Citrix ADC TDM
JULY 1, 2020
© 2017 Citrix | Confidential
Citrix is unifying our portfolio
Throughout 2018, you will see exciting changes as we unify our product portfolio. As we make it easier to use Citrix products, we're also making it
easier to understand the value of our solutions with new names. We’re devoted to simplifying the way you experience Citrix Digital Workspace,
Citrix Networking, and Citrix Analytics solutions to deliver secure and personalized experiences with the choice and flexibility that fit your business
needs. Content may contain both former and new names in key locations, in an effort to familiarize you with the new portfolio.
To learn more about name and product transitions, visit this product guide on Citrix.com.
Our Goal
Create awareness and understanding of portfolio changes to gain adoption of our new solutions, while preserving the equity of old names as long
as necessary.
Strategy
Connect new names to the new experience, using old names as reassurance and touchstone, until the new map of Citrix is so compelling we’ve
moved beyond the old names.
Key changes:
• Citrix ADC: transitioning from NetScaler ADC
• Citrix SD-WAN: transitioning from NetScaler SD-WAN
• Citrix Application Delivery Management: transitioning from NetScaler Management and Analytics System (MAS)
• Citrix Secure Web Gateway: transitioning from NetScaler Secure Web Gateway
• Citrix Web App Firewall: transitioning from NetScaler App Security and NetScaler App Firewall
• Citrix Gateway: transitioning from NetScaler Unified Gateway and NetScaler Access Gateway
• Citrix Workspace app: a new mobile, web, and desktop experience bringing together all the apps and files you need to work
• Citrix Virtual Apps: transitioning from XenApp
• Citrix Virtual Desktops: transitioning from XenDesktop
• Citrix Content Collaboration: transitioning from ShareFile
• Citrix Endpoint Management: transitioning from XenMobile
Agenda
• Introduction
• HA and Clustering
• SDX
• Admin Partitions
• Traffic Management
• SSL
• Networking
• Optimization
• Action Analytics
What is Citrix ADC
Citrix ADC has been powering Enterprise and Ecommerce applications since 2002.
[Diagram labels: Performance, Offload, Security, Availability; Load Balancing, Acceleration, Security, SSL, Optimization, Availability, Performance]
The Details
Platforms: SDX, MPX, VPX, CPX, BLX
Pay-As-You-Grow
Editions: Standard, Advanced, Premium
[Diagram: Citrix ADC between clients and IaaS, SaaS and gateway services (S1–S3, A1–A3), carrying FTP, SQL, HTTP, HTTPS, DNS, TCP, UDP and AD traffic]
Optimization
• SSL Offload
• TCP Offload
• TCP Buffering
• Surge Protection
• Compression
• Caching
• Web Logging
• HTTP 2.0
• Client Keep-Alive
• SACK/Nagle's
• TCP Westwood+
Security
• SSL Offload
• L4-7 ACL
• Network ACLs
• DoS Protections
• Rewrite + Responder
• Rate Limiting
• SSL VPN
• AAA for App Traffic
• Application Firewall
• Citrix Gateway
Availability
• Load Balancing (SLB)
• N+1 Clustering
• L4-7 Request Switching
• Advanced Health Checks
• Content Switching
• Cache Redirection
• Global Load Balancing (GSLB)
• Dynamic Routing / PBR
• HTTP Callout
• Citrix ADC DataStream
Management & Visibility
• CLI/GUI
• Nitro REST API
• PowerShell
• MS SCVMM / MS SCOM
• AppFlow
• Syslog
• SNMP
• AppExpert Policies
• Citrix ADC DataStream
Scale Up, Scale Out
• Elasticity with Pay-As-You-Grow: “Grow capacity up to 5x. No new hardware.”
• Simplicity with Many-in-One: “80:1 footprint reduction. No compromises.”
• Expandability with Add-and-Go Clustering: “Better HA than HA. Scalability to Tbps.”
High Availability & Clustering
Clustering for High Availability
“Need to upgrade a server or Citrix ADC… with no downtime?”
Traditional HA
An Active/Passive pair of Citrix ADCs
[Diagram: Primary and Secondary Citrix ADC between the External Network and the Internal Network]
Citrix ADC High Availability (HA) Essentials
• HA is only Active/Standby
– The Citrix ADC GUI and CLI refer to this as Primary/Secondary
• Citrix ADC supports 2 modes
– Configuration Synchronization: configs are synced at device start and prior to a state change.
– Command Propagation: commands are synchronized at the time of execution from the Primary to the Secondary unit
• Communication
– HA communication is on UDP port 3003, and 5 UDP packets are sent every second
– Communication ONLY happens between the NSIPs of both Citrix ADCs
– Both Citrix ADCs must be on the same build (both Major and Minor) for Synchronization and Propagation
– HA communication is on all Enabled interfaces. Turn -hamon OFF on all unused interfaces
Citrix ADC HA Tips and Tricks
• HA Selection Criteria
– If the state is the same, the lower IP address is selected as Primary
– If the state is different (i.e. UP vs Not UP), the UP node becomes Primary
– Best Practice: Add the secondary node as Not Up (i.e. have unconnected interfaces Enabled with HAMON ON)
• Layer 2 on a Failover
– In the event of a failover the new Primary will send a Gratuitous ARP
– Virtual MACs can be configured on the Citrix ADC
– Best Practice: Use Virtual MACs (VMACs), a floating MAC shared between both devices
• Other Useful Information
– A command can be used to force a preemption, or to mark a unit primary or secondary
– Additionally, a failover or synchronization can be forced with a command from a Citrix ADC
Why Clustering?
• Efficient utilization
• Elegant solution to scale up traffic
• Dynamic capacity
• Ease of management and configuration
• Satisfies the same requirements as HA
– Configuration replication
– Fault tolerance
[Diagram: an Active/Passive pair compared with up to 32x Active nodes]
Citrix ADC Cluster
Facts
• Cluster of Citrix ADC nodes
• Can be formed with 2 to 32 nodes
• Single system image for the end user
• Built on Citrix ADC nCore architecture
• No chassis or new hardware required
• Dynamic changes permitted
Benefits
• Provides linear scalability
• Higher throughput
• Configuration scalability
• Built-in fault tolerance
• Active-Active support
• Active-Standby support
Clustering
• Scale: Performance + Redundancy
• Any form factor: cluster VPX, MPX, or SDX
• True clustering: data and management plane
[Diagram: scale for speed and scale for redundancy across virtual, hardware and multi-tenant appliances]
Cluster logical topology
CCO: Configuration coordinator
• Syncs configuration
• Propagates commands
• Syncs files
Cluster IP
• Owned by the CCO
• Used for management
Clustering Deployment Types
ECMP
[Diagram: each node advertises VIP/32 (Node0, Node1, Node2, Node3); the flow receiver node steers the flow to the flow processor node]
CLAG
ARP request: CIP:CMAC -> VIP:broadcast
ARP reply: VIP:CLAGMAC -> CIP:CMAC
CLAG MAC: 02-00-6f-<cluster ID>-00-00
CLAG cont.
LinkSet
ARP request: CIP:CMAC -> VIP:broadcast
ARP reply: VIP:ARP_OWNER_MAC -> CIP:CMAC
Distribution Mechanisms Comparison
ECMP
• Upstream device connectivity: all nodes must be connected. It can be used in combination with Link Sets
• Upstream device configuration: YES
• Pros: best traffic distribution
• Cons: routes are limited to the maximum number supported by the router
Link Sets
• Upstream device connectivity: does not require all nodes to be connected
• Upstream device configuration: NO
• Pros: transparent to the upstream device
• Cons: potential bottleneck; each VIP is initially handled by only one node
CLAG
• Upstream device connectivity: all nodes must be connected. It can be used in combination with Link Sets
• Upstream device configuration: YES
• Pros: better traffic distribution
• Cons: the number of switch ports used can be a limitation
Upgrading the Cluster
How is that possible?
• Upgrade one node at a time
Wouldn’t that take down the cluster?
• No. Different versions can join the cluster
• Node reboots – sessions redistributed
• Command propagation disabled
Is this documented?
• Yes. http://bit.ly/1QBqbp0
Clustering: Graceful Handling – Node Leave & Join
• Graceful Handling
– Remove a node without affecting the existing connections
– Take a node out of the cluster for operational purposes
– Add a new node to the cluster without impacting existing connections
• Forwarding Session process-local Support & Additional Process-local configuration
– add/set forwardingSession <name> [-processLocal ( ENABLED | DISABLED )]
– Traffic hitting a particular forwarding session will *NOT* be steered
– Deployment guarantees that return traffic lands on the same node
• IPv6 Ready Logo
• VRRP6
SDX
Citrix ADC SDX
• Multi-tenant Citrix ADC
– Up to 115 instances
– Version independent
– Zero performance loss
• Customer Value
– Network consolidation
– Hardware sensibilities; virtualization benefits
– Support for 3rd party components
PCI DSS validation
“When properly deployed… Citrix ADC SDX will meet the following PCI DSS version 2.0 requirements, including deployments with in-scope and out-of-scope VPX instances running on the same SDX appliance.”
Citrix ADC SDX
• Complete appliance instance per tenant
– Complete CPU, memory, and SSL isolation
– Independent entity spaces
– Independent versioning
– Independent maintenance schedule
• Complete Network Isolation
• No performance degradation
SDX Device-level Resource Pools
• Define SDX device resource pools
– Set CPU, SSL, Memory, Network
– Create pool administrators
• Pool administrators
– Only have access to their pools
– Can create/delete instances as they see fit
– Can allocate pool resources as they see fit
– Have visibility only into their pools
Details
Full ADC Functionality – Citrix ADC SDX supports 100 percent of the ADC functionality available with both hardware-based Citrix ADC MPX appliances and software-based Citrix ADC VPX virtual appliances. This enables Citrix ADC SDX to consolidate all existing ADC deployments without any policy constraints.
Complete ADC Isolation – All critical system resources, including memory, CPU and SSL processing capacity, are assigned to individual Citrix ADC instances. This ensures that resource demands made by one tenant do not negatively impact the performance of other tenants running on the same physical system. It also provides greater security for each ADC instance by providing full separation of traffic flows.
Each Citrix ADC instance on SDX has its isolation provided by virtualization technologies – we use Citrix Hypervisor, which isolates CPU, memory…
For hardware acceleration of both networking and crypto, we use SR-IOV technology, which provides similar isolation in hardware. Cavium N3 devices don’t have a standard mailbox for VF-PF communication but use a Cavium proprietary mailbox method, which implements a randomly generated 15-bit signature unique per VF, thus making VF-PF communication highly secure.
Pay-As-You-Grow – The Pay-As-You-Grow option delivers on-demand elasticity, enabling organizations to easily scale ADC capacity to keep pace with application traffic growth. And because it leverages a software-based architecture, Citrix ADC SDX can scale performance and capacity with a simple software key, eliminating expensive hardware purchases and upgrades.
Simplified Image Upgrade
User Experience - Initial Configuration
User Experience - New Dashboard
User Experience - Provision Citrix ADC
Comparative summary of Citrix ADC Solutions
Citrix ADC MPX
• Form factor: hardened network appliance
• ADC density: 1
• Performance: up to 200 Gbps
• Full ADC functionality: ✔
• Pay-As-You-Grow: ✔
Citrix ADC VPX
• Form factor: software-based virtual appliance
• ADC density: 1
• Performance: up to 100 Gbps
• Full ADC functionality: ✔
• Pay-As-You-Grow: ✔
Citrix ADC SDX
• Form factor: hardened network appliance
• ADC density: up to 115
• Performance: up to 200 Gbps
• Full ADC functionality: ✔
• Pay-As-You-Grow: ✔
VPX Scaling
• Motivation
– Enable HW RSS for Fortville interfaces
– Enable users to provision VPX using maximum resources from SDX
• Solution
– SVM allows VPX with 16 and 10 cores on 25xxx 40G and 14xxx 40G appliances
– SVM enables VPX to use cores from both sockets
Admin Partitions
Key Use Cases
Enterprise
• IP overlapping
• Virtual Routing
• Entity space separation
• 1 admin – multiple Partitions
• Inter partition access
• Authentication
Service Provider
• GUI/CLI/API/Mon Separation
• Config/SNMP/Logs Separation
• Conn/Tput/Mem Separation
• Entity space Separation
• RBAC within Partition
• IP overlapping
Cloud
• Most Others
• API driven definition
• Integration with Orchestration layer
Citrix ADC Without Partition
Citrix ADC With Partition
Complete Separation
[Diagram: user plane, data plane and network plane separated per admin partition, each with its own Citrix ADC.conf, audit logs, SNMP, debugging and file system]
Traffic Management
Citrix ADC – Meets traditional ADC needs
• High availability
• Geographical failover for disaster recovery
• Secure remote access
• Increased performance and efficiency through server offload, caching and compression
Load balancing and GSLB with Citrix ADC
• Load Balancing
– Smooths out demand across all available servers
– Health monitoring of local resources
– Provides high availability if a server fails
– Sessions seamlessly transferred to an alternative server
• Global Server Load Balancing
– Allows for disaster recovery – provides HA between sites
– Load balancing across geo locations
– Optimizes performance across locations, sending users to the best-performing source
Layer 7 load balancing
• Provides the intelligence to always direct each request to the right server resource
• Continuously monitors the health of application and web servers
• Present different content to different users; can be based on IP range, geographical area, language, or device used
[Diagram labels: Balancing, Switching, Citrix ADC, “Airgap”, Citrix ADC]
Load Balancing
TCP and UDP Client Requests
Maintaining User Sessions
• Source IP
• Cookie
• SSL Session ID
• Server-ID in URL Query
• Custom Server-ID
• Token (header or body)
Distributing Traffic
• Least Connections
• Lowest Response Time
• SNMP-based
• IBM SASP
• Hash-based
• Many more…
Monitoring Server Health and Availability
• TCP Connection
• HTTPS Connection
• Extended Content Verification
• Scriptable Health Checks
L7 Content Switching
HTTP Requests
• Anything in request body
• Device Type
• Language
• Cookie
• Browser Capability
• XML XPath support
Client Attributes
• Any TCP Request
• HTTP Get
• HTTP Post
Request Protocol
Request Method
• Any TCP payload value
• Any HTTP payload value
• Domain
• Wildcard URL
Global Server Load Balancing
• Operates under the same general principles as Load Balancing
• Load balance traffic between multiple data centers
• Evaluate server health to distribute traffic
• Works via DNS
Use Case: Maintain business continuity during site level disasters
[Diagram: Global Server Load Balancing between Site A and Site B for B2B, B2C and P2P traffic, with remote, public or private clients]
Content Switching Virtual Server Support for GSLB
Introduction
• Current GSLB Deployment Limitations:
– Cannot limit the number of GSLB services for selection
– Limited support for selecting a service on the basis of traffic
– Separate GSLB backup vserver for a subset of GSLB services
• Feature Support:
– Limiting the number of services on the basis of CS policy/traffic type
– Can define a separate backup vserver for every GSLB vserver
Citrix ADC and SQL
• Citrix ADC allows better scalability – scale-out rather than scale-up
• Lower costs by using more, smaller servers
• Improved availability of data
• Intelligent load balancing and content switching – Citrix ADC can parse SQL
• Reduced CPU usage = lower license costs
• Citrix ADC reduces CPU usage of SQL Servers
• Caching means fewer requests need to go to the SQL Servers
• Citrix ADC handles the encryption, taking load off the servers
• Improved user experience from reduced data retrieval latency
DataStream
[Diagram: application servers load balanced by Citrix ADC across a pool of SQL Servers]
1. SQL-intelligent load balancing
2. Offloads database connections
3. Up to 20x increase in performance
4. HA and Disaster Recovery
5. MS SQL Server and MySQL support
Citrix Exclusive. Competition offers no policy controls, no performance improvements.
Why Citrix ADC for Exchange 2013?
Delivering Microsoft Applications
• Business critical applications
• Availability is enhanced through load balancing
• Improved security
• Secure access required over SSL – often internally as well
• Application firewall protection
• Simple deployment via templates, including Hyper-V
• Small deployments benefit from VPX
• Mobile access to email via native apps
• Reduced load on server – do more with existing servers
[Diagram labels: Availability, Performance, User Experience, Security]
Reduced Load on Servers
Supports greater user capacity and more apps with minimal investment
[Diagram: SSL traffic from employees, partners and customers]
• SSL Offload
• TCP Multiplexing and Buffering
• Static and Dynamic Caching
• HTTP Compression
L7 SLB Extensions
• Protocol Extensions – the feature to provide custom protocol support on Citrix ADC using extensions.
• Extensions on Citrix ADC refer to the high-level scripting infrastructure available on Citrix ADC.
• Support for TCP-based protocols
• To add a custom protocol to Citrix ADC, users need to write extension code to implement the applicable behaviors.
API Commands: Citrix ADC.send(), Citrix ADC.pipe(), Citrix ADC.tcp.stream()
[Diagram: sample code]
Citrix ADC w/ MQTT
Features In Citrix ADC
Message Based Load Balancing
– Parse the first MQTT Connect packet/message and do LB based on Client ID
– Token based LB
– Session Persistence
– User defined session persistence
SSL
– Acceleration/Offloading
– Backend re-encryption or end-to-end encryption
– Client authentication, certificate status check (revocation lists, OCSP)
Deployment Models
MQTT Example Topology
SSL
Auto Detection of CertKey Encoding
• Citrix ADC can now auto-detect the encoding type and load the certificate and key.
– No need to figure out and give the “-inform” option.
• Supported Formats: PEM, DER, PFX/PKCS#12
• For PFX, use the “-bundle” option of the “add certkey” command. Citrix ADC will:
– Parse the PFX file
– Load the server-cert and server-key
– Load all the Intermediate-CA certs present in the PFX file
– Link the certificates
SSL Signature Extension
• SSL handshake reset by the server when a SHA-384/512 server or intermediate cert is used on Microsoft IIS servers
• Earlier added signature extensions (11.0 65.31)
– RSA-MD5
– RSA-SHA1
– RSA-SHA256
SSL OCSP Stapling
Use Case: Certificate Revocation Status Check
[Diagram: OCSP Responder Server; the client connects to the secure SSL VIP; Citrix ADC checks the revocation status of the server certificate; Citrix ADC staples the OCSP response along with the certificate]
• Improve the overall TLS handshake performance by offloading clients from finding the certificate revocation status.
Session Tickets
Use Case
• Improve TLS session resumption by offloading servers from storing session details in their memory
• With a TLS session ticket, clients store the session details. In the client hello, they send the session ticket, which is used for session resumption.
[Diagram: the client sends its Client Random and TLS Session Ticket; client and Citrix ADC have the same session key, and thus the encrypted session can begin after a shortened SSL handshake]
System > Profiles > SSL Profile > ns_default_ssl_profile_frontend
Cipher support matrix
• Missing ciphers are prioritized for H2 ’17.
[Table: rows TLS 1.1/1.2 Frontend, TLS 1.1/1.2 Backend, ECDHE Frontend, ECDHE Backend, GCM/SHA2 Frontend, GCM/SHA2 Backend, ECDSA Frontend, ECDSA Backend; columns MPX/SDX, VPX, FIPS 9700 series, FIPS 14000 series, Near Future; legend: Supported, In 12.0 (cell values not preserved in the extracted text)]
For complete details, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/cipher_protocl_support_matrix.html
DEFAULT Cipher Alias Re-ordering (Front-end)
• Give preference to AES/AES-GCM/ECDHE ciphers.
• De-prioritize RC4 ciphers.
• No ciphers dropped.
New Cipher Re-Order List
TLS1-AES-256-CBC-SHA (0x0035)
TLS1-AES-128-CBC-SHA (0x002f)
TLS1.2-AES-256-SHA256 (0x003d)
TLS1.2-AES-128-SHA256 (0x003c)
TLS1.2-AES256-GCM-SHA384 (0x009d)
TLS1.2-AES128-GCM-SHA256 (0x009c)
TLS1-ECDHE-RSA-AES256-SHA (0xc014)
TLS1-ECDHE-RSA-AES128-SHA (0xc013)
… (28 ciphers in total)
Old Cipher Re-Order List
SSL3-RC4-MD5 (0x0004)
SSL3-RC4-SHA (0x0005)
SSL3-DES-CBC3-SHA (0x000a)
TLS1-AES-256-CBC-SHA (0x0035)
TLS1-AES-128-CBC-SHA (0x002f)
SSL3-EDH-DSS-DES-CBC3-SHA (0x0013)
TLS1-DHE-DSS-RC4-SHA (0x0066)
TLS1-DHE-DSS-AES-256-CBC-SHA (0x0038)
… (28 ciphers in total)
Cipher Re-ordering (Back-end)
• Give preference to AES/AES-GCM/ECDHE ciphers.
• RC4-SHA still on top.
– Internal network.
– Legacy servers.
• No ciphers dropped.
New Cipher Re-Order List
TLS_RSA_WITH_RC4_128_SHA (0x0005)
TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_RSA_WITH_RC4_128_MD5 (0x0004)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
… (55 ciphers in total)
Old Cipher Re-Order List
TLS_RSA_WITH_RC4_128_MD5 (0x0004)
TLS_RSA_WITH_RC4_128_SHA (0x0005)
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
TLS_RSA_WITH_DES_CBC_SHA (0x0009)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 (0x0060)
… (55 ciphers in total)
SSL Manageability Improvement
• Default SSL Profile
– Convenient adding/removing/reordering of ciphers and cipher groups
– Better control over SSL parameters
• SSL Certificate management improvement
– Minimum steps; maximum use-case coverage
– Least possibility of error
Reporting and Debugging Improvements
• SSL N3 chip utilization reporting on MPX appliances
• TLS 1.1/1.2 session and connection reporting
• Client authentication counter at VIP level
SSL Profile *
• Profile – a container object which represents a combination of several SSL attribute objects.
• All settings on an SSL vserver and the global SSL parameters (*) are available on the profile.
• Changes to a profile are directly reflected on all vservers it is bound to.
• New Changes:
– Global and per-vserver SSL profile.
– Global Default Profile.
– Enabled via the “set ssl parameter” command
– A newly created SSL vserver inherits the default profile.
– Only one profile can be bound to a vserver.
ECDHE Rocks
Elliptic Curve Cipher
• Uses smaller keys
• Requires less CPU and memory
• ECC is faster
• ECC is more secure
DH Key Exchange
• Best key exchange mechanism
• No exchange of pre-master secret
Perfect Forward Secrecy
• Future protection of data
• ECC compensates the cost of PFS in ECDHE
SNI
Host multiple domains on a single IP
• Server Name Indication allows multiple applications to run on one IP address and port
• Bind multiple certificates to one server; one for each application
• Enables a server to host a group of domain names
• Client indicates which hostname to connect to in the client hello
• Most browsers support SNI; it’s time for servers now
[Diagram: Client hello requesting site1.com; Server hello with the Site1 certificate, selected from the Site1, Site2 and Site3 certs]
SAN
One certificate, multiple domains
• Subject Alternative Names allows various values for fields within a certificate
• More powerful than wildcard certificates
• Great when protecting alternate domains with the same website
• Ex. site1.com and site1.org
• Improves certificate management across multiple servers
Citrix ADC FIPS Solutions
• MPX/SDX 14000 FIPS
Thales nShield
FIPS 140-2 Level 3
• Network-attached hardware security module (HSM)
• FIPS 140-2 Level 3 and Common Criteria EAL 4+ certified
• Protects and manages private keys
• Identity-based authentication mechanisms
• Strong separation of duties
• Tamper response mechanisms – mechanisms that wipe out keys and “critical security parameters” if the cover is opened or if physical probing is detected
[Diagram labels: SDX, VPX, MPX]
HSTS (HTTP Strict Transport Security)
• HSTS can now be enabled in both SSL Profiles & in VServers
– HSTS is how web servers inform clients to always use SSL
– Uses the HTTP response header field "Strict-Transport-Security"
https://tools.ietf.org/html/rfc6797
[Diagram: Without HSTS, every HTTP GET / from the client is answered with a redirect to HTTPS before the HTTPS GET / is sent. With HSTS, only the first HTTP GET / is redirected; subsequent requests go directly to HTTPS GET /]
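As an added example (not from the slides or Citrix code), a small RFC 6797 parser that rates the Strict-Transport-Security value a vserver or SSL profile sends; the header values and the 180-day threshold are constructed assumptions for this example.

```python
"""HSTS header check: parse a Strict-Transport-Security value per RFC 6797
and rate it the way a reviewer would when verifying that a vserver or SSL
profile with HSTS enabled actually emits a usable policy."""
import re

# Constructed sample values a response might carry.
SAMPLE_HEADERS = {
    "good": "max-age=31536000; includeSubDomains",
    "quoted": 'max-age="31536000"; preload',
    "disable": "max-age=0",
    "missing": "includeSubDomains",
    "duplicate": "max-age=300; max-age=600",
}

# One directive: token name, optionally "=" and a token or quoted-string value.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*("[^"]*"|[^;\s"]+)\s*)?$')


def parse_sts(value):
    """Parse an STS field value. Returns None when a browser would ignore the
    header (RFC 6797 section 6.1): max-age is mandatory, a directive must not
    appear more than once, and the value must match the grammar. Directive
    names are case-insensitive; unknown directives are ignored."""
    seen = {}
    for raw in value.split(";"):
        if not raw.strip():
            continue  # tolerate an empty element such as a trailing ';'
        m = _DIRECTIVE.match(raw)
        if m is None:
            return None
        name = m.group(1).lower()
        if name in seen:
            return None  # a duplicate directive invalidates the whole header
        val = m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1]  # strip quoted-string quotes
        seen[name] = val
    max_age = seen.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }


def assess(value, min_age=15552000):
    """Rate a header value: 'invalid' (browser ignores it), 'disables'
    (max-age=0 tells the browser to forget the host), 'short' (below the
    threshold) or 'ok'. The 180-day default threshold is an assumption chosen
    for this example, not a value from the slides."""
    policy = parse_sts(value)
    if policy is None:
        return "invalid"
    if policy["max_age"] == 0:
        return "disables"
    if policy["max_age"] < min_age:
        return "short"
    return "ok"


def assess_all(headers=SAMPLE_HEADERS):
    """Rate every sample; returns {label: rating}."""
    return {label: assess(value) for label, value in headers.items()}
```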
Qualys SSL Labs Report: Citrix ADC MPX/SDX/VPX
http://blogs.citrix.com/2015/05/22/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-the-sequel/
How to get that “Awesomeness”
• Disable SSL 3.0
• TLS 1.2 must be enabled
• RC4 ciphers must be removed
• Implement Strict Transport Security
• Both the server certificate and the intermediate certificates should be SHA2 signed
• Cipher list to prefer ECDHE
• Servers should support TLS_FALLBACK_SCSV
http://blogs.citrix.com/?p=174211630
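The cipher points of this checklist and the front-end re-ordering lists shown earlier can be checked mechanically; the following is an added example, not Citrix code or part of the slides. It takes the suites visible on the front-end slide as constructed input (the slide truncates both lists at 28 suites) and accepts both naming styles the deck uses.

```python
"""Cipher-order audit against the checklist: RC4, export and (3)DES suites
removed, and forward-secret (ECDHE/DHE) suites ranked ahead of static-RSA
suites. Handles Citrix ADC names (TLS1-ECDHE-RSA-AES256-SHA) and IANA names
(TLS_RSA_WITH_RC4_128_SHA)."""
import re

# Constructed input: the suites visible on the front-end re-ordering slide.
NEW_FRONTEND_ORDER = [
    "TLS1-AES-256-CBC-SHA",
    "TLS1-AES-128-CBC-SHA",
    "TLS1.2-AES-256-SHA256",
    "TLS1.2-AES-128-SHA256",
    "TLS1.2-AES256-GCM-SHA384",
    "TLS1.2-AES128-GCM-SHA256",
    "TLS1-ECDHE-RSA-AES256-SHA",
    "TLS1-ECDHE-RSA-AES128-SHA",
]
OLD_FRONTEND_ORDER = [
    "SSL3-RC4-MD5",
    "SSL3-RC4-SHA",
    "SSL3-DES-CBC3-SHA",
    "TLS1-AES-256-CBC-SHA",
    "TLS1-AES-128-CBC-SHA",
    "SSL3-EDH-DSS-DES-CBC3-SHA",
    "TLS1-DHE-DSS-RC4-SHA",
    "TLS1-DHE-DSS-AES-256-CBC-SHA",
]

_TRIPLE_DES = re.compile(r"3DES|DES[-_]?CBC3|DES_EDE")
_SINGLE_DES = re.compile(r"(?:^|[-_])DES(?:40)?[-_]CBC(?:[-_]|$)")


def weaknesses(suite):
    """Reasons a suite fails the checklist; an empty list means it is clean."""
    n = suite.upper()
    reasons = []
    if "EXPORT" in n:
        reasons.append("export-grade key size")
    if "RC4" in n:
        reasons.append("RC4 stream cipher")
    if _TRIPLE_DES.search(n):
        reasons.append("3DES (64-bit block)")
    elif _SINGLE_DES.search(n):
        reasons.append("single DES")
    if n.endswith("MD5"):
        reasons.append("MD5 MAC")
    return reasons


def forward_secret(suite):
    """ECDHE, DHE and EDH (OpenSSL-style name for DHE) give forward secrecy."""
    n = suite.upper()
    return "DHE" in n or "EDH" in n


def audit(order):
    """Audit a cipher order: the weak suites as (index, name, reasons) and the
    index of the first forward-secret suite; every suite ranked ahead of that
    index is a static-key-exchange suite the ADC would prefer over it."""
    weak = [(i, s, weaknesses(s)) for i, s in enumerate(order) if weaknesses(s)]
    pfs = [i for i, s in enumerate(order) if forward_secret(s)]
    return {"weak": weak, "first_pfs_index": pfs[0] if pfs else None}


def passes_checklist(order):
    """True only if nothing weak is offered and the top-ranked suite is forward-secret."""
    result = audit(order)
    return not result["weak"] and result["first_pfs_index"] == 0


def hardened_order(order):
    """Drop the weak suites and move forward-secret suites to the front,
    keeping the profile's relative order within each group."""
    clean = [s for s in order if not weaknesses(s)]
    return [s for s in clean if forward_secret(s)] + [s for s in clean if not forward_secret(s)]
```

Run against the slide's lists, the new front-end order is free of weak suites but still ranks six static-RSA suites ahead of its first ECDHE suite, so it does not yet meet the "prefer ECDHE" point.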
SSL ECC Optimization
• On MPX – observed 2x to 9x improvements** for ECDHE-RSA2K
– Depending on the MPX platform configuration (no. of cores and no. of Cavium cards)
– Refer to official specs for ECDHE numbers on various platforms
• On VPX – 2x-6x improvements** over current ECDHE-RSA2K numbers
• Available in Oban (12.0); also released in 11.1-MR/Q4 2016
• * Refer to official specs for per-core numbers
• On MPX/SDX Platforms* (ECDHE-RSA2K)
– Hybrid ECDH approach (CPU + card processing)
– Offload ECC operations* to software/CPU (up to the configured CPU quota)
– Additional ECC operations* done on the card
– RSA operations done on the card
– Hybrid ECC feature – DISABLED by default
– ENABLE by configuring the “Software Crypto acceleration CPU Threshold” SSL parameter
– E.g. “set ssl parameter -softwareCryptoThreshold 90”
• On VPX Platforms (ECDHE-RSA2K)
– 64-bit optimized ECC in 32-bit PE (via far-call) and 64-bit PE (native)
SSL TPS (VPX), ECDHE-RSA2K (256 curve): 1 PE (12.0/Oban): 1100*; 1 PE (11.0): 180
* with AVX2 support on Citrix Hypervisor 7.0
SSL RSA Optimization for Citrix ADC VPX
• More optimizations on VPX platforms for RSA
• Integrated substantial improvements (algorithmic and processor-specific optimizations) for RSA operations from the latest OpenSSL (contributed by Intel)
• Observed 2x-3.5x improvements in RSA per-core TPS numbers compared to 11.x numbers.
• Refer to official specs for per-core numbers
• For RSA-2K more optimization is available on processors supporting the AVX2 instruction set (Haswell onwards)
• NSPPE determines at run-time if AVX2 is supported by the underlying processor/hardware
• Requires underlying hypervisor support to determine AVX2 support
• Citrix Hypervisor 7.0 and VMware vSphere 6.5
SSL TPS, RSA-2K: 1 PE (12.0/Oban): 1300* (* with AVX2 support on Citrix Hypervisor 7.0); 1 PE (11.0): 370* (* base 64-bit far-call optimization only)
Networking
Highlights
• Full proxy IPv6-IPv4 Server Load Balancing
• Full featured WAF for IPv6
• Static and Dynamic Routing support
• Best IPv6 / IPv4 performance ratio
• Feature parity with IPv4
• NAT64, NAT46, DNS64
• ACL, RNAT, INAT
• No additional license fee for IPv6
• IPv6 management
IPv6 Features Summary
Networking
• Routing: Dynamic (OSPF, RIP, BGP) & Static
• Neighbor Discovery: Address Resolution, DAD, Neighbor Unreachability, Router Discovery
• Path MTU discovery
• VLANs: Port Based, Prefix Based
• VMACs
• DNS
Security
• ACLs
• RNAT
• PBR
• Application Firewall
• DDoS Protection
• HDOSP
• Surge Protection
• Sure Connect
• Priority queuing
Load Balancing / Performance
• Mixed mode deployments
• IPv4 and IPv6 coexistence
• Layer 4/7 Load Balancing
• SSL Offload
• IPv6 monitors
• DSR and USIP
• LLB
Migration
• Dual-Stack support
• IPv4-IPv6 and IPv6-IPv4 NAT
• Prefix Based Translation
• Host Header Modification
Management
• IPv6 addresses for NSIPs (SNIPs, VIPs)
• IPv6 Protocols (TCP6, UDP6, ICMP6)
• Ping6, Telnet6, SSH6
• SNMP and CVPN for IPv6
• HA
Application Layer Support
• Integrated Caching
• Compression
• Rewrite
• Responder
• Rate Limiting
• AAA-TM
Use Cases
• Clients Migration
– Mix of IPv4 and IPv6 clients
– IPv6 clients access IPv4 servers
• Slow Server Migration
– Mix of IPv4 and IPv6 servers
– IPv4 clients access IPv6 servers
• Test IPv6 ready applications without upgrading the entire infrastructure to IPv6
SLB64 – Internet Edge
• Make your IPv4 web applications available to external IPv6 users
• No changes to existing server infrastructure
• Performance, Availability, Reliability and Security of the application preserved
[Diagram: IPv6 VIPs exposed to IPv6 users on the IPv6 Internet, with the IPv4 Internet and the IPv4 network behind the ADC]
IPv6 Application Load Balancing
• SLB for IPv6 applications (e.g. Microsoft DA / UAG)
• Make IPv6 applications available to IPv4 and IPv6 clients
• Feature parity with IPv4 for advanced ADC functions
[Diagram: IPv6 Internet and IPv4 Internet in front of the ADC; IPv6 network and IPv4 network behind it]
Support matrix
Client facing (Virtual IP) -> Server facing (SNIP)
• IPv4 -> IPv4
• IPv6 -> IPv4
• IPv4 -> IPv6
• IPv6 -> IPv6
IPv6 Connection Mirroring
• An active Citrix ADC vserver can now sync its IPv6 connection table to the standby
[Diagram labels: Primary / Active, Secondary / Stand-by, Primary / Active]
NAT
• SLB NAT
• Layer 3 NAT
• INAT
• RNAT
• Prefix based IPv6-IPv4 NAT
SLB NAT
• SLB NAT is used when server responses don't automatically pass through the Citrix ADC
– One-Arm mode
– Servers and the Citrix ADC are in different subnets
• SLB NAT is performed only when USIP is DISABLED
[Diagram: Citrix ADC performing SLB NAT for three server groups, Sales, Eng and Manf, with source IPs 10.102.1.1, 10.102.1.11 and 10.102.1.21 and servers at 10.102.1.5–10, 10.102.1.15–20 and 10.102.1.25–30]
SLB NAT – Network profile
• SNIP/MIP used as source IP for backend communication
• Network profiles used for selecting the source IP (SNIP/MIP)
• Network profiles can be associated with a service/vserver
[Diagram: network profiles selecting the source IP (10.102.1.1, 10.102.1.11, 10.102.1.21) for the Sales, Eng and Manf server groups at 10.102.1.5–10, 10.102.1.15–20 and 10.102.1.25–30]
Network Profile – order of selecting source IP
• Use Source IP (USIP) Enabled
– Client IP is always used for backend communication
• Network Profile and USIP disabled (checked in this order)
– Network Profile bound to the service is used
– Network Profile bound to the servicegroup is used
– Network Profile bound to the vserver is used
• Network Profile and Monitoring (checked in this order)
– Network Profile bound to the monitor is used
– Network Profile bound to the service is used
– Network Profile bound to the servicegroup is used
Network Profile – Configuration
• Adding a Network Profile
– add netprofile salesNetPro -srcIp 10.102.1.1
• Adding a Network Profile with an IPSET
– add netprofile salesNetPro -srcIp rangeIP
• Setting a Network Profile
– set netprofile salesNetPro -srcIp 192.168.1.1
• Binding a Network Profile
– set lb vserver salesVs -netProfile salesNetPro
– set service salesSvc -netProfile salesNetPro
– set servicegroup salesSvcGrp -netProfile salesNetPro
– set monitor sales_mon -netProfile salesNetPro
Use case for NetProfile
• Apple wants to choose the source IP for Syslog traffic
• The source IP can then be used to identify syslog traffic
• Firewalls can be configured for the specific source IP
1. Types of L3 NAT – INAT
INAT: Citrix ADC replaces the destination IP address
INAT – Destination NAT
• Destination IP translation
• Supported Scenarios:
 IPv4-IPv4 Mapping
 IPv4-IPv6 Mapping
 IPv6-IPv4 Mapping
 IPv6-IPv6 Mapping
INAT – Source IP Selection
The source IP for the translated connection is chosen in this order:
1. Is USIP enabled? Yes: use the Client IP. No: continue.
2. Is a Proxy IP configured? Yes: use the Proxy IP. No: continue.
3. Is USNIP enabled? Yes: use a SNIP. No: continue.
4. Is a MIP configured? Yes: use the MIP. No: Error (no usable source IP).
INAT - Configuration
• add inat <name> <publicIP> <privateIP> [-tcpproxy ( ENABLED | DISABLED )] [-ftp ( ENABLED | DISABLED )] [-usip ( ON | OFF )] [-usnip ( ON | OFF )] [-proxyIP <ip_addr|ipv6_addr>] [-tftp ( ENABLED | DISABLED )] [-mode ( ENABLED | DISABLED )]
– Public IP can be one of the Citrix ADC owned VIPs
– Private IP – Translation IP
– TCP Proxy: Useful for security reasons to mitigate DoS / DDoS attacks
– Enabled: Maintains the TCP session state
– Disabled: Does not maintain the TCP session state
• rm inat <name>
• show inat [<name>]
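The destination rewrite and the source-IP decision order from the previous two slides, as an added Python model (this is not Citrix ADC code). The rule name, the VIP 203.0.113.10, the internal host 10.0.0.10 and the SNIP/MIP values are constructed, and only the INAT options that the flowchart consults (USIP, proxy IP, USNIP) are modelled; the flowchart's Error exit is raised as an exception so a misconfiguration cannot silently forward with no source address.

```python
"""Model of INAT (destination NAT) with the source-IP selection order from the
flowchart: USIP -> Proxy IP -> USNIP (SNIP) -> MIP -> error.
Added example, not Citrix ADC code; all addresses and rule names are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class InatRule:
    """One 'add inat' entry. Only the options the selection order needs are modelled."""
    name: str
    public_ip: str                  # ADC-owned VIP that clients send to
    private_ip: str                 # translation target behind the ADC
    usip: bool = False              # -usip ON: keep the client IP as source
    proxy_ip: Optional[str] = None  # -proxyIP
    usnip: bool = True              # -usnip ON: use a SNIP as source


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class NoSourceIP(Exception):
    """The flowchart's 'Error' exit: nothing is left to use as the source address."""


def select_source_ip(rule: InatRule, client_ip: str,
                     snip: Optional[str], mip: Optional[str]) -> str:
    """Walk the decision diamonds in the order the slide draws them."""
    if rule.usip:                 # Is USIP enabled?        -> Use Client IP
        return client_ip
    if rule.proxy_ip:             # Is Proxy IP configured? -> Use Proxy IP
        return rule.proxy_ip
    if rule.usnip and snip:       # Is USNIP enabled?       -> Use SNIP
        return snip
    if mip:                       # Is MIP configured?      -> Use MIP
        return mip
    raise NoSourceIP(f"rule {rule.name}: no source IP available")


def apply_inat(pkt: Packet, rules: List[InatRule],
               snip: Optional[str] = None, mip: Optional[str] = None) -> Packet:
    """Rewrite the destination of a packet addressed to a public IP with an INAT rule.
    Packets that match no rule are returned untouched (no translation applies)."""
    for rule in rules:
        if pkt.dst == rule.public_ip:
            return Packet(src=select_source_ip(rule, pkt.src, snip, mip),
                          dst=rule.private_ip)
    return pkt


# Constructed configuration: VIP 203.0.113.10 mapped to the internal host 10.0.0.10
RULES = [InatRule("web-inat", "203.0.113.10", "10.0.0.10")]

if __name__ == "__main__":
    out = apply_inat(Packet("198.51.100.7", "203.0.113.10"), RULES, snip="10.0.0.1")
    print(out)  # Packet(src='10.0.0.1', dst='10.0.0.10')
```

With the default options the backend sees the SNIP as source; flipping `usip` on makes the backend see the client address, which is what the slide's "Use Client IP" branch means in practice (the backend's return route must then pass through the ADC).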
2. Types of L3 NAT – RNAT
RNAT: Citrix ADC replaces the source IP address
RNAT – Source NAT
• Address based translation: NATing is performed for all packets matching the address
• Extended ACL based translation: NATing is performed for all packets matching the configured ACL
• NAT IP address used in translation:
– SNIP or MIP
– Unique IP configured as part of the NAT rule (-natip option)
• RNAT takes precedence over USIP mode if configured
RNAT – Source IP Selection
• NATIP is always used when configured
• If NATIP is not configured, the source IP is selected based on the destination:
– VIP – If explicitly configured using NATIP
– SNIP – If USNIP is ON
– MIP – For the rest of the cases
• For RNAT in LLB, source IP selection is based on the router (check the LLB documentation for more details)
RNAT – Example Scenario
Blue Colored Flow:
1. Packet generated by server: Src = 192.168.2.1; Dst = 100.100.100.1
2. Packet received by client: Src = 200.200.200.202; Dst = 100.100.100.1
3. Response from client: Src = 100.100.100.1; Dst = 200.200.200.202
4. Response received by server: Src = 100.100.100.1; Dst = 192.168.2.1
Red Colored Flow:
1. Packet generated by server: Src = 192.168.1.1; Dst = 100.100.100.1
2. Packet received by client: Src = 200.200.200.201; Dst = 100.100.100.1
3. Response from client: Src = 100.100.100.1; Dst = 200.200.200.201
4. Response received by server: Src = 100.100.100.1; Dst = 192.168.1.1
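The two flows of the scenario, replayed through an added Python model of RNAT with a session table (this is not Citrix ADC code). The two rules are constructed so that 192.168.2.0/24 translates to NATIP 200.200.200.202 and 192.168.1.0/24 to 200.200.200.201, which reproduces the blue and red flows; ports are left out of the session key to keep the model short, and an inbound packet with no matching session is dropped rather than forwarded, since a NAT must not let unsolicited traffic reach the private side.

```python
"""Model of RNAT (source NAT) with a session table, reproducing the two flows on the
slide. Added example, not Citrix ADC code. The two RNAT rules are constructed; ports are
omitted from the session key to keep the model small."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class RnatRule:
    """'set rnat <network> <netmask> -natip <NATIPAddress>' with a single NATIP."""
    network: ipaddress.IPv4Network
    natip: str


class Rnat:
    def __init__(self, rules: List[RnatRule]) -> None:
        self.rules = rules
        # (natip, remote host) -> original server address
        self.sessions: Dict[Tuple[str, str], str] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Server -> client direction: replace the source with the rule's NATIP."""
        src = ipaddress.ip_address(pkt.src)
        for rule in self.rules:
            if src in rule.network:
                self.sessions[(rule.natip, pkt.dst)] = pkt.src
                return Packet(src=rule.natip, dst=pkt.dst)
        return pkt  # no rule matched: forwarded with the original source

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Client -> server direction: restore the original destination from the
        session table. A packet with no session is dropped (None), not forwarded."""
        original = self.sessions.get((pkt.dst, pkt.src))
        if original is None:
            return None
        return Packet(src=pkt.src, dst=original)


# Constructed rules chosen to reproduce the slide's two flows
RNAT = Rnat([
    RnatRule(ipaddress.IPv4Network("192.168.1.0/24"), "200.200.200.201"),  # red flow
    RnatRule(ipaddress.IPv4Network("192.168.2.0/24"), "200.200.200.202"),  # blue flow
])


def run_flow(nat: Rnat, server: str, client: str) -> List[Optional[Packet]]:
    """Steps 1-4 of the slide: packet generated by the server, what the client
    receives, the client's response, and what the server receives."""
    generated = Packet(server, client)
    received_by_client = nat.outbound(generated)
    response = Packet(received_by_client.dst, received_by_client.src)
    received_by_server = nat.inbound(response)
    return [generated, received_by_client, response, received_by_server]


if __name__ == "__main__":
    for step in run_flow(RNAT, "192.168.2.1", "100.100.100.1"):
        print(step)
```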
RNAT Configuration
• set rnat <IPAddress> <netmask>
– MIP or SNIP will be used for translation
• set rnat <IPAddress> <netmask> -natip <NATIPAddress>
– Provide a single IP or a range in <NATIPAddress>
– NATIP will be used for translation
• set rnat <aclname> [-redirectPort <port>]
– MIP or SNIP will be used for translation for packets matching the ACL
– redirectPort – destination port to which traffic is redirected
• set rnat <aclname> [-redirectPort <port>] -natIP <NATIPAddress>
– Provide a single IP or a range in <NATIPAddress>
– NATIP will be used for translation for packets matching the ACL
– redirectPort – destination port to which traffic is redirected
• show rnat
Prefix based IPv6-IPv4 translation
[Diagram: an IPv6 packet (Source: 2001::1, Destination: 3ffe::74.125.91.105) enters Citrix ADC NS1 and leaves as an IPv4 packet (Source: 202.12.46.10 [Citrix ADC], Destination: 74.125.91.105)]
• IPv6 to IPv4 translation based on the matching prefix
• Destination IP is translated based on the configured prefix – the last 32 bits are used as the IPv4 address
• Configuration
– set ipv6 [-natprefix <ipv6_addr|*>]
– show ipv6
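The prefix match and the "last 32 bits become the IPv4 address" rule, as an added Python example (not Citrix ADC code). The prefix 3ffe::/96 and the addresses are taken from the packet diagram above; the SNIP 202.12.46.10 is the one shown as the translated source. The /96 length is enforced because a prefix that leaves anything other than 32 bits for the embedded address cannot carry an IPv4 address unambiguously, and the reverse direction (server reply back into the prefix) is included so both halves of the flow are visible.

```python
"""Prefix-based IPv6-to-IPv4 translation: an IPv6 destination that falls inside the
configured NAT prefix has its last 32 bits taken as the IPv4 destination.
Added example, not Citrix ADC code; prefix and addresses come from the slide's diagram."""
import ipaddress
from typing import Dict, Optional

IPV4_MASK = 0xFFFFFFFF


def nat_prefix(natprefix: str) -> ipaddress.IPv6Network:
    """Validate the prefix given to 'set ipv6 -natprefix': it must leave exactly
    32 bits for the embedded IPv4 address, i.e. it must be a /96."""
    prefix = ipaddress.IPv6Network(natprefix, strict=True)
    if prefix.prefixlen != 96:
        raise ValueError(f"NAT prefix must be /96, got /{prefix.prefixlen}")
    return prefix


def ipv6_to_ipv4(dst: str, natprefix: str) -> Optional[str]:
    """Return the embedded IPv4 address, or None when the prefix does not match."""
    prefix = nat_prefix(natprefix)
    addr = ipaddress.IPv6Address(dst)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & IPV4_MASK))


def ipv4_to_ipv6(src: str, natprefix: str) -> str:
    """Reverse direction: embed an IPv4 address in the prefix so the reply carries the
    same IPv6 address the client originally sent to."""
    prefix = nat_prefix(natprefix)
    return str(ipaddress.IPv6Address(int(prefix.network_address)
                                     | int(ipaddress.IPv4Address(src))))


def translate_request(pkt: Dict[str, str], natprefix: str,
                      snip: str) -> Optional[Dict[str, str]]:
    """IPv6 client packet -> IPv4 packet sourced from the ADC's SNIP."""
    v4dst = ipv6_to_ipv4(pkt["dst"], natprefix)
    if v4dst is None:
        return None  # not inside the NAT prefix: normal IPv6 forwarding applies
    return {"src": snip, "dst": v4dst}


def translate_reply(pkt: Dict[str, str], natprefix: str, client: str) -> Dict[str, str]:
    """IPv4 server reply -> IPv6 packet back to the original client."""
    return {"src": ipv4_to_ipv6(pkt["src"], natprefix), "dst": client}


if __name__ == "__main__":
    v6 = {"src": "2001::1", "dst": "3ffe::74.125.91.105"}
    v4 = translate_request(v6, "3ffe::/96", "202.12.46.10")
    print(v4)  # {'src': '202.12.46.10', 'dst': '74.125.91.105'}
    print(translate_reply({"src": "74.125.91.105", "dst": "202.12.46.10"},
                          "3ffe::/96", v6["src"]))
```

Note that `3ffe::74.125.91.105` and `3ffe::4a7d:5b69` are the same address written two ways; the dotted-quad form is just the conventional way to show an embedded IPv4 address.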
NAT Summary
Scenario | INAT | RNAT | SLB NAT
1:1 | Provide a Private IP corresponding to the public IP | Provide only one IP in the rule with configured NATIP Address | Combination of Listen rule and Net Profile with one IP attached to Vserver
N:1 | Provide same Private IP in different INAT rules | Provide a subnet in the RNAT rule | Net Profile with one IP attached to Vserver
M:N | NA | Provide a subnet in the RNAT rule and a range in NATIP Addresses | Net Profile with range / subnet IP attached to Vserver
Dynamic Routing
• Protocols Supported
– Routing Information Protocol (RIP) version 2
– Open Shortest Path First (OSPF) version 2
– Border Gateway Protocol (BGP)
– Routing Information Protocol next generation (RIPng) for IPv6
– Open Shortest Path First (OSPF) version 3 for IPv6
– IS-IS Protocol
• The protocols use the industry standard ZebOS routing stack
Dynamic Routing – Unsupported Commands
OSPF (Command Reference Guide: OSPF Command Reference)
• Domain-id command
• Graceful restart related commands
• OSPF-TE related commands
• OSPF-VPN related commands
• CSPF-TE related commands
• ip ospf resync-timeout command
• capability opaque command
• enable ext-ospf-multi-inst command
IPv6 OSPF (OSPFv3) (Command Reference Guide: OSPF Command Reference)
• Graceful restart related commands
• OSPF-TE related commands
BGP (Command Reference Guide: BGP Command Reference)
• VPN/VRF related commands
• Graceful restart related commands
• MPLS related commands
• 6PE commands (IPv6 provider edge)
• MD5 authentication related commands
• Multicast options
• set-overload-bit command
IS-IS (Command Reference Guide: IS-IS Command Reference)
• capability cspf command
• enable-cspf command
• mpls traffic-eng command
• mpls traffic-eng router-id command
• multi-topology for ipv6 address family related commands
RIP and IPv6 RIP (RIPng) (no Command Reference Guide listed)
• neighbor command
Jumbo Frames
• Use Case
– Ability to send larger frames across the network, which helps with large file transfer and content download use cases.
• Feature
– Receiving and transmitting jumbo frames containing up to 9216 bytes of IP data
– Jumbo Frames support for the following protocols
– TCP
– UDP
– HTTP
– SIP
– Radius
– nCore is being validated in 10.5
Standard Ethernet Frame vs Jumbo Frame
[Diagram: transferring a file of 8500 bytes of application data. With standard Ethernet frames the data is split into six frames, each with its own header (HDR): five carrying 1500 bytes and one carrying the remaining <1500 bytes. With a jumbo frame the whole payload travels as HDR + 8500 bytes in a single frame.]
Benefits of Ethernet jumbo frames
• Big Payloads
• Increased Throughput and Goodput
• Fewer Packets
• Less Packet switching
• Reduced Network I/O
• Lowered CPU Usage
• Reduced Protocol Processing
VXLAN Support
• Virtualization has placed increased demands on the physical networking infrastructure
• VMs may be grouped according to their Virtual LAN; the limit of 4096 VLANs is inadequate
• Need to host multiple tenants, each with their own isolated networking domain
• Each tenant may independently assign MAC addresses and VLAN IDs
• Need for an overlay network that carries MAC traffic from individual VMs in an encapsulated format over a logical "tunnel"
Multi-tenancy (Server reachability over VxLAN only)
add partition p1
add partition p2
add vxlan 1000
add vxlan 2000
bind partition p1 -vxlan 1000
bind partition p2 -vxlan 2000
add bridgetable -mac 00:00:00:00:00:00 -vxlan 1000 -vtep 10.216.1.1
add bridgetable -mac 00:00:00:00:00:00 -vxlan 2000 -vtep 10.216.1.2
switch partition p1
bind vxlan 1000 -ipAddress 192.168.1.10 255.255.255.0
switch partition p2
bind vxlan 2000 -ipAddress 192.168.1.10 255.255.255.0
[Diagram: CLIENT A and CLIENT B (CLIENT IP 123.1.1.1) reach VIP 65.1.1.1 on the Citrix ADC; Partition1 reaches SERVER A (SERVER IP 192.168.1.11) through vtep1 (VTEP 10.216.1.1) and Partition2 reaches SERVER B (SERVER IP 192.168.1.11) through vtep2 (VTEP 10.216.1.2), so both tenants reuse the same server address space without colliding]
Multi-tenancy (Server reachability over VLAN / stretched VxLAN)
add partition p1
add partition p2
add vxlan 1000 -vlan 100
add vxlan 2000 -vlan 200
bind partition p1 -vlan 100
bind partition p2 -vlan 200
add bridgetable -mac 00:00:00:00:00:00 -vxlan 1000 -vtep 10.216.1.1
add bridgetable -mac 00:00:00:00:00:00 -vxlan 2000 -vtep 10.216.1.2
switch partition p1
bind vlan 100 -ipAddress 192.168.1.10 255.255.255.0
switch partition p2
bind vlan 200 -ipAddress 192.168.1.10 255.255.255.0
[Diagram: CLIENT A and CLIENT B (CLIENT IP 123.1.1.1) reach VIP 65.1.1.1 on the Citrix ADC; Partition1 reaches SERVER A (SERVER IP 192.168.1.11, SERVER SUBNET VLAN 100) through vtep1 (VTEP 10.216.1.1) and Partition2 reaches SERVER B (SERVER IP 192.168.1.11, SERVER SUBNET VLAN 200) through vtep2 (VTEP 10.216.1.2)]
Bridging between VLAN and VXLAN
[Diagram: SERVER 1 on VLAN 2 and SERVER 2 behind a remote VTEP are bridged through VXLAN 20000]
enable ns mode L2
add vxlan 20000 -vlan 2
add ipTunnel tun1 224.0.0.7 255.255.255.255 * -protocol vxlan
bind vxlan 20000 -tunnel tun1
Citrix ADC VXLAN Capabilities
• Server / client reachability over VXLAN tunnels
• Bridge traffic between VLAN and VXLAN segments
• Two types of VXLANs
– VXLANs that stretch / extend existing VLAN
– VXLANs as independent Layer 3 entities - scale beyond the limit of 4K vlans
• Unicast and Multicast VXLAN tunnels
– No support for IGMP as yet – VTEPs should be one hop away when tunnel is multicast
• VXLAN port configurable (default 4789)
• Identical VXLAN configuration on HA nodes
• Scaling – 4K vlan extensions and 2K layer 3 configurations
Citrix ADC VXLAN Capabilities
• Bridge table learns VNID, VTEP
• VNID, VTEP configurable for static ARP/ND6
• ACL, ACL6, PBR, PBR6 policies to match VXLAN
• Policy expressions to match VXLAN
• VXLANs can be bound to traffic domains
• IPv4 / v6 address can be bound to VXLANs
• VXLAN stat / snmp support
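The VXLAN header and the bridge table behind the multi-tenancy slides and the "Bridge table learns VNID, VTEP" bullet, as an added Python example (not Citrix ADC code). The VNIDs 1000/2000, the all-zero MAC catch-all entries and the VTEPs 10.216.1.1/10.216.1.2 come from the slide's configuration; the MAC addresses are constructed. The parser rejects headers without the VNI-valid flag or with non-zero reserved bits, and the table is keyed on (VNID, MAC) so two partitions that reuse the same addresses resolve to different VTEPs.

```python
"""VXLAN header handling plus a bridge table keyed by (VNID, MAC) -> VTEP, modelled on the
'add bridgetable -mac 00:00:00:00:00:00 -vxlan <vni> -vtep <ip>' entries on the slides.
Added example, not Citrix ADC code; VNIDs and VTEPs come from the slides, MACs are constructed."""
import struct
from typing import Dict, Optional, Tuple

VXLAN_UDP_PORT = 4789               # default, configurable on the ADC
FLAG_VNI_VALID = 0x08               # the 'I' flag in the first header byte
DEFAULT_MAC = "00:00:00:00:00:00"   # catch-all entry for unknown destinations


def build_vxlan_header(vni: int) -> bytes:
    """8-byte header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", FLAG_VNI_VALID << 24, vni << 8)


def parse_vxlan_header(data: bytes) -> int:
    """Return the VNI; reject headers without the I flag or with reserved bits set."""
    if len(data) < 8:
        raise ValueError("short VXLAN header")
    first, second = struct.unpack("!II", data[:8])
    if not (first >> 24) & FLAG_VNI_VALID:
        raise ValueError("VNI not marked valid")
    if (first & 0x00FFFFFF) or (second & 0xFF):
        raise ValueError("reserved bits must be zero")
    return second >> 8


class BridgeTable:
    """Forwarding entries per VXLAN segment. Because the key includes the VNID, two
    tenants can reuse the same MAC (or the same IP space) without colliding."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[int, str], str] = {}

    def add_static(self, vni: int, mac: str, vtep: str) -> None:
        self.entries[(vni, mac.lower())] = vtep

    def learn(self, vni: int, src_mac: str, from_vtep: str) -> None:
        """Source learning on decapsulated traffic ('Bridge table learns VNID, VTEP')."""
        self.entries[(vni, src_mac.lower())] = from_vtep

    def lookup(self, vni: int, dst_mac: str) -> Optional[str]:
        """Specific entry first, then the all-zero MAC for that VNID, else unknown."""
        vtep = self.entries.get((vni, dst_mac.lower()))
        if vtep is None:
            vtep = self.entries.get((vni, DEFAULT_MAC))
        return vtep


def build_table() -> BridgeTable:
    """The two static entries from the multi-tenancy slides."""
    table = BridgeTable()
    table.add_static(1000, DEFAULT_MAC, "10.216.1.1")
    table.add_static(2000, DEFAULT_MAC, "10.216.1.2")
    return table


if __name__ == "__main__":
    table = build_table()
    hdr = build_vxlan_header(1000)
    print(hdr.hex(), parse_vxlan_header(hdr))
    print(table.lookup(1000, "02:00:00:00:00:aa"), table.lookup(2000, "02:00:00:00:00:aa"))
```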
Bidirectional Forwarding Sessions
• BGP Neighbor fall-over feature
• Bidirectional Forwarding Detection (BFD) is a network protocol used to detect faults between two forwarding engines connected by a link
Optimization
Caching
AppCache
• Reduce Server workloads by removing repeatable content
• Caching allows content to be held on the Citrix ADC
• Prepopulation or policy driven should content become popular
• Improved user experience
• Less strain on server infrastructure
Compression
AppCompress
• Advanced compression capability to reduce transmitted data to user
• Improved user experience combining compression capabilities of browser
• Reduces server overheads
• Eliminates bandwidth bottlenecks & improves application performance significantly
TCP Congestion Control
• Use Case: Add support for high speed TCP congestion control algorithms which can help with:
– Minimizing bandwidth stolen
– Ensuring that co-existing flows with different RTT are treated fairly
– Ensuring efficient usage of available bandwidth
• Feature: 2 new TCP congestion control algorithms supported
– BIC
– CUBIC
BIC and CUBIC
• BIC:
– Focus is on High Speed Networks, bandwidth up to 10 Gbps
– Ability to transfer large amount of data over long distance in short amount of time
– TCP Fairness – ability to share bandwidth with TCP Connections on low-speed networks
• CUBIC:
– Enhanced BIC
– Maintain BIC's scalability & stability
– Simplify the window control
– Improve BIC's friendliness
– Two competing CUBIC flows will converge to fair share windows
– Use real-time, rather than ACK-clocked, updates to window
– The window growth rate is time dependent and RTT independent, allowing for a fairer sharing
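The last two CUBIC bullets (real-time rather than ACK-clocked updates, growth that is RTT independent) as an added Python example, not Citrix ADC code. It uses the CUBIC window function in its RFC 8312 form, W(t) = C(t - K)^3 + W_max with K = cbrt(W_max(1 - beta)/C), and the RFC's default constants C = 0.4 and beta = 0.7; the window sizes and RTTs are constructed. Two flows with different RTTs are compared against an additive, ACK-clocked increase: after the same wall-clock time CUBIC gives them the same window, the ACK-clocked scheme does not.

```python
"""CUBIC window growth as a function of elapsed time (RFC 8312 form), versus an
ACK-clocked additive increase. Added example, not Citrix ADC code; C and beta are the
RFC 8312 defaults, W_max and the RTTs are constructed."""

C = 0.4      # scaling constant
BETA = 0.7   # multiplicative decrease: cwnd drops to BETA * W_max on a loss event


def cubic_k(w_max: float, c: float = C, beta: float = BETA) -> float:
    """Seconds for the cubic function to grow back from beta*W_max to W_max."""
    return (w_max * (1.0 - beta) / c) ** (1.0 / 3.0)


def cubic_window(t: float, w_max: float, c: float = C, beta: float = BETA) -> float:
    """W(t) = C * (t - K)^3 + W_max, with t measured from the last loss event."""
    k = cubic_k(w_max, c, beta)
    return c * (t - k) ** 3 + w_max


def cubic_after(seconds: float, rtt: float, w_max: float) -> float:
    """cwnd reached after `seconds` when the window is re-evaluated once per RTT.
    Each update reads the clock, so the result depends on elapsed time, not on how
    many RTTs (ACK rounds) fitted into that time."""
    cwnd = BETA * w_max
    for i in range(1, round(seconds / rtt) + 1):
        cwnd = cubic_window(i * rtt, w_max)
    return cwnd


def ack_clocked_after(seconds: float, rtt: float, w_start: float) -> float:
    """Contrast: a Reno-style increase of one segment per RTT, where the flow with the
    shorter RTT gets more updates in the same wall-clock time and pulls ahead."""
    return w_start + round(seconds / rtt)


if __name__ == "__main__":
    w_max = 100.0
    print("K =", cubic_k(w_max))
    for rtt in (0.1, 0.2):
        print(f"rtt={rtt}: cubic={cubic_after(2.0, rtt, w_max):.2f} "
              f"ack-clocked={ack_clocked_after(2.0, rtt, BETA * w_max):.0f}")
```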
Citrix ADC MobileStream™
Multi-layer application optimizations with granular security and control
• Mobile protocol acceleration for best performance over lossy and high latency links
• Intelligent multi-path networking to seamlessly leverage wireless and cellular connectivity
• Optimized web content streaming for faster download and rendering
• Per app and user access management for end-to-end secure delivery
• Built-in protocol and app visibility for compliance
• Extensible policies for mobile threat and malware protection
Content Layout
[Chart: content breakdown of the top 1000 sites (http://httparchive.org/interesting.php)]
• Browser and client cache can be better utilized
• JS & Image dominate page content
• PNG is still not mainstream
• Avg Response size is increasing. Pages are becoming heavier.
Introduction
• JS/CSS and images comprise most of the web content.
• FEO focuses on faster and more efficient web content delivery by optimizing these components.
• Along with this, FEO tries to leverage the client cache.
Optimization Techniques – Stages in Web Page Delivery
Stages: Initial connection setup, Content Generation, Embedded object download, Page Rendering
• External Script/stylesheet minification
• CSS & JS inlining
• Small image inlining
• Combine CSS
• Image GifToPNG
• Image Resizing
• Jpeg Image Weakening
• Image to Jxr/Webp
• Moving CSS in front/Convert import to link
• Defer JS loading
• Lazy loading of images
• Domain sharding
• Cache extension
How does FEO work?
First Request:
1. Citrix ADC receives the response from the server and forwards it to the client.
2. Client parses the info, and sends a request for the first embedded object.
3. Citrix ADC sends the request to the server, server sends the processed content.
4. Citrix ADC optimizes the content, saves it in cache.
5. Citrix ADC sends the original image to client.
Subsequent Requests:
1. Citrix ADC receives the response from the server.
2. Citrix ADC parses the HTML page, checks for the optimized content and sends the optimized content to the client.
3. Client sends a request for the optimized content.
4. Citrix ADC fetches the content from the cache and sends the optimized content to the client.
Demo: COP vs. No-COP
FEO – Video Optimization for Mobile Networks
• Citrix ADC Video Optimization feature detects and optimizes Adaptive Bit Rate (ABR) traffic over mobile networks
• Ability to present an insight into video traffic & apply an optimization rate control to ABR video
• Supported in Admin Partitions
HTTP 2.0
Problem with HTTP/1.1
• Suboptimal use of TCP
– Average number of TCP connections per page used in popular sites: 37
– Slow Start
– Good for Network, Bad for Client experience
– TCP connections per domain : 6 (common in most of the browsers)
Problem with HTTP/1.1
• Increase in transfer size and number of objects per page
Problem with HTTP/1.1
• Protocol overhead
– Duplicate headers
– No header compression
GET /frameworks/barlesque/2.83.4/orb/4/script/orb/api.min.js HTTP/1.1
Host: static.bbci.co.uk
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
DNT: 1
Referer: http://www.bbc.co.uk/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,ne;q=0.6

GET /locator/0.119.7/script/locator.js HTTP/1.1
Host: static.bbci.co.uk
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
DNT: 1
Referer: http://www.bbc.co.uk/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,ne;q=0.6
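What the HTTP/2 header compression on the following slides does with the two duplicated requests above, as an added Python example (not Citrix ADC code, and not a full HPACK implementation: there is no static table and no Huffman coding, and the byte accounting only approximates RFC 7541's indexed and literal representations). The header lists are the slide's two requests rewritten as HTTP/2 fields, which means `Host` becomes `:authority` and the connection-specific `Connection: keep-alive` is dropped, as HTTP/2 requires. The dynamic table is shared across requests on one connection, so the second request sends only the field that changed.

```python
"""Simplified HPACK-style header indexing with a per-connection dynamic table, showing
how the duplicated headers of the two HTTP/1.1 requests collapse on HTTP/2.
Added example, not Citrix ADC code; the byte sizes are an approximation of RFC 7541."""
from typing import List, Optional, Tuple, Union

Header = Tuple[str, str]
Literal = Tuple[str, str, str]   # ("literal", name, value)
Indexed = Tuple[str, int]        # ("indexed", table index)

USER_AGENT = ("Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36")

# The slide's two requests as HTTP/2 header lists (Host -> :authority,
# connection-specific 'Connection' header omitted as HTTP/2 requires).
COMMON: List[Header] = [
    (":method", "GET"),
    (":authority", "static.bbci.co.uk"),
    ("accept", "*/*"),
    ("user-agent", USER_AGENT),
    ("dnt", "1"),
    ("referer", "http://www.bbc.co.uk/"),
    ("accept-encoding", "gzip, deflate, sdch"),
    ("accept-language", "en-US,en;q=0.8,ne;q=0.6"),
]
REQUEST_1 = [(":path", "/frameworks/barlesque/2.83.4/orb/4/script/orb/api.min.js")] + COMMON
REQUEST_2 = [(":path", "/locator/0.119.7/script/locator.js")] + COMMON


class DynamicTable:
    """Per-connection table of (name, value) pairs; encoder and decoder update it identically."""

    def __init__(self) -> None:
        self.entries: List[Header] = []

    def index_of(self, field: Header) -> Optional[int]:
        try:
            return self.entries.index(field) + 1   # HPACK indices are 1-based
        except ValueError:
            return None

    def add(self, field: Header) -> None:
        self.entries.append(field)


def encode(headers: List[Header], table: DynamicTable) -> List[Union[Literal, Indexed]]:
    """Emit an index for fields already in the table, a literal (and a new table entry) otherwise."""
    out: List[Union[Literal, Indexed]] = []
    for name, value in headers:
        idx = table.index_of((name, value))
        if idx is not None:
            out.append(("indexed", idx))
        else:
            out.append(("literal", name, value))
            table.add((name, value))   # later requests on this connection can reference it
    return out


def wire_size(encoded: List[Union[Literal, Indexed]]) -> int:
    """Approximate bytes: an indexed field costs 1 byte; a literal costs a prefix byte
    plus a length byte and the bytes of the name and of the value."""
    size = 0
    for item in encoded:
        if item[0] == "indexed":
            size += 1
        else:
            _, name, value = item
            size += 1 + 1 + len(name) + 1 + len(value)
    return size


def raw_size(headers: List[Header]) -> int:
    """HTTP/1.1 wire size of the same fields: 'name: value\\r\\n' per line."""
    return sum(len(n) + 2 + len(v) + 2 for n, v in headers)


def encode_connection(requests: List[List[Header]]) -> List[Tuple[int, int]]:
    """Encode consecutive requests on one connection; (wire bytes, indexed fields) per request."""
    table = DynamicTable()
    stats = []
    for req in requests:
        enc = encode(req, table)
        stats.append((wire_size(enc), sum(1 for e in enc if e[0] == "indexed")))
    return stats


if __name__ == "__main__":
    for i, (size, indexed) in enumerate(encode_connection([REQUEST_1, REQUEST_2]), 1):
        print(f"request {i}: ~{size} bytes on the wire, {indexed} fields sent as indices")
```

The same mechanism is why HPACK's table is per connection and never shared across clients: an index only means something to the peer that built the same table, which is also what makes the ADC's front-end HTTP/2 to back-end HTTP/1.1 gateway on the next slides a full re-encode rather than a pass-through.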
HTTP/1.1 Solutions
• Spriting
• Inlining
• Concatenation
• Sharding
HTTP/2: HTTP/1.1 Protocol Fix
• HTTP/2 Goals
– Backward compatibility
– Header compression
– Server push
– Substantially and measurably improve end-user perceived latency
– Address the "head of line blocking" problem
– Not require multiple connections to a server to enable parallelism
– Improve its use of TCP, especially regarding congestion control
HTTP/2 summary
• Binary Protocol
• Opens single TCP Connection per domain
• Multiple requests are streamed into one connection
• Streams are
– Multiplexed
– Prioritized
– Flow controlled
• Header Compression
• Change in wire format, no change in semantics
[Diagram: protocol stack, top to bottom – HTTP/2 Application, Binary Framing, TLS, Transport, Network, Physical]
Citrix ADC HTTP/2 Architecture
– ION Release: Citrix ADC supports HTTP/2 Gateway
– Front-End HTTP/2, Back-End HTTP/1.1
[Diagram: HTTP/2 Browser reaches the Citrix ADC HTTP/2 Gateway over a single TCP connection with request multiplexing; the gateway talks HTTP/1.1 to the server farm. Features applied on the gateway: Caching, AGEE/VPN, AppFirewall, TCP Optimization, Compression, Content Optimization, Cache Redirection, Persistency]
Citrix ADC HTTP/2 Architecture
[Diagram: HTTP/2 Browser reaches the Citrix ADC HTTP/2 Proxy over a single TCP connection with request multiplexing; one Client PCB carries Stream Sessions 1, 3, 5 and 7, each mapped to its own Server PCB towards the HTTP/1.1 Server Farm]
Action Analytics
How do Action Analytics Impact the Network?
Dynamic Configuration & Flexibility
Action Analytics
• Framework to collect statistics of run time objects
• Statistics collected can be used to take run-time decisions
• Statistics collected per object include
– Total No. of Requests
– Bandwidth
– Response Time
– Current Connections
[Diagram: Citrix ADC (MPX-15000)]
Action Analytics
• Uses rate limiting framework & structures to measure traffic.
• Counter results are exposed to the Policy Engine.
• Two components to measuring traffic objects:
1. Selector
2. Stream Identifier
• Selector: Defines a 'click'.
• Stream Identifier: Measurement intervals.
Action Analytics – Stream Selector
• Citrix ADC comes with some pre-defined selectors
Action Analytics – Stream Identifier
• Citrix ADC comes with predefined Identifiers
• Defines the selector used.
• Time interval in minutes
• Sample Rate
Action Analytics – Stream Identifier
• To start counting, a "No Operation" responder policy must be bound.
• These are also predefined.
• Stream Analytics will now start counting
Action Analytics - Requirements
• Stream Selector
• Stream Identifier
• Feature Policy configured & bound, e.g.
add cache policy Cache-Top-URLS -rule "ANALYTICS.STREAM(\"Top_URL\").IS_TOP(10)" -action CACHE -storeInGroup top-requests
• Responder Policy Configured and bound
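The selector, identifier and IS_TOP(n) pieces from the Action Analytics slides, as an added Python model (not Citrix ADC code). The selector names the request attribute that defines a "click" (the URL, for a `Top_URL`-style selector), the identifier counts per key inside fixed intervals with an optional sample rate, and a cache-policy helper mirrors the `IS_TOP(10)` rule above. The request log and the per-object statistics (requests, bandwidth, response time) are constructed; the counters are per interval, so a key that was hot in the previous interval is not "top" in the next one until it is seen again.

```python
"""Model of Action Analytics: a stream selector (what defines a 'click'), a stream
identifier (interval, sample rate, per-key statistics) and an IS_TOP(n) check.
Added example, not Citrix ADC code; the request log is constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Request:
    timestamp: float       # seconds
    client_ip: str
    url: str
    response_bytes: int
    response_ms: float


class StreamSelector:
    """Names the attributes that identify a stream, e.g. the URL for a 'Top_URL' selector."""

    def __init__(self, name: str, key_fn: Callable[[Request], str]) -> None:
        self.name = name
        self.key_fn = key_fn


@dataclass
class Stats:
    requests: int = 0
    bandwidth_bytes: int = 0
    response_ms_total: float = 0.0

    @property
    def avg_response_ms(self) -> float:
        return self.response_ms_total / self.requests if self.requests else 0.0


class StreamIdentifier:
    """Counts per selector key inside fixed intervals; when sampling is on, only every
    `sample_count`-th request is measured."""

    def __init__(self, selector: StreamSelector, interval_minutes: int = 1,
                 sample_count: int = 1) -> None:
        self.selector = selector
        self.interval_s = interval_minutes * 60
        self.sample_count = max(1, sample_count)
        self._seen = 0
        self.windows: Dict[int, Dict[str, Stats]] = defaultdict(lambda: defaultdict(Stats))

    def _window(self, ts: float) -> int:
        return int(ts // self.interval_s)

    def record(self, req: Request) -> None:
        self._seen += 1
        if self._seen % self.sample_count:
            return                      # not a sampled request
        st = self.windows[self._window(req.timestamp)][self.selector.key_fn(req)]
        st.requests += 1
        st.bandwidth_bytes += req.response_bytes
        st.response_ms_total += req.response_ms

    def top(self, n: int, now: float) -> List[str]:
        """Keys with the most requests in the interval that contains `now`."""
        counts = Counter({k: s.requests for k, s in self.windows[self._window(now)].items()})
        return [k for k, _ in counts.most_common(n)]

    def is_top(self, key: str, n: int, now: float) -> bool:
        """ANALYTICS.STREAM(<identifier>).IS_TOP(n) for the current interval."""
        return key in self.top(n, now)


def cache_policy_hit(ident: StreamIdentifier, req: Request, n: int = 10) -> bool:
    """The slide's cache policy: cache the object only if its URL is a top-n stream."""
    return ident.is_top(ident.selector.key_fn(req), n, req.timestamp)


# Constructed request log: one minute of traffic in which /sale/item-1 dominates
LOG: List[Request] = (
    [Request(10 + i, "198.51.100.1", "/sale/item-1", 20_000, 40.0) for i in range(12)]
    + [Request(12 + i, "198.51.100.2", "/sale/item-2", 18_000, 35.0) for i in range(7)]
    + [Request(15 + i, "198.51.100.3", "/account/%d" % i, 2_000, 90.0) for i in range(3)]
)


def build_identifier(sample_count: int = 1) -> StreamIdentifier:
    ident = StreamIdentifier(StreamSelector("Top_URL", lambda r: r.url), 1, sample_count)
    for req in LOG:
        ident.record(req)
    return ident


if __name__ == "__main__":
    ident = build_identifier()
    print(ident.top(2, 30.0))                     # ['/sale/item-1', '/sale/item-2']
    print(cache_policy_hit(ident, LOG[0], 2))     # True
```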
Action Analytics Use Case
• Online retailer wants to ensure availability of the most frequently viewed items on sale
• Ability to cache data objects on Citrix ADC for faster access and free up server resources for processing transactional data
Your Invincible Network
Ensure the highest availability with live clusters – zero downtime, even during upgrades
Provide intelligent optimization for superior performance
Protect business logic with responsive, dynamic configurations
Resiliency + Performance + Flexibility = Invincible
Work better. Live better.
Desktop Master Class - Migrating to Citrix Cloud - Sept 2017
 
CloudExpo NYC - Citrix Cloud Platforms Best Practices for Architecting Your C...
CloudExpo NYC - Citrix Cloud Platforms Best Practices for Architecting Your C...CloudExpo NYC - Citrix Cloud Platforms Best Practices for Architecting Your C...
CloudExpo NYC - Citrix Cloud Platforms Best Practices for Architecting Your C...
 
Citrix Day 2014: Cloud Plattform
Citrix Day 2014: Cloud PlattformCitrix Day 2014: Cloud Plattform
Citrix Day 2014: Cloud Plattform
 
Citrix Day 2013: CloudPlatform & Cloud Portal Business Manager
Citrix Day 2013: CloudPlatform & Cloud Portal Business ManagerCitrix Day 2013: CloudPlatform & Cloud Portal Business Manager
Citrix Day 2013: CloudPlatform & Cloud Portal Business Manager
 
A10 Networks: Delivering Data Center to Data Center communications securely
A10 Networks: Delivering Data Center to Data Center communications securelyA10 Networks: Delivering Data Center to Data Center communications securely
A10 Networks: Delivering Data Center to Data Center communications securely
 
Support Software Defined Networking with Dynamic Network Architecture
Support Software Defined Networking with Dynamic Network ArchitectureSupport Software Defined Networking with Dynamic Network Architecture
Support Software Defined Networking with Dynamic Network Architecture
 
Presentation cloud, the whole offer
Presentation   cloud, the whole offerPresentation   cloud, the whole offer
Presentation cloud, the whole offer
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
 
Gain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC NetworkingGain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC Networking
 

Recently uploaded

%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...masabamasaba
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...masabamasaba
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...SelfMade bd
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...masabamasaba
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrainmasabamasaba
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...masabamasaba
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastPapp Krisztián
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfonteinmasabamasaba
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
SHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions PresentationSHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions PresentationShrmpro
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrandmasabamasaba
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareJim McKeeth
 
Generic or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisionsGeneric or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisionsBert Jan Schrijver
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Nitya salvi
 

Recently uploaded (20)

%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
SHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions PresentationSHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions Presentation
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
Generic or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisionsGeneric or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisions
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 

Citrix adc technical overview

  • 3. © 2017 Citrix | Confidential Agenda • Introduction • HA and Clustering • SDX • Admin Partitions • Traffic Management • SSL • Networking • Optimization • Action Analytics
  • 4. © 2019 Citrix | Confidential What is Citrix ADC: Citrix ADC has been powering Enterprise and Ecommerce applications since 2002. Load Balancing • Acceleration • Security • SSL • Optimization • Availability • Performance (diagram quadrants: Performance, Offload, Security, Availability)
  • 5. © 2019 Citrix | Confidential The Details
    – Platforms: SDX, MPX, VPX, CPX, BLX; Pay-As-You-Grow
    – Editions: Standard, Advanced, Premium
    – Deployment diagram: Citrix ADC fronting IaaS, SaaS and gateway VIPs and handling FTP, SQL, HTTP, HTTPS, DNS, TCP and UDP traffic
    – Optimization: SSL Offload, TCP Offload, TCP Buffering, Surge Protection, Compression, Caching, Web Logging, HTTP 2.0, Client Keep-Alive, SACK/Nagle, TCP Westwood+
    – Security: SSL Offload, L4-7 ACL, Network ACLs, DoS Protections, Rewrite + Responder, Rate Limiting, SSL VPN, AAA for App Traffic, Application Firewall, Citrix Gateway
    – Availability: Load Balancing (SLB), N+1 Clustering, L4-7 Request Switching, Advanced Health Checks, Content Switching, Cache Redirection, Global Load Balancing (GSLB), Dynamic Routing / PBR, HTTP Callout, Citrix ADC DataStream
    – Management & Visibility: CLI/GUI, Nitro REST API, PowerShell, MS SCVMM/MS SCOM, AppFlow, Syslog, SNMP, AppExpert Policies, Citrix ADC DataStream
  • 6. © 2019 Citrix | Confidential Scale Up / Scale Out • Elasticity with Pay-As-You-Grow (“Grow capacity up to 5x. No new hardware.”) • Simplicity with Many-in-One (“80:1 footprint reduction. No compromises.”) • Expandability with Add-and-Go Clustering (“Better HA than HA. Scalability to Tbps.”)
  • 7. © 2015 Citrix | Confidential High Availability & Clustering
  • 8. © 2019 Citrix | Confidential Clustering for High Availability “Need to upgrade a server or Citrix ADC?” …with no downtime?
  • 9. © 2019 Citrix | Confidential Traditional HA: an Active/Passive pair of Citrix ADCs (diagram: Primary and Secondary Citrix ADC between the External Network and the Internal Network)
  • 10. © 2019 Citrix | Confidential Citrix ADC High Availability (HA) Essentials
    – HA is only Active/Standby. The Citrix ADC GUI and CLI refer to this as Primary/Secondary.
    – Citrix ADC supports 2 modes: Configuration Synchronization (configs are synced at device start and prior to a state change) and Command Propagation (commands are synchronized at time of execution from the Primary to the Secondary unit).
    – Communication: HA communication is on UDP port 3003, and 5 UDP packets are sent every second.
    – Communication ONLY happens between the NSIPs of both Citrix ADCs.
    – Both Citrix ADCs must be of the same build (both Major and Minor) for Synchronization and Propagation.
    – HA communication is on all Enabled Interfaces. Turn -hamon OFF on all unused interfaces.
  • 11. © 2019 Citrix | Confidential Citrix ADC HA Tips and Tricks
    – HA Selection Criteria: if the state is the same, the lower IP address is selected as Primary; if the state is different (i.e. UP vs Not UP), the UP node becomes Primary. Best Practice: add the secondary node as Not Up (i.e. have unconnected interfaces Enabled with HAMON ON).
    – Layer 2 on a Failover: in the event of a failover the new Primary sends a Gratuitous ARP. Virtual MACs can be configured on the Citrix ADC. Best Practice: use Virtual MACs (VMACs), a floating MAC shared between both devices.
    – Other Useful Information: a command can be used to force a preemption, or to mark a unit primary or secondary. Additionally, a failover or synchronization can be forced with a command from a Citrix ADC.
  • 12. © 2019 Citrix | Confidential Why Clustering? • Efficient utilization • Elegant solution to scale up traffic • Dynamic capacity • Ease of management and configuration • Satisfies the same requirements as HA: configuration replication, fault tolerance (diagram: ACTIVE/PASSIVE pair vs. 32x ACTIVE cluster nodes)
  • 13. © 2019 Citrix | Confidential Citrix ADC Cluster Facts • A cluster of Citrix ADC nodes can be formed with 2 to 32 nodes • Single system image for the end user • Built on the Citrix ADC nCore architecture • No chassis or new hardware required • Dynamic changes permitted. Benefits: linear scalability, higher throughput, configuration scalability, built-in fault tolerance, Active-Active support, Active-Standby support
  • 14. © 2019 Citrix | Confidential Clustering Scale: Performance + Redundancy • Any form factor: cluster VPX (virtual appliance), MPX (hardware appliance) or SDX (multi-tenant appliance) • True clustering: data and management plane • Scale for speed • Scale for redundancy
  • 15. © 2019 Citrix | Confidential Cluster logical topology
  • 16. © 2019 Citrix | Confidential CCO: Configuration Coordinator • The CCO syncs configuration, propagates commands and syncs files • The Cluster IP is owned by the CCO and is used for management
  • 17. 17 © 2017 Citrix | Confidential Clustering Deployment Types
  • 18. © 2019 Citrix | Confidential ECMP (diagram): VIP/32 via Node0, VIP/32 via Node1, VIP/32 via Node2, VIP/32 via Node3; node roles shown: flow receiver and flow processor
  • 19. © 2019 Citrix | Confidential CLAG • ARP request: CIP:CMAC -> VIP:broadcast • ARP reply: VIP:CLAGMAC -> CIP:CMAC • CLAG MAC: 02-00-6f-<cluster ID>-00-00
  • 20. © 2019 Citrix | Confidential CLAG cont.
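A practical check that follows from the CLAG slide: when a cluster answers ARP for a VIP with its CLAG MAC, the VIP shows up in neighbouring hosts' ARP tables with a MAC of the form 02-00-6f-<cluster ID>-00-00, so an operator can tell cluster VIPs from ordinary hosts (and read off the cluster ID) without logging into the appliance. The code below is an added example, not Citrix code or the appliance's logic; it assumes the cluster ID occupies the fourth octet as a single byte and that valid cluster IDs are 1 to 16 (a range taken from general Citrix ADC documentation, not from this slide). The ARP table it parses is a constructed sample in the shape of Linux `arp -n` output.

```python
import re
from typing import Dict, List, Optional, Tuple

# From the slide: CLAG MAC is 02-00-6f-<cluster ID>-00-00.
CLAG_PREFIX = (0x02, 0x00, 0x6F)
# Assumption (not on the slide): a Citrix ADC cluster ID is an integer 1..16.
MIN_CLUSTER_ID, MAX_CLUSTER_ID = 1, 16


def parse_mac(text: str) -> Tuple[int, ...]:
    """Accept 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' in any case; return six octets."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    octets = tuple(int(p, 16) for p in parts)
    if any(o > 0xFF for o in octets):
        raise ValueError(f"octet out of range in {text!r}")
    return octets


def clag_mac(cluster_id: int) -> str:
    """Build the MAC the cluster uses in ARP replies for its VIPs."""
    if not MIN_CLUSTER_ID <= cluster_id <= MAX_CLUSTER_ID:
        raise ValueError("cluster ID out of range")
    return "02:00:6f:%02x:00:00" % cluster_id


def clag_cluster_id(mac: str) -> Optional[int]:
    """Return the cluster ID if `mac` is a CLAG MAC, otherwise None."""
    o = parse_mac(mac)
    if o[:3] == CLAG_PREFIX and o[4:] == (0, 0) and MIN_CLUSTER_ID <= o[3] <= MAX_CLUSTER_ID:
        return o[3]
    return None


def is_locally_administered_unicast(mac: str) -> bool:
    """A first octet of 0x02 sets the locally-administered bit and clears the multicast
    bit, so a CLAG MAC cannot collide with any vendor-assigned (OUI) address."""
    first = parse_mac(mac)[0]
    return bool(first & 0x02) and not first & 0x01


# Constructed sample in the shape of `arp -n` output; not a real capture.
SAMPLE_ARP_TABLE = """\
Address        HWtype  HWaddress           Flags Mask   Iface
10.10.0.100    ether   02:00:6f:01:00:00   C            eth0
10.10.0.101    ether   02:00:6f:01:00:00   C            eth0
10.10.0.1      ether   00:50:56:9a:11:22   C            eth0
10.10.0.7      ether   02:00:6f:03:00:00   C            eth0
"""


def classify_arp_table(text: str) -> Dict[str, Tuple[str, object]]:
    """Map each IP to ('clag', cluster_id) or ('host', mac)."""
    result: Dict[str, Tuple[str, object]] = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 3 or fields[1] != "ether":
            continue
        ip, mac = fields[0], fields[2]
        cid = clag_cluster_id(mac)
        result[ip] = ("clag", cid) if cid is not None else ("host", mac.lower())
    return result


def vips_by_cluster(text: str) -> Dict[int, List[str]]:
    """Group the addresses answered by each cluster's CLAG MAC: a quick inventory of
    which IPs are cluster VIPs rather than individual hosts."""
    groups: Dict[int, List[str]] = {}
    for ip, (kind, value) in classify_arp_table(text).items():
        if kind == "clag":
            groups.setdefault(int(value), []).append(ip)
    return groups


if __name__ == "__main__":
    for cid, vips in vips_by_cluster(SAMPLE_ARP_TABLE).items():
        print(f"cluster {cid} ({clag_mac(cid)}): {', '.join(vips)}")
```

Entries that resolve a VIP to a non-CLAG MAC are not necessarily wrong: in the Link Set and ECMP designs on the following slides the ARP reply carries the owning node's own MAC (ARP_OWNER_MAC), which this check simply reports as a host entry.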
  • 21. © 2019 Citrix | Confidential Link Set • ARP request: CIP:CMAC -> VIP:broadcast • ARP reply: VIP:ARP_OWNER_MAC -> CIP:CMAC
  • 22. © 2019 Citrix | Confidential Distribution Mechanisms Comparisons
    – ECMP: Upstream device connectivity: all nodes must be connected; can be used in combination with Link Sets. Upstream device configuration: YES. Pros: best traffic distribution. Cons: routes are limited to the maximum number supported by the router.
    – Link Sets: Upstream device connectivity: does not require all nodes to be connected. Upstream device configuration: NO. Pros: transparent to the upstream device. Cons: potential bottleneck, since each VIP is initially handled by only one node.
    – CLAG: Upstream device connectivity: all nodes must be connected; can be used in combination with Link Sets. Upstream device configuration: YES. Pros: better traffic distribution. Cons: the number of switch ports used can be a limitation.
  • 23. © 2019 Citrix | Confidential Upgrading the Cluster • How is that possible? Upgrade one node at a time. • Wouldn’t that take down the cluster? No: different versions can join the cluster; as a node reboots its sessions are redistributed; command propagation is disabled. • Is this documented? Yes: http://bit.ly/1QBqbp0
  • 24. © 2019 Citrix | Confidential Clustering: Graceful Handling – Node Leave & Join
    – Graceful Handling: remove a node without affecting the existing connections; take a node out of the cluster for operational purposes; add a new node to the cluster without impacting existing connections.
    – Forwarding Session process-local support. Configuration: add/set forwardingSession <name> [-processLocal ( ENABLED | DISABLED )]. Traffic hitting a process-local forwarding session will *NOT* be steered; the deployment guarantees that return traffic lands on the same node.
    – IPv6 Ready Logo
    – VRRP6
  • 25. © 2019 Citrix | Confidential SDX
  • 26. © 2019 Citrix | Confidential Citrix ADC SDX • Multi-tenant Citrix ADC – Up to 115 instances – Version independent – Zero performance loss • Customer Value – Network consolidation – Hardware sensibilities; virtualization benefits – Support for 3rd party components
  • 27. © 2019 Citrix | Confidential PCI DSS validation “When properly deployed… Citrix ADC SDX will meet the following PCI DSS version 2.0 requirements, including deployments with in-scope and out-of-scope VPX instances running on the same SDX appliance.”
  • 28. © 2019 Citrix | Confidential Citrix ADC SDX • Complete appliance instance per tenant – Complete CPU, memory, and SSL isolation – Independent entity spaces – Independent versioning – Independent maintenance schedule • Complete Network Isolation • No performance degradation
  • 29. © 2019 Citrix | Confidential SDX Device-level Resource Pools • Define SDX device resource pools – Set CPU, SSL, Memory, Network – Create pool administrators • Pool administrators – Only have access to their pools – Can create/delete instances as they see fit – Can allocate pool resources as they see fit – Have visibility only into their pools
  • 30. © 2019 Citrix | Confidential Details
    – Full ADC Functionality: Citrix ADC SDX supports 100 percent of the ADC functionality available with both hardware-based Citrix ADC MPX appliances and software-based Citrix ADC VPX virtual appliances. This enables Citrix ADC SDX to consolidate all existing ADC deployments without any policy constraints.
    – Complete ADC Isolation: All critical system resources, including memory, CPU and SSL processing capacity, are assigned to individual Citrix ADC instances. This ensures that resource demands made by one tenant do not negatively impact the performance of other tenants running on the same physical system. It also provides greater security for each ADC instance by fully separating traffic flows. Each Citrix ADC instance on SDX is isolated by virtualization technologies: Citrix Hypervisor isolates CPU, memory and so on; for hardware acceleration of both networking and crypto, SR-IOV provides similar isolation in hardware. Cavium N3 devices don’t have a standard mailbox for VF-PF communication but use a Cavium proprietary mailbox method that implements a randomly generated 15-bit signature unique per VF, making VF-PF communication highly secure.
    – Pay-As-You-Grow: The Pay-As-You-Grow option delivers on-demand elasticity, enabling organizations to easily scale ADC capacity to keep pace with application traffic growth. And because it leverages a software-based architecture, Citrix ADC SDX can scale performance and capacity with a simple software key, eliminating expensive hardware purchases and upgrades.
  • 31. © 2019 Citrix | Confidential Simplified Image Upgrade
  • 32. © 2019 Citrix | Confidential User Experience - Initial Configuration
  • 33. © 2019 Citrix | Confidential User Experience - New Dashboard
  • 34. © 2019 Citrix | Confidential User Experience - Provision Citrix ADC
  • 35. © 2019 Citrix | Confidential Comparative summary of Citrix ADC Solutions
    – Citrix ADC MPX: Form Factor: hardened network appliance. ADC Density: 1. Performance: up to 200 Gbps. Full ADC Functionality: ✔. Pay-As-You-Grow: ✔.
    – Citrix ADC VPX: Form Factor: software-based virtual appliance. ADC Density: 1. Performance: up to 100 Gbps. Full ADC Functionality: ✔. Pay-As-You-Grow: ✔.
    – Citrix ADC SDX: Form Factor: hardened network appliance. ADC Density: up to 115. Performance: up to 200 Gbps. Full ADC Functionality: ✔. Pay-As-You-Grow: ✔.
  • 36. © 2019 Citrix | Confidential VPX Scaling • Motivation – Enable HW RSS for Fortville interfaces – Enable users to provision VPX using maximum resources from SDX • Solution – SVM allows VPX with 16 and 10 cores on 25xxx 40G and 14xxx 40G appliances – SVM enables VPX to use cores from both the sockets
  • 37. © 2019 Citrix | Confidential Admin Partitions
  • 38. © 2019 Citrix | Confidential Key Use Cases
    – Enterprise: IP overlapping; Virtual Routing; Entity space separation; 1 admin – multiple Partitions; Inter-partition access; Authentication
    – Service Provider: GUI/CLI/API/Mon separation; Config/SNMP/Logs separation; Conn/Tput/Mem separation; Entity space separation; RBAC within Partition; IP overlapping
    – Cloud: most of the above; API-driven definition; Integration with the Orchestration layer
  • 39. © 2019 Citrix | Confidential Citrix ADC Without Partition
  • 40. © 2019 Citrix | Confidential Citrix ADC With Partition App No 512
  • 41. © 2019 Citrix | Confidential
  • 42. © 2019 Citrix | Confidential Complete Separation: User Plane, Data Plane, Network Plane. Per admin partition (AdminPart), ns.conf, audit logs, SNMP, debugging and the file system are separated.
  • 43. © 2019 Citrix | Confidential Traffic Management
  • 44. © 2019 Citrix | Confidential Citrix ADC – Meets traditional ADC needs • High availability • Geographical failover for disaster recovery • Secure remote access • Increased performance and efficiency through server offload, caching and compression
  • 45. © 2019 Citrix | Confidential Load balancing and GSLB with Citrix ADC • Load Balancing – Smooths out demand across all available servers – Health monitoring of local resources – Provides high availability if a server fails – Sessions seamlessly transferred to an alternative server • Global Server Load Balancing – Allows for disaster recovery: provides HA between sites – Load balancing across geo locations – Optimizes performance across locations, sending users to the best-performing source
  • 46. © 2019 Citrix | Confidential Balancing and Switching • Provides the intelligence to always direct each request to the right server resource • Continuously monitors the health of application and web servers • Layer 7 load balancing: present different content to different users, based on IP range, geographical area, language, or device used (diagram: Citrix ADC “Airgap” Citrix ADC)
  • 47. © 2019 Citrix | Confidential Load Balancing (TCP and UDP client requests)
    – Maintaining User Sessions: Source IP; Cookie; SSL Session ID; Server-ID in URL Query; Custom Server-ID; Token (header or body)
    – Distributing Traffic: Least Connections; Lowest Response Time; SNMP-based; IBM SASP; Hash-based; many more…
    – Monitoring Server Health and Availability: TCP Connection; HTTPS Connection; Extended Content Verification; Scriptable Health Checks
  • 48. © 2019 Citrix | Confidential L7 Content Switching: switch HTTP requests on client attributes, request protocol, request method or request content • Anything in the request body • Device type • Language • Cookie • Browser capability • XML XPath support • Any TCP request • HTTP Get • HTTP Post • Any TCP payload value • Any HTTP payload value • Domain • Wildcard URL
  • 49. © 2019 Citrix | Confidential Global Server Load Balancing • Operates under the same general principles as Load Balancing • Load balances traffic between multiple data centers • Evaluates server health to distribute traffic • Works via DNS. Use Case: maintain business continuity during site-level disasters
  • 50. © 2019 Citrix | Confidential Global Server Load Balancing (diagram: Site A and Site B serving B2B, B2C, P2P and remote users over public or private networks)
  • 51. © 2019 Citrix | Confidential Content Switching Virtual Server Support for GSLB – Introduction • Current GSLB deployment limitations: – Cannot limit the number of GSLB services for selection – Limited support for selecting a service on the basis of traffic – Separate GSLB backup vserver for a subset of GSLB services • Feature support: – Limiting the number of services on the basis of CS policy/traffic type – Can define a separate backup vserver for every GSLB vserver
  • 52. © 2019 Citrix | Confidential Citrix ADC and SQL • Citrix ADC allows better scalability – Scale-out rather than Scale-up • Lower costs by using more, smaller servers • Improved availability of data • Intelligent load balancing and content switching – Citrix ADC can parse SQL • Reduced CPU usage = lower license costs • Citrix ADC reduces CPU usage of SQL Servers • Caching means fewer requests need to go to the SQL Servers • Citrix ADC handles the encryption, taking load off the servers • Improved user experience from reduced data retrieval latency
  • 53. © 2019 Citrix | Confidential DataStream (diagram: app servers connecting through Citrix ADC to a pool of SQL Servers) 1. SQL-intelligent load balancing 2. Offloads database connections 3. Up to 20x increase in performance 4. HA and Disaster Recovery 5. MS SQL Server and MySQL support. Citrix Exclusive: competition offers no policy controls, no performance improvements.
  • 54. © 2019 Citrix | Confidential Delivering Microsoft Applications • Business-critical applications • Availability is enhanced through load balancing • Improved security • Secure access required over SSL – often internally as well • Application firewall protection • Simple deployment via templates, including Hyper-V • Small deployments benefit from VPX • Mobile access to email via native apps • Reduced load on servers – do more with existing servers
  • 55. © 2019 Citrix | Confidential Why Citrix ADC for Exchange 2013? Availability, Performance, User Experience, Security
  • 56. © 2019 Citrix | Confidential Reduced Load on Servers – supports greater user capacity and more apps with minimal investment (diagram: employees, partners and customers connecting over SSL) • SSL Offload • TCP Multiplexing and Buffering • Static and Dynamic Caching • HTTP Compression
  • 57. © 2019 Citrix | Confidential L7 SLB Extensions • Protocol Extensions – the feature that provides custom protocol support on Citrix ADC using extensions. • Extensions on Citrix ADC refers to the high-level scripting infrastructure available on Citrix ADC. • Support for TCP-based protocols • To add a custom protocol to Citrix ADC, users write extension code that implements the applicable behaviors. Sample code / API commands: ns.send(), ns.pipe(), ns.tcp.stream()
  • 58. © 2019 Citrix | Confidential Citrix ADC w/ MQTT
  • 59. © 2019 Citrix | Confidential Features in Citrix ADC / Deployment Models • Message-based load balancing – Parse the first MQTT CONNECT packet/message and load balance based on the Client ID – Token-based LB – Session persistence – User-defined session persistence • SSL – Acceleration/offloading – Back-end re-encryption or end-to-end encryption – Client authentication, certificate status check (revocation lists, OCSP)
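The message-based load balancing described above, as an added illustration that is not Citrix ADC code: parse the first MQTT 3.1.1 CONNECT packet of a session, pull out the Client Identifier, and pick a broker from it deterministically so the same client lands on the same broker on every reconnect. The packet bytes and broker names are constructed for the example.

```python
import hashlib
import struct
from typing import List, Optional


def decode_remaining_length(data: bytes, offset: int):
    """Decode the MQTT 'Remaining Length' varint (MQTT 3.1.1, section 2.2.3).
    Returns (value, offset_after_field)."""
    multiplier, value = 1, 0
    for _ in range(4):                       # at most four bytes by specification
        byte = data[offset]
        offset += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset
        multiplier *= 128
    raise ValueError("malformed Remaining Length")


def read_field(data: bytes, offset: int):
    """Read a 2-byte big-endian length-prefixed field; returns (bytes, next_offset)."""
    (length,) = struct.unpack_from("!H", data, offset)
    start = offset + 2
    return data[start:start + length], start + length


def parse_connect(packet: bytes) -> dict:
    """Extract the fields a load-balancing decision needs from an MQTT 3.1.1 CONNECT."""
    if packet[0] >> 4 != 1:                  # control packet type 1 = CONNECT
        raise ValueError("first packet is not CONNECT; no client id to balance on")
    remaining, off = decode_remaining_length(packet, 1)
    if len(packet) - off < remaining:
        raise ValueError("truncated CONNECT packet; wait for more bytes")
    proto_name, off = read_field(packet, off)
    if proto_name != b"MQTT":
        raise ValueError(f"unexpected protocol name {proto_name!r}")
    level, flags = packet[off], packet[off + 1]
    (keepalive,) = struct.unpack_from("!H", packet, off + 2)
    off += 4
    client_id, off = read_field(packet, off)
    if flags & 0x04:                         # Will flag: skip Will Topic and Will Message
        _, off = read_field(packet, off)
        _, off = read_field(packet, off)
    username = None
    if flags & 0x80:                         # User Name flag
        raw, off = read_field(packet, off)
        username = raw.decode("utf-8")
    return {"client_id": client_id.decode("utf-8"), "clean_session": bool(flags & 0x02),
            "keepalive": keepalive, "protocol_level": level, "username": username}


def choose_backend(client_id: str, backends: List[str]) -> str:
    """Token-based selection: hashing the client id gives the same broker on every
    reconnect, which is what provides session persistence without any cookie."""
    digest = hashlib.sha256(client_id.encode("utf-8")).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]


def build_connect(client_id: str, keepalive: int = 60, username: Optional[str] = None) -> bytes:
    """Build a minimal CONNECT packet (constructed test input, Clean Session set)."""
    flags = 0x02
    cid = client_id.encode("utf-8")
    payload = struct.pack("!H", len(cid)) + cid
    if username is not None:
        flags |= 0x80
        user = username.encode("utf-8")
        payload += struct.pack("!H", len(user)) + user
    body = struct.pack("!H", 4) + b"MQTT" + bytes([4, flags]) + struct.pack("!H", keepalive) + payload
    encoded, n = b"", len(body)
    while True:                              # Remaining Length varint encoding
        digit, n = n % 128, n // 128
        encoded += bytes([digit | 0x80 if n else digit])
        if not n:
            return bytes([0x10]) + encoded + body
```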
  • 60. © 2019 Citrix | Confidential MQTT Example Topology
  • 61. © 2019 Citrix | Confidential SSL
  • 62. © 2019 Citrix | Confidential Auto Detection of CertKey Encoding • Citrix ADC can now auto-detect the encoding type and load the certificate and key. – No need to figure out and give the -inform option. • Supported formats: PEM, DER, PFX/PKCS#12 • For PFX, with the -bundle option of the add certkey command: – Citrix ADC parses the PFX file – Loads the server cert and server key – Loads all the intermediate CA certs present in the PFX file – Links the certificates.
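How such auto-detection can be done from the bytes alone, as an added example that is not Citrix ADC code: PEM is textual, while DER objects all start with an outer ASN.1 SEQUENCE, so the first child distinguishes a PKCS#12 container (INTEGER version 3) from a PKCS#1/PKCS#8 key (INTEGER version 0) and an X.509 certificate (SEQUENCE tbsCertificate). The sample blobs are constructed minimal ASN.1 structures, not real certificates.

```python
def _read_tlv(data: bytes, offset: int):
    """Read one DER tag-length header. Returns (tag, value_start, value_len)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, offset, length


def detect_certkey_format(blob: bytes) -> str:
    """Return 'PEM', 'DER-CERT', 'DER-KEY', 'PFX' or 'UNKNOWN'.

    PKCS#12 (RFC 7292):        SEQUENCE { INTEGER version(3), ... }
    PKCS#1 / PKCS#8 key:       SEQUENCE { INTEGER version(0), ... }
    X.509 certificate:         SEQUENCE { SEQUENCE tbsCertificate, ... }
    """
    if blob.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if len(blob) < 4 or blob[0] != 0x30:
        return "UNKNOWN"
    try:
        _, inner, outer_len = _read_tlv(blob, 0)
        if outer_len != len(blob) - inner:
            return "UNKNOWN"                   # outer length does not cover the blob
        tag, val_start, val_len = _read_tlv(blob, inner)
    except (IndexError, ValueError):
        return "UNKNOWN"
    if tag == 0x30:
        return "DER-CERT"
    if tag == 0x02 and val_len == 1:
        version = blob[val_start]
        if version == 3:
            return "PFX"
        if version == 0:
            return "DER-KEY"
    return "UNKNOWN"


def _der_seq(*children: bytes) -> bytes:
    """Wrap children in a DER SEQUENCE, using long-form length when needed."""
    body = b"".join(children)
    n = len(body)
    if n < 0x80:
        return b"\x30" + bytes([n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(lb)]) + lb + body


# Constructed samples: structure only, no real cryptographic content.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
SAMPLE_PFX = _der_seq(b"\x02\x01\x03", _der_seq(b"\x04\x00"))              # version 3
SAMPLE_DER_CERT = _der_seq(_der_seq(b"\x02\x01\x02") * 60, _der_seq())      # tbsCertificate first
SAMPLE_DER_KEY = _der_seq(b"\x02\x01\x00", b"\x02\x01\x11")                # version 0
```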
  • 63. © 2019 Citrix | Confidential SSL Signature Extension • SSL handshake reset by server when a SHA-384/512 server or intermediate cert is used on Microsoft IIS servers • Earlier added signature extensions (11.0 65.31): – RSA-MD5 – RSA-SHA1 – RSA-SHA256
  • 64. © 2019 Citrix | Confidential SSL OCSP Stapling – Use Case: Certificate Revocation Status Check (flow: the client connects to the secure SSL VIP; Citrix ADC checks the revocation status of the server certificate with the OCSP responder server; Citrix ADC staples the OCSP response along with the certificate) • Improves overall TLS handshake performance by offloading clients from finding the certificate revocation status.
  • 65. © 2019 Citrix | Confidential Session Tickets – Use Case • Improve TLS session resumption by offloading servers from storing session details in their memory • With TLS session tickets, clients store the session details. In the Client Hello they send the session ticket, which is used for session resumption. (flow: client random + TLS session ticket; client and Citrix ADC have the same session key and thus the encrypted session can begin after a shortened SSL handshake) Configured under System > Profiles > SSL Profile > ns_default_ssl_profile_frontend
  • 66. © 2019 Citrix | Confidential Cipher support matrix • Missing ciphers are prioritized for H2 '17. (matrix: rows TLS 1.1/1.2 frontend and backend, ECDHE frontend and backend, GCM/SHA2 frontend and backend, ECDSA frontend and backend; columns Near Future, MPX/SDX, VPX, FIPS 9700 series, FIPS 14000 series; legend: Supported, In 12.0) For complete details, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/cipher_protocl_support_matrix.html
  • 67. © 2019 Citrix | Confidential DEFAULT Cipher Alias Re-ordering (Front-end) • Give preference to AES/AES-GCM/ECDHE ciphers. • De-prioritize RC4 ciphers. • No ciphers dropped.
  New cipher order (28 ciphers; first eight shown): TLS1-AES-256-CBC-SHA (0x0035), TLS1-AES-128-CBC-SHA (0x002f), TLS1.2-AES-256-SHA256 (0x003d), TLS1.2-AES-128-SHA256 (0x003c), TLS1.2-AES256-GCM-SHA384 (0x009d), TLS1.2-AES128-GCM-SHA256 (0x009c), TLS1-ECDHE-RSA-AES256-SHA (0xc014), TLS1-ECDHE-RSA-AES128-SHA (0xc013), …
  Old cipher order (28 ciphers; first eight shown): SSL3-RC4-MD5 (0x0004), SSL3-RC4-SHA (0x0005), SSL3-DES-CBC3-SHA (0x000a), TLS1-AES-256-CBC-SHA (0x0035), TLS1-AES-128-CBC-SHA (0x002f), SSL3-EDH-DSS-DES-CBC3-SHA (0x0013), TLS1-DHE-DSS-RC4-SHA (0x0066), TLS1-DHE-DSS-AES-256-CBC-SHA (0x0038), …
  • 68. © 2019 Citrix | Confidential Cipher Re-ordering (Back-end) • Give preference to AES/AES-GCM/ECDHE ciphers. • RC4-SHA still on top: – Internal network. – Legacy servers. • No ciphers dropped.
  New cipher order (55 ciphers; first eight shown): TLS_RSA_WITH_RC4_128_SHA (0x0005), TLS_RSA_WITH_AES_128_CBC_SHA (0x002f), TLS_RSA_WITH_AES_256_CBC_SHA (0x0035), TLS_RSA_WITH_RC4_128_MD5 (0x0004), TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a), TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066), TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039), TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033), …
  Old cipher order (55 ciphers; first eight shown): TLS_RSA_WITH_RC4_128_MD5 (0x0004), TLS_RSA_WITH_RC4_128_SHA (0x0005), TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003), TLS_RSA_WITH_DES_CBC_SHA (0x0009), TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a), TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008), TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064), TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 (0x0060), …
  • 69. © 2019 Citrix | Confidential SSL Manageability Improvement • Default SSL profile – Convenient adding/removing/reordering of ciphers and cipher groups – Better control over SSL parameters • SSL certificate management improvement – Minimum steps; maximum use-case coverage – Least possibility of error • Reporting and debugging improvements – SSL N3 chip utilization reporting on MPX appliances – TLS 1.1/1.2 session and connection reporting – Client authentication counter at VIP level
  • 70. © 2019 Citrix | Confidential SSL Profile • Profile – a container object that represents a combination of several SSL attribute objects. • All settings of an SSL vserver and the global SSL parameters (*) are available on a profile. • Changes to a profile are directly reflected on all vservers it is bound to. • New changes: – Global and per-vserver SSL profile – Global default profile, enabled via the set ssl parameter command – A newly created SSL vserver inherits the default profile – Only one profile can be bound to a vserver.
  • 71. © 2019 Citrix | Confidential ECDHE Rocks – Elliptic Curve Cipher, DH Key Exchange, Perfect Forward Secrecy • Uses smaller keys • Requires less CPU and memory • ECC is faster • ECC is more secure • Best key exchange mechanism • No exchange of the pre-master secret • Future protection of data • ECC compensates for the cost of PFS in ECDHE
  • 72. © 2019 Citrix | Confidential SNI – Host multiple domains on a single IP • Server Name Indication allows multiple applications to run on one IP address and port • Bind multiple certificates to one server, one for each application • Enables a server to host a group of domain names • The client indicates which hostname it wants to connect to in the Client Hello • Most browsers support SNI; it's time for servers now (flow: Client Hello requesting site1.com; Server Hello with the Site1 certificate, chosen from the bound site1, site2 and site3 certs)
  • 73. © 2019 Citrix | Confidential SAN – One certificate, multiple domains • Subject Alternative Names allow various values for fields within a certificate • More powerful than wildcard certificates • Great when protecting alternate domains with the same website, e.g. site1.com and site1.org • Improves certificate management across multiple servers
  • 74. © 2019 Citrix | Confidential Citrix ADC FIPS Solutions MPX SDX MPX/SDX 14000 FIPS
  • 75. © 2019 Citrix | Confidential Thales nShield – FIPS 140-2 Level 3 (works with SDX, VPX and MPX) • Network-attached hardware security module (HSM) • FIPS 140-2 Level 3 and Common Criteria EAL 4+ certified • Protects and manages private keys • Identity-based authentication mechanisms • Strong separation of duties • Tamper response mechanisms – mechanisms that wipe out keys and "critical security parameters" if the cover is opened or if physical probing is detected
  • 76. © 2019 Citrix | Confidential HSTS (HTTP Strict Transport Security) • HSTS can now be enabled in both SSL profiles and in vservers – HSTS is how web servers inform clients to always use SSL – Uses the HTTP response header field "Strict-Transport-Security" (https://tools.ietf.org/html/rfc6797) (flow: without HSTS, every visit goes HTTP GET / → redirect to https:// → HTTPS GET /; with HSTS, only the first visit is redirected and later visits go straight to HTTPS GET /)
  • 77. © 2019 Citrix | Confidential Qualys SSL Labs Report: Citrix ADC MPX/SDX/VPX http://blogs.citrix.com/2015/05/22/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-the-sequel/
  • 78. © 2019 Citrix | Confidential How to get that "Awesomeness" • Disable SSL 3.0 • TLS 1.2 must be enabled • RC4 ciphers must be removed • Implement Strict Transport Security • Both the server certificate and the intermediate certificates should be SHA2-signed • Cipher list to prefer ECDHE • Servers should support TLS_FALLBACK_SCSV http://blogs.citrix.com/?p=174211630
  • 79. © 2019 Citrix | Confidential SSL ECC Optimization
  – On MPX – observed 2x to 9x improvements** for ECDHE-RSA2K • Depending on the MPX platform configuration (number of cores and number of Cavium cards) • Refer to official specs for ECDHE numbers on the various platforms
  – On VPX – 2x-6x improvements** over current ECDHE-RSA2K numbers
  – Available in Oban (12.0); also released in 11.1-MR/Q4 2016
  – * Refer to official specs for per-core numbers
  – On MPX/SDX platforms* (ECDHE-RSA2K) • Hybrid ECDH approach (CPU + card processing) • Offload ECC operations* to software/CPU (up to the configured CPU quota) • Additional ECC operations* done on the card • RSA operations done on the card • Hybrid ECC feature – DISABLED by default • ENABLE by configuring the "Software Crypto acceleration CPU Threshold" SSL parameter, e.g. set ssl parameter -softwareCryptoThreshold 90
  – On VPX platforms (ECDHE-RSA2K) • 64-bit optimized ECC in 32-bit PE (via far-call) and 64-bit PE (native)
  SSL TPS (VPX), ECDHE-RSA2K (256 curve): 1 PE on 12.0/Oban: 1100* (* with AVX2 support on Citrix Hypervisor 7.0); 1 PE on 11.0: 180
  • 80. © 2019 Citrix | Confidential SSL RSA Optimization for Citrix ADC VPX
  – More optimizations on VPX platforms for RSA
  – Integrated substantial improvements (algorithmic and processor-specific optimizations) for RSA operations from the latest OpenSSL (contributed by Intel)
  – Observed 2x-3.5x improvements in RSA per-core TPS numbers compared to 11.x numbers
  – Refer to official specs for per-core numbers
  – For RSA-2K, more optimization is available on processors supporting the AVX2 instruction set (Haswell onwards)
  – NSPPE determines at run time whether AVX2 is supported by the underlying processor/hardware
  – Requires underlying hypervisor support to determine AVX2 support – Citrix Hypervisor 7.0 and VMware vSphere 6.5
  SSL TPS, RSA-2K: 1 PE on 12.0/Oban: 1300* (* with AVX2 support on Citrix Hypervisor 7.0); 1 PE on 11.0: 370* (* base 64-bit farcall optimization only)
  • 81. © 2019 Citrix | Confidential Networking
  • 82. © 2019 Citrix | Confidential Highlights • Full proxy IPv6-IPv4 server load balancing • Full-featured WAF for IPv6 • Static and dynamic routing support • Best IPv6/IPv4 performance ratio • Feature parity with IPv4 • NAT64, NAT46, DNS64 • ACL, RNAT, INAT • No additional license fee for IPv6 • IPv6 management
  • 83. © 2019 Citrix | Confidential Citrix Confidential – For NDA IPv6 Features Summary
  Networking: • Routing – dynamic (OSPF, RIP, BGP) and static • Neighbor Discovery – address resolution, DAD, neighbor unreachability, router discovery • Path MTU discovery • VLANs – port based, prefix based • VMACs • DNS
  Security: • ACLs • RNAT • PBR • Application Firewall • DDoS protection • HDOSP • Surge protection • Sure Connect • Priority queuing
  Load Balancing / Performance: • Mixed-mode deployments – IPv4 and IPv6 coexistence • Layer 4/7 load balancing • SSL offload • IPv6 monitors • DSR and USIP • LLB
  Migration: • Dual-stack support • IPv4-IPv6 and IPv6-IPv4 NAT • Prefix-based translation • Host header modification
  Management: • IPv6 addresses for NSIPs (SNIPs, VIPs) • IPv6 protocols (TCP6, UDP6, ICMP6) • Ping6, Telnet6, SSH6 • SNMP and CVPN for IPv6 • HA
  Application Layer Support: • Integrated caching • Compression • Rewrite • Responder • Rate limiting • AAA-TM
  • 84. © 2019 Citrix | Confidential • Clients Migration – Mix of IPv4 and IPv6 clients – IPv6 clients access IPv4 servers • Slow Server Migration – Mix of IPv4 and IPv6 servers – IPv4 clients access IPv6 servers • Test IPv6 Ready Applications without upgrading the entire infrastructure to IPv6 Use Cases
  • 85. © 2019 Citrix | Confidential • Make your IPv4 web applications available to external IPv6 users • No changes to existing server infrastructure • Performance, Availability, Reliability and Security of application preserved SLB64 – Internet Edge IPv6 Internet IPv4 Internet IPv4 Network IPv6 VIPs exposed to IPv6 users
  • 86. © 2019 Citrix | Confidential • SLB for IPv6 applications (e.g. Microsoft DA / UAG) • Make IPv6 applications available to IPv4 and IPv6 clients • Feature parity with IPv4 for advanced ADC functions IPv6 Application Load Balancing IPv6 Internet IPv4 Internet IPv6 Network IPv4 Network
  • 87. © 2019 Citrix | Confidential Support matrix – client facing (virtual IP) to server facing (SNIP): IPv4 → IPv4; IPv6 → IPv4; IPv4 → IPv6; IPv6 → IPv6
  • 88. © 2019 Citrix | Confidential IPv6 Connection Mirroring • An active Citrix ADC vserver can now sync its IPv6 connection table to the standby (diagram: primary active → secondary standby)
  • 89. © 2019 Citrix | Confidential NAT • SLB NAT • Layer 3 NAT • INAT • RNAT • Prefix based IPv6-IPv4 NAT
  • 90. © 2019 Citrix | Confidential SLB NAT – SLB NAT is used when server responses don't automatically pass through the Citrix ADC: one-arm mode, or servers and the Citrix ADC in different subnets – SLB NAT is performed only when USIP is DISABLED (diagram: Citrix ADC performing SLB NAT with 10.102.1.1, 10.102.1.11 and 10.102.1.21 in front of the Sales, Eng and Manf server groups at 10.102.1.5–10, 10.102.1.15–20 and 10.102.1.25–30)
  • 91. © 2019 Citrix | Confidential SLB NAT – Network profile – SNIP/MIP used as the source IP for back-end communication – Network profiles used for selecting the source IP (SNIP/MIP) – Network profiles can be associated with a service/vserver (diagram: network profiles selecting source IPs 10.102.1.1, 10.102.1.11 and 10.102.1.21 for the Sales, Eng and Manf server groups at 10.102.1.5–10, 10.102.1.15–20 and 10.102.1.25–30)
  • 92. © 2019 Citrix | Confidential Network Profile – order of selecting the source IP • Use Source IP (USIP) enabled – Client IP is always used for back-end communication • Network profile and USIP disabled, in order: – Network profile bound to the service is used – Network profile bound to the servicegroup is used – Network profile bound to the vserver is used • Network profile and monitoring, in order: – Network profile bound to the monitor is used – Network profile bound to the service is used – Network profile bound to the servicegroup is used
  • 93. © 2019 Citrix | Confidential Network Profile – Configuration • Adding a network profile – add netprofile salesNetPro -srcIp 10.102.1.1 • Adding a network profile with an IPSET – add netprofile salesNetPro -srcIp rangeIP • Setting a network profile – set netprofile salesNetPro -srcIp 192.168.1.1 • Binding a network profile – set lb vserver salesVs -netProfile salesNetPro – set service salesSvc -netProfile salesNetPro – set servicegroup salesSvcGrp -netProfile salesNetPro – set monitor sales_mon -netProfile salesNetPro
  • 94. © 2019 Citrix | Confidential Use case for NetProfile • Apple wants to choose the source IP for syslog traffic • The source IP can now be used to identify syslog traffic • Firewalls can be configured for the specific source IP
  • 95. © 2019 Citrix | Confidential 1. Types of L3 NAT – INAT: Citrix ADC replaces the destination IP address
  • 96. © 2019 Citrix | Confidential INAT – Destination NAT • Destination IP translation • Supported scenarios: – IPv4-IPv4 mapping – IPv4-IPv6 mapping – IPv6-IPv4 mapping – IPv6-IPv6 mapping
  • 97. © 2019 Citrix | Confidential INAT – Source IP Selection (flowchart) 1. Is USIP enabled? Yes → use the client IP. 2. No → is a proxy IP configured? Yes → use the proxy IP. 3. No → is USNIP enabled? Yes → use the SNIP. 4. No → is a MIP configured? Yes → use the MIP. 5. No → error.
  • 98. © 2019 Citrix | Confidential INAT – Configuration • add inat <name> <publicIP> <privateIP> [-tcpproxy ( ENABLED | DISABLED )] [-ftp ( ENABLED | DISABLED )] [-usip ( ON | OFF )] [-usnip ( ON | OFF )] [-proxyIP <ip_addr|ipv6_addr>] [-tftp ( ENABLED | DISABLED )] [-mode ( ENABLED | DISABLED )] – Public IP can be one of the Citrix ADC-owned VIPs – Private IP – the translation IP – TCP proxy: useful for security reasons, to mitigate DoS/DDoS attacks – Enabled: maintains the TCP session state – Disabled: does not maintain the TCP session state • rm inat <name> • show inat [<name>]
  • 99. © 2019 Citrix | Confidential 2. Types of L3 NAT – RNAT: Citrix ADC replaces the source IP address
  • 100. © 2019 Citrix | Confidential • Address based translation: NATing is performed for all packets matching the address • Extended ACL based translation: NATing is performed for all packets matching the configured ACL • NAT IP address used in translation: – SNIP or MIP – Unique IP configured as part of the NAT rule (-natip option) • RNAT takes precedence over USIP mode if configured RNAT – Source NAT
  • 101. © 2019 Citrix | Confidential RNAT – Source IP Selection • NATIP is always used when configured • If NATIP is not configured, the source IP is selected based on the destination from: – VIP – if explicitly configured using NATIP – SNIP – if USNIP is ON – MIP – for the rest of the cases • For RNAT in LLB, source IP selection is based on the router (check the LLB documentation for more details)
  • 102. © 2019 Citrix | Confidential RNAT – Example Scenario
  Blue-colored flow:
  1. Packet generated by server: Src = 192.168.2.1; Dst = 100.100.100.1
  2. Packet received by client: Src = 200.200.200.202; Dst = 100.100.100.1
  3. Response from client: Src = 100.100.100.1; Dst = 200.200.200.202
  4. Response received by server: Src = 100.100.100.1; Dst = 192.168.2.1
  Red-colored flow:
  1. Packet generated by server: Src = 192.168.1.1; Dst = 100.100.100.1
  2. Packet received by client: Src = 200.200.200.201; Dst = 100.100.100.1
  3. Response from client: Src = 100.100.100.1; Dst = 200.200.200.201
  4. Response received by server: Src = 100.100.100.1; Dst = 192.168.1.1
  • 103. © 2019 Citrix | Confidential RNAT Configuration • set rnat <IPAddress> <netmask> – MIP or SNIP will be used for translation • set rnat <IPAddress> <netMask> -natip <NATIPAddress> – Provide a single IP or a range in <NATIPAddress> – NATIP will be used for translation • set rnat <aclname> [-redirectPort <port>] – MIP or SNIP will be used for translation for packets matching the ACL – redirectPort – destination port to which traffic is redirected • set rnat <aclname> [-redirectPort <port>] -natIP <NATIPAddress> – Provide a single IP or a range in <NATIPAddress> – NATIP will be used for translation for packets matching the ACL – redirectPort – destination port to which traffic is redirected • show rnat
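The INAT source-IP selection flowchart, the RNAT source-IP rules and the RNAT example scenario above, carried through as an added example that is not Citrix ADC code. The address-based rules (192.168.2.0/24 with NATIP 200.200.200.202, 192.168.1.0/24 with NATIP 200.200.200.201) and the SNIP/MIP values are assumptions chosen so the replayed flows match the addresses on the example slide.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class InatConfig:
    usip: bool = False
    proxy_ip: Optional[str] = None
    usnip: bool = False
    snip: Optional[str] = None
    mip: Optional[str] = None


def inat_source_ip(cfg: InatConfig, client_ip: str) -> str:
    """Precedence from the INAT flowchart: USIP -> proxy IP -> SNIP (if USNIP)
    -> MIP; with none of them available the packet cannot be sourced."""
    if cfg.usip:
        return client_ip
    if cfg.proxy_ip:
        return cfg.proxy_ip
    if cfg.usnip and cfg.snip:
        return cfg.snip
    if cfg.mip:
        return cfg.mip
    raise ValueError("no source IP: enable USIP/USNIP or configure a proxy IP or MIP")


@dataclass
class RnatRule:
    network: str                  # address-based rule: <IPAddress> <netmask>
    natip: Optional[str] = None   # -natip option; None means fall back to SNIP/MIP


@dataclass
class RnatEngine:
    rules: List[RnatRule]
    snip: str
    mip: str
    usnip: bool = True
    # translation table: (public source, destination) -> original private source
    sessions: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def source_ip_for(self, rule: RnatRule) -> str:
        """NATIP is always used when configured; otherwise SNIP when USNIP is ON,
        otherwise MIP (the RNAT source-IP selection slide)."""
        if rule.natip:
            return rule.natip
        return self.snip if self.usnip else self.mip

    def outbound(self, src: str, dst: str) -> Tuple[str, str]:
        """Server-originated packet leaving through the ADC: rewrite the source
        for the first rule whose subnet contains it and remember the mapping."""
        for rule in self.rules:
            if ip_address(src) in ip_network(rule.network):
                public = self.source_ip_for(rule)
                self.sessions[(public, dst)] = src
                return public, dst
        return src, dst               # no matching rule: forwarded untouched

    def inbound(self, src: str, dst: str) -> Tuple[str, str]:
        """Client response: map the public address back to the private server."""
        private = self.sessions.get((dst, src))
        if private is None:
            raise LookupError(f"no RNAT session for {src} -> {dst}")
        return src, private


def example_flows() -> Dict[str, List[Tuple[str, str]]]:
    """Replay the blue and red flows of the example slide; each entry lists the
    (src, dst) pair seen at steps 1-4."""
    engine = RnatEngine(
        rules=[RnatRule("192.168.2.0/24", natip="200.200.200.202"),
               RnatRule("192.168.1.0/24", natip="200.200.200.201")],
        snip="10.0.0.10", mip="10.0.0.11")      # constructed, unused by these rules
    client = "100.100.100.1"
    flows: Dict[str, List[Tuple[str, str]]] = {}
    for name, server in (("blue", "192.168.2.1"), ("red", "192.168.1.1")):
        step1 = (server, client)                  # packet generated by server
        step2 = engine.outbound(*step1)           # packet received by client
        step3 = (client, step2[0])                # response from client
        step4 = engine.inbound(*step3)            # response received by server
        flows[name] = [step1, step2, step3, step4]
    return flows
```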
  • 104. © 2019 Citrix | Confidential Prefix-based IPv6-IPv4 translation (diagram: IPv6 packet Source 2001::1, Destination 3ffe::74.125.91.105 → Citrix ADC NS1 → IPv4 packet Source 202.12.46.10 [Citrix ADC], Destination 74.125.91.105) • IPv6-to-IPv4 translation based on the matching prefix • The destination IP is translated based on the configured prefix – the last 32 bits are used as the IPv4 address • Configuration – set ipv6 [-natprefix <ipv6_addr|*>] – show ipv6
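The prefix-based translation above worked through in both directions, as an added example that is not Citrix ADC code: when the IPv6 destination falls inside the configured NAT prefix, its low 32 bits become the IPv4 destination and a SNIP becomes the source. The prefix 3ffe::/96 is an assumption consistent with the slide's addresses; 202.12.46.10 is the slide's Citrix ADC address.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Optional, Tuple

NAT_PREFIX = IPv6Network("3ffe::/96")      # assumed: set ipv6 -natprefix 3ffe::/96
SNIP_V4 = IPv4Address("202.12.46.10")      # source used on the IPv4 side


def translate_v6_to_v4(src6: str, dst6: str) -> Optional[Tuple[str, str]]:
    """Return (src4, dst4) for the translated IPv4 packet, or None when the
    destination is outside the NAT prefix and no translation applies."""
    dst = IPv6Address(dst6)
    IPv6Address(src6)                       # validate the client address too
    if dst not in NAT_PREFIX:
        return None
    dst4 = IPv4Address(int(dst) & 0xFFFFFFFF)   # low 32 bits carry the IPv4 address
    return str(SNIP_V4), str(dst4)


def translate_v4_reply(src4: str, original_src6: str) -> Tuple[str, str]:
    """Reverse direction: embed the IPv4 server address back under the NAT prefix
    so the IPv6 client sees the same destination it originally sent to."""
    embedded = IPv6Address(int(NAT_PREFIX.network_address) | int(IPv4Address(src4)))
    return str(embedded), str(IPv6Address(original_src6))
```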
  • 105. © 2019 Citrix | Confidential NAT Summary
  Scenario | INAT | RNAT | SLB NAT
  1:1 | Provide a private IP corresponding to the public IP | Provide only one IP in the rule with a configured NATIP address | Combination of a listen rule and a net profile with one IP attached to the vserver
  N:1 | Provide the same private IP in different INAT rules | Provide a subnet in the RNAT rule | Net profile with one IP attached to the vserver
  M:N | NA | Provide a subnet in the RNAT rule and a range in NATIP addresses | Net profile with a range/subnet of IPs attached to the vserver
  • 106. © 2019 Citrix | Confidential Dynamic Routing • Protocols supported – Routing Information Protocol (RIP) version 2 – Open Shortest Path First (OSPF) version 2 – Border Gateway Protocol (BGP) – Routing Information Protocol next generation (RIPng) for IPv6 – Open Shortest Path First (OSPF) version 3 for IPv6 – IS-IS protocol • Protocols use the industry-standard ZebOS
  • 107. © 2019 Citrix | Confidential Dynamic Routing – Dynamic Routing Protocol Command Reference Guide: Unsupported Commands
  OSPF (OSPF Command Reference): • domain-id command • graceful restart related commands • OSPF-TE related commands • OSPF-VPN related commands • CSPF-TE related commands • ip ospf resync-timeout command • capability opaque command • enable ext-ospf-multi-inst command
  IPv6 OSPF (OSPFv3) (OSPF Command Reference): • graceful restart related commands • OSPF-TE related commands
  BGP (BGP Command Reference): • VPN/VRF related commands • graceful restart related commands • MPLS related commands • 6PE commands (IPv6 provider edge) • MD5 authentication related commands • multicast options • set-overload-bit command
  IS-IS (IS-IS Command Reference): • capability cspf command • enable-cspf command • mpls traffic-eng command • mpls traffic-eng router-id command • multi-topology for ipv6 address family related commands
  RIP and IPv6 RIP (RIPng): • neighbor command
  • 108. © 2019 Citrix | Confidential Jumbo Frames • Use case – ability to send larger frames across the network, which helps with large file transfer and content download use cases. • Feature – Receiving and transmitting jumbo frames containing up to 9216 bytes of IP data – Jumbo frame support for the following protocols: TCP, UDP, HTTP, SIP, RADIUS – nCore is being validated in 10.5
  • 109. © 2019 Citrix | Confidential Standard Ethernet Frame vs Jumbo Frame (diagram: transferring a file of 8500 bytes takes six standard frames, five of header + 1500 bytes of application data and one of header + <1500 bytes, versus a single jumbo frame of header + 8500 bytes)
  • 110. © 2019 Citrix | Confidential Benefits of Ethernet jumbo frames Big Payloads Increased Throughput and Goodput Fewer Packets Less Packet switching Reduced Network I/O Lowered CPU Usage Reduced Protocol Processing
  • 111. © 2019 Citrix | Confidential VXLAN Support • Virtualization has placed increased demands on the physical networking infrastructure • VMs may be grouped according to their virtual LAN; the limit of 4096 VLANs is inadequate • Need to host multiple tenants, each with their own isolated networking domain • Each tenant may independently assign MAC addresses and VLAN IDs • Need for an overlay network that carries MAC traffic from individual VMs in an encapsulated format over a logical "tunnel"
  • 112. © 2019 Citrix | Confidential Multi-tenancy (server reachability over VXLAN only)
  add partition p1
  add partition p2
  add vxlan 1000
  add vxlan 2000
  bind partition p1 -vxlan 1000
  bind partition p2 -vxlan 2000
  add bridgetable -mac 00:00:00:00:00:00 -vxlan 1000 -vtep 10.216.1.1
  add bridgetable -mac 00:00:00:00:00:00 -vxlan 2000 -vtep 10.216.1.2
  Switch partition p1
  bind vxlan 1000 -ipAddress 192.168.1.10 255.255.255.0
  Switch partition p2
  bind vxlan 2000 -ipAddress 192.168.1.10 255.255.255.0
  (diagram: Client A and Client B at client IP 123.1.1.1 reach VIP 65.1.1.1 on the Citrix ADC; Partition1 reaches Server A through VTEP 10.216.1.1 and Partition2 reaches Server B through VTEP 10.216.1.2; both servers use the overlapping server IP 192.168.1.11, which the partitions keep isolated)
  • 113. © 2019 Citrix | Confidential Multi-tenancy (server reachability over VLAN/stretched VXLAN)
  add partition p1
  add partition p2
  add vxlan 1000 -vlan 100
  add vxlan 2000 -vlan 200
  bind partition p1 -vlan 100
  bind partition p2 -vlan 200
  add bridgetable -mac 00:00:00:00:00:00 -vxlan 1000 -vtep 10.216.1.1
  add bridgetable -mac 00:00:00:00:00:00 -vxlan 2000 -vtep 10.216.1.2
  Switch partition p1
  bind vlan 100 -ipAddress 192.168.1.10 255.255.255.0
  Switch partition p2
  bind vlan 200 -ipAddress 192.168.1.10 255.255.255.0
  (diagram: Client A and Client B at client IP 123.1.1.1 reach VIP 65.1.1.1 on the Citrix ADC; Partition1 reaches Server A on server subnet VLAN 100 through VTEP 10.216.1.1 and Partition2 reaