NetScaler 10

Overview

NetScaler 10.5 delivers a high quality mobile experience inservice provide and enterprise cloud environments.

NetScaler 10.5

2

Desktops

Daten

BYO

Mobility

Unternehmens-

Apps

SaaS Apps

Mobility und Cloud Services verändern die

Datacenter Netzwerke

10.5 – Cloud Services und Mobility Support

Cloud-fähige

Services PlatformVerteilte Apps sorgen für

Bruch beim App

Monitoring Cloud-

fähige Visibility Tools

BYOD verändert die

Client Anforderungen

Optimierung für

mobile Geräte

Layer 4 Load Balancing

• Source IP

• Cookie

• SSL Session ID

• Server-ID in URL Query

• Customer Server-ID

• Token (header or body)

Maintaining UserSessions

Distributing Traffic

• Least Connections

• Lowest Response Time

• SNMP-based

• IBM SASP

• Hash-based

• Many more…

Monitoring Server Health and Availability

• TCP Connection

• HTTPS Connection

• Extended Content Verification

• Scriptable Health Checks

TCP and UDP Client Requests

Content Switching: Load Balancing on Steroids

HTTP Requests

•Anything in request body

•Device Type

•Language

•Cookie

•Browser Capability

Client Attributes

• Any TCP Request

• HTTP Get

• HTTP Post

Request Protocol

Request Method

•Any TCP payload value

•Any HTTP payload value

•Domain

•Wildcard URL

B2C

B2B

Global Application Availability

P2P

Site B

Site A

InternetWeb App Users

Legitimate traffic allowed through

Application Attacks Blocked

Citrix NetScalerApplicationInfrastructure

Network Firewalls

Integrated Application Firewall

Blocks dozens of day zero attack vectors

Includes CSRF, xPath Injection, XML attachment checks

Bi-directional inspection: advanced attack prevention

SSL traffic supported

Sustained protection to 12 Gbps

ICSA certified

NetScaler TriScale Technologie

Scal

e U

p

Scale Out

Elastisch mit „Pay-As-You-Grow“

Einfach mit„Many-In-One“

Erweiterbar mit„Add-and-Go“ Clustering

“Kapazität bis zu 5x steigern. Ohne zusätzliche Hardware.“

“Megabits zu Terabits. Ohne Downtime.”

“Bis zu 40 Instanzen auf einer Box.“

NetScaler mit TriScale Technology

Scale In: NetScaler SDX

• Instanzen, keine Partitionen

ᵒ Memory, CPU, SSL Isolation

ᵒ Version/Lifecycle Unabhängigkeit

ᵒ Vollständige Isolation

ᵒ Separate Routing Domain

ᵒ Unabhängiges Routing, IP Stack

ᵒ Unabhängige Connection Table, ACLs, etc.

• Netzwerk Isolation

• Separate Lizensierung und Versionierung

• Integrierte Service VM

• 3-40 Instanzen auf einer Plattform

3rd Party Support

Hosting von 3rd Party Services

3rd-Party Support auf NetScaler SDX

Clustering

Hohe Skalierung:Management + Performance

Jeder Form-Faktor:

Cluster VPX, MPX, oder SDXEchtes Clustering:

Data und Management Plane

1 App

Sehr schnell

Viele Apps

Einfach zu

managen

App App

App

App

App App

AppApp

App

App

AppApp

AppApp

App

App

App

App

App

App

App

App

App

AppApp

AppApp

App

App

App

App

App

VirtualAppliance

HardwareAppliance

Multi-tenantAppliance

14

Clusters within a single SDX Clusters across instances One large system across multiple boxes (up to 32).

• Kapazität kann nach Bedarf erweitert werden• Hohe Effizienz durch Active/Active Betrieb• Ein Image für Konfiguration und Management• Healthcheck Framework / Response sharing• Ein VIP kann mehrere Boxen umfassen

Scale Out – Clustering jetzt auch für SDX

Cluster auf einer einzelnen SDX

Cluster über Instanzen hinweg

Ein großes System über versch. Boxen (bis zu 32)

