: NAT46, NAT64 / DNS64
Transition to an IPv6 infrastructure
Stateful address translation from IPv6 to IPv4
• Conversion of packet headers
• Uses the IP/ICMP algorithm per RFC6154
• Translates unicast packets with TCP, UDP and ICMP
(Figure: IPv6 network with DNS64 and NAT64 in front of an IPv4 network and web server)
Stateless translation from IPv4 to IPv6
• Integrated INAT table
• Translation of IPv4 clients to IPv6
• Responses from IPv6 resources are translated back to IPv4
(Figure: IPv4 network, INAT table, IPv6 network and web server)
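As an added example (not NetScaler code), the Python below shows the address arithmetic behind the two translation directions on this slide: DNS64 synthesizes an AAAA answer by embedding an IPv4 address in the well-known NAT64 prefix 64:ff9b::/96 (defined in RFC 6052, which the slide does not cite), NAT64 recovers the IPv4 destination from such an address and refuses to translate anything outside the prefix, and a small mapping class stands in for the INAT table in the stateless IPv4-to-IPv6 direction. All addresses are documentation ranges constructed for the example.

```python
import ipaddress

# Well-known NAT64 prefix from RFC 6052 (assumed here; the slide cites no prefix).
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def dns64_synthesize(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """DNS64: the AAAA answer an IPv6-only client receives for an IPv4-only host.
    With a /96 prefix the IPv4 address fills the low 32 bits of the IPv6 address."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 prefixes only")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def nat64_extract(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX):
    """NAT64 (stateful IPv6 -> IPv4): recover the embedded IPv4 destination.
    Returns None for addresses outside the prefix: that is native IPv6 traffic
    and must be forwarded, not translated."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


class InatTable:
    """Stateless IPv4 -> IPv6 mapping: one public IPv4 address stands for one
    IPv6-only server, and replies from that server are mapped back to IPv4."""

    def __init__(self):
        self._v4_to_v6 = {}

    def add(self, v4: str, v6: str) -> None:
        # normalise both sides so lookups do not depend on textual form
        self._v4_to_v6[str(ipaddress.IPv4Address(v4))] = str(ipaddress.IPv6Address(v6))

    def forward(self, v4_dst: str):
        """Client -> server: the IPv4 destination becomes the IPv6 server address."""
        return self._v4_to_v6.get(str(ipaddress.IPv4Address(v4_dst)))

    def reverse(self, v6_src: str):
        """Server -> client: the IPv6 source becomes the public IPv4 address."""
        wanted = str(ipaddress.IPv6Address(v6_src))
        for v4, v6 in self._v4_to_v6.items():
            if v6 == wanted:
                return v4
        return None


if __name__ == "__main__":
    aaaa = dns64_synthesize("192.0.2.33")            # constructed IPv4-only host
    print("DNS64 synthesized:", aaaa)
    print("NAT64 destination:", nat64_extract(aaaa))
    print("native IPv6, untouched:", nat64_extract("2001:db8::1"))
    inat = InatTable()
    inat.add("203.0.113.10", "2001:db8::10")
    print("INAT forward:", inat.forward("203.0.113.10"),
          "reverse:", inat.reverse("2001:db8:0::10"))
```

The prefix membership test in `nat64_extract` is the check that matters operationally: a translator that rewrites destinations outside its configured prefix would corrupt native IPv6 traffic, so only synthesized addresses are ever translated.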
NetScaler as Authentication Point
(Figure: NetScaler with AAA module and single sign-on in the DMZ, in front of XenApp & XenDesktop, Exchange, SharePoint, web services, licensing, fileserver and SQL; authentication backends DNS, RADIUS and LDAP)
NetScaler Access Control
NetScaler is the authentication point in the DMZ:
• User authentication (reverse proxy) via certificate, OTP, LDAP
• Termination of HTTP, ICA, SQL and SSL VPN tunnels
• Inspection of HTTP traffic with web application firewall rules
• Kerberos Constrained Delegation (KCD) based on client certificates
• SAML 2.0
• Dynamic CRL checking and issuer validation
NetScaler Access Control
Client-side authentication and the server-side authentication it can be mapped to (Kerberos Constrained Delegation; HTTP Basic, Digest, NTLM):
Non-Kerberos
• SAML: Kerberos Constrained Delegation
• NTLM version 1: Kerberos Constrained Delegation
• NTLM version 2: Kerberos Constrained Delegation
• CAC (smart card) at the SSL/TLS layer: Kerberos Constrained Delegation
• HTTP Basic: Kerberos Constrained Delegation; HTTP Basic, Digest, NTLM
• Form-based: Kerberos Constrained Delegation; HTTP Basic, Digest, NTLM
Kerberos
• Kerberos: Kerberos Constrained Delegation
Application Delivery Controllers Powering Cloud, Mobile and Data Networks
(Figure: cloud infrastructure and enterprise datacenter; availability & performance, security & analytics, cloud scale, infinite flexibility: any user, any device, any location, any application, any data / information)
Work better. Live better.
Application Layer Security
Automatic Signature Updates for App Firewall
1. Enable signature protection
2. Tune / auto-update signatures
3. Enable advanced security
4. Tune security policies
Comprehensive application protection:
• Auto update of signatures from cloud-based services
• Simplifies detection of known application vulnerabilities
• Shortens the Application Firewall deployment cycle
• Signatures based on public vulnerability databases (e.g. Snort, CVE, Bugtraq, etc.)
Vulnerability Scanner Integration: IBM AppScan and WhiteHat
• Run periodic scans of the protected website
• Import the result files into NetScaler
Front End Optimization
(Figure: caching, stream optimization, image optimization, payload reduction, mobile video optimization)
SAML 2.0
• XML-based standard for exchanging authentication information
• Better security compared to a cookie-based approach
• Treated as the authentication protocol for the cloud
• Solves the SSO problem at the web browser layer
• Logical security domain
• Identity provider (producer of assertions)
• Service provider (consumer of assertions)
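As an added example (not NetScaler code), here are the checks the service provider, the consumer of assertions named above, has to apply to a SAML 2.0 assertion after its XML signature has been verified: trusted issuer, validity window with a clock-skew allowance, audience restriction, and a replay cache of assertion IDs. The assertion text, entity IDs and user are constructed; signature verification is assumed to have already been done by an XML-DSig library and is not implemented here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned assertion that only drives the checks below.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T10:00:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def saml_time(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses (xs:dateTime with a trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ServiceProvider:
    """Trust configuration of the assertion consumer plus a replay cache.
    Precondition: the assertion's XML signature has already been verified against
    the IdP certificate by an XML-DSig library (not implemented in this example)."""

    def __init__(self, trusted_issuer: str, entity_id: str, skew=timedelta(seconds=60)):
        self.trusted_issuer = trusted_issuer
        self.entity_id = entity_id
        self.skew = skew
        self.seen_ids = set()       # assertion IDs already accepted once

    def validate(self, xml_text: str, now: datetime):
        """Return (accepted, reason or authenticated subject)."""
        root = ET.fromstring(xml_text)
        if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
            return False, "not an assertion"
        if root.findtext("saml:Issuer", namespaces=SAML_NS) != self.trusted_issuer:
            return False, "untrusted issuer"
        cond = root.find("saml:Conditions", namespaces=SAML_NS)
        if cond is None:
            return False, "missing conditions"
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < saml_time(not_before) - self.skew:
            return False, "not yet valid"
        if not_on_or_after and now >= saml_time(not_on_or_after) + self.skew:
            return False, "expired"
        audiences = [a.text for a in cond.findall(".//saml:Audience", namespaces=SAML_NS)]
        if self.entity_id not in audiences:
            return False, "audience mismatch"   # issued for a different SP
        assertion_id = root.get("ID")
        if not assertion_id or assertion_id in self.seen_ids:
            return False, "replayed assertion"
        self.seen_ids.add(assertion_id)
        subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
        return True, subject


if __name__ == "__main__":
    sp = ServiceProvider("https://idp.example.com/metadata", "https://sp.example.com/saml")
    print(sp.validate(ASSERTION, saml_time("2024-01-15T10:02:00Z")))  # (True, 'alice@example.com')
    print(sp.validate(ASSERTION, saml_time("2024-01-15T10:02:00Z")))  # (False, 'replayed assertion')
    print(sp.validate(ASSERTION, saml_time("2024-01-15T10:07:00Z")))  # (False, 'expired')
```

The replay cache is what turns the short validity window into an actual defence: within the window an intercepted assertion would otherwise be accepted again. In production the cache is shared across SP nodes and entries are expired at NotOnOrAfter plus skew, and the XML should be parsed with a hardened parser (for example defusedxml) rather than the stdlib module used here.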