Citrix NetScaler – die Multifunktionslösung

NetScaler hat immer die gleiche Funktionalität –unabhängig von der Plattform

Überall einsetzbar

VirtuelleMulti-Mandanten

PlattformPreis-Performance

Physische

Hardware Software Software auf Hardware

Große Server Farm

Server

Server

Server

Server

Server

Server

Internet Clients

400 Gbps400 Gbps

N+1 NetScaler Cluster S

trip

ed V

IP• Striped VIPS: funktionale Module auf jedem Knoten

• Spotted VIPs: spez. Funktion auf spez. Knoten laufen lassen

• Nicht jedes Modul braucht Skalierbarkeit

Spotted VIPAction

Analytics

Spotted VIPApp Firewall

VIP Support: Striped & Spotted

Erweiterte TriScale Cluster Funktionen

• Basic Networking

• OSPF

• RIP

• BGP

• VLAN

• ICMP

• Fragmentation

• MAC-Based

Forwarding

• RNAT

• ACL

• Simple ACL

• PBR

• MSR

• Policy-based RNAT

• Content Switching

• DataStream

• DNS Load balancing

• Rate Limiting

• ActionAnalytics

• HTTP Callout

• HTTPS Callout

• AAA-TM

• Transparent LB

• GSLB

• FTP

• RTSP

• Compression Control

• Content Filtering

• TCP Buffering

• DDoS

• Client Keep-alive

• HDOSP/PQ/SC support

• Surge protection

• Policy Infrastructure (PE/PI)

• Rewrite

• Responder

• Integrated Caching

• Application Firewall

• XML XSM

• syslog and nsauditlog

• Path MTU Discovery

• IPv6 support

• Cache Redirection

• Web logging

• INAT

• IP-ID

• SNMP

• IP-IP tunneling

• IS-IS Routing

• Basic Load Balancing

• Load Balancing

Persistency

• SIP

• Spillover

• SSL (PI policy)

Optimize Mobile Client ExperienceMulti-path TCP

Using an app over a 3G

link is great. App access

is done over standard

TCP connections.

Until the access point

changes. The TCP

connection must reset

leading to access delays.

Multi-path TCP solves

this by using two TCP

connections. NetScaler

can then unite the data.

Optimizing XenMobile

with NetScaler

Citrix — The Most Complete Mobile Portfolio

Mobile Device

Management

Sandboxed

Mail and Web

Mobile App

Security

Mobile Data

Control

Mobile Network

Control

SSO and Identity

Management

Desktop

and App

Virtualization

Collaboration

Value on Investment (VOI)

Requirements of the Mobile Enterprise

Netscaler with XenMobile Integration

XenMobile Deployment Scenarios

1 2 3

Bastion Host

w/ Simple Config(LB, SSL, GUI)

Access Control to

Mobile Email(ActiveSync Filter)

MDX / CloudGateway

Solution(CG + StoreFront + AG +

XM)

23

Front-end Security

24

XenMobile Device Managers (XDMs)

NetScaler provides High Availability, Security with built in ScalabilityHow?

Provide complete security against external threats – scalable to over 100,000 concurrently connected usersWhy?

Allow Secured Mobile devices

Block Jailbroken devices

Help corporate compliance

Email Access

Policy Controls with

NetScaler and XNC

XenMobile MDM w/

XenMobile NetScaler Connector (XNC)

Protects In-line Exchange ActiveSync access against unauthorized and/or compromised access to the enterprise mail servers, with seamless blacklist/ whitelist control

Why?

With tight XenMobile integration, NetScaler filter access to Microsoft Exchange based on DeviceIDHow?

25

Scalable and Secure Access to Mobile Applications

XenMobile MDM

AppController

Full SSL VPN tunnel with NetScaler Gateway and MicroVPN for app-level policy controlled tunneling for mobile apps and browseHow?

Policy-driven access to corporate resources are essential especially in BYOD Why?

26

Analytics: NetScaler Insight

Center

Mobile Devices

Virtual desktops

Web apps

Cloud services

Data services

Action Analytics

NetScaler App

Delivery Fabric

Netscaler Command CenterManagement and Orchestration

NetScaler Insight CenterVisibility and Control

Achieving Application Visibility with NetScaler

Cloud

Enterprise

Desktop

Combining NetScaler with Analysis Tools

NetScaler generates a wealth of application visibility data by way of AppFlow™

NetScaler Insight Center is the best way to view Citrix-specific data

NetScaler Insight

Center

3rd Party

Analysis Tools

NetScaler Insight Center

HDX

Insight

Web

Insight

Analytics for XenApp and XenDesktop

Analytics for enterprise applications

NetScaler Insight Center

• Break down detailed reporting on enterprise application

use, even for SSL encrypted traffic

• Correlate network metrics with application behavior

• Determine end user experience without agents

NetScaler Insight Center

AppFlow

Web

Insight Analytics for Enterprise Applications

Analytics for XenApp and XenDesktopHDX

Insight

NetScaler Insight Center

• Gain visibility into end user experience for virtual

desktops, applications, and users for XenDesktop

• Correlate network data with application data with

real-time metrics for effective troubleshooting

• Integrated with XenDesktop management tools

AppFlow

Integration with XenApp/XenDesktop Management

33

NetScaler Insight Center Visibility, Correlation & Analysis

Director

NetScaler

XenDesktop Traffic

Single Infrastructure ViewDirector

Network VisibilityDrill Down

HDX Insight

Real-time visibility into the end-userexperience from the packet to the application.

Simplifies the transition from Web Interface toStoreFront from a single point of access.

Secures XenDesktop from data leaks with tightintegration and proper authentication of users.

Single point of configuration to deploy NetScaler solution for XenDesktop Infrastructure

NAT46NAT64 / DNS64 IPv6 Ready

Übergang zur IPv6 Infrastruktur

Adress Umsetzung (stateful) von IPv6 zu Ipv

• Konvertierung von Paket Headern

• Nutzt IP/ICMP Algorithmus mittels RFC6154

• Übersetzt Unicast-Pakete mit TCP, UDP und ICMP

Web Server

IPv6 IPv4

IPv4IPv6 IPv4 NetzwerkIPv6 Netzwerk DNS64 NAT64

Umsetzung (stateless) von IPv4 zu IPv6

• Integrierte INAT Tabelle

• Umsetzung der IPv4 Clients zu IPv6

• Responses von IPv6 Ressourcen werden auf Pv4

umgesetzt

WebServer

INAT Table

IPv4 IPv6

IPv6IPv4IPv4 NetzwerkIPv6 Netzwerk

NetScaler als

Authentifizierungsstelle

XenApp & XenDesktop

Exchange

SharePoint

DNSRADIUS

LDAP

Web Services

Licensing

NetScaler Access Control

NetScaler ist Authentisierungspunkt in der DMZ• Benutzer Autentifizierung (ReverseProxy) mittels Zertifikat, OTP, LDAP

• Terminierung von HTTP, ICA, SQL und SSL VPN Tunnel

• Überprüfung von HTTP Traffic mittels Web App Firewall Regeln

• Kerberos Constrained Delegation (KCD) basierend auf Client Zertifikaten

• SAML 2.0

• Dynamic CRL checking und Issuer Validierung

Fileserver

SQL

AAA ModuleSingle

Sign On

D M Z

NetScaler Access Control

Client Side Authentication Server Side

AuthenticationKerberos

HTTP – Basic,

Digest, NTLM

Constrained

Delegation

Non-Kerberos SAML X

NTLMVersion 1 X

Version 2 X

CAC (Smart Card): at SSL/TLS

Layer

X

HTTP Basic X X

Form-based X X

Kerberos Kerberos X

Cloud Infrastructure

Enterprise Datacenter

Application Delivery Controllers Powering Cloud, Mobile and Data Networks

Availability &

Performance

Infinite Flexibility

Any User

Any Device

Any Location

Any Application

Any Data / Information

Security &

AnalyticsCloud Scale

Work better. Live better.

Application Layer Security

Automatic Signature Updates for App Firewall

Enable Signature Protection

1.

Tune/Auto Updated

Signatures

2.

Enable Advanced Security

3.

Tune Security Policies

4.

Comprehensive Application Protection

• Auto update of signatures from cloud-based services

• Simplifies detection against known application vulnerabilities

• Shortens Application Firewall deployment cycle

• Signatures based on public vulnerability databases (e.g. Snort, CVE, Bugtraq, etc.)

Vulnerability Scanner IntegrationIBM AppScan and Whitehat

Protected website

Run periodic scans

Import files into NetScaler

NAT46NAT64 / DNS64 IPv6 Ready

Übergang zur IPv6 Infrastruktur

Adress Umsetzung (stateful) von IPv6 zu Ipv

• Konvertierung von Paket Headern

• Nutzt IP/ICMP Algorithmus mittels RFC6154

• Übersetzt Unicast-Pakete mit TCP, UDP und ICMP

Web Server

IPv6 IPv4

IPv4IPv6 IPv4 NetzwerkIPv6 Netzwerk DNS64 NAT64

Umsetzung (stateless) von IPv4 zu IPv6

• Integrierte INAT Tabelle

• Umsetzung der IPv4 Clients zu IPv6

• Responses von IPv6 Ressourcen werden auf Pv4

umgesetzt

WebServer

INAT Table

IPv4 IPv6

IPv6IPv4IPv4 NetzwerkIPv6 Netzwerk

Front End Optimierung

Optimierung Optimierung

Caching

Stream OptImage

Optimierung

Payload

ReduzierungMobile

Video

• XML based standard for exchanging auth information

• Better security as compared to cookie based approach

• Treated as authentication protocol for the Cloud

• Solves the SSO problem at Web browser layer

• Logical security domain• Identity provider (producer of assertions)

• Service provider (consumer of assertions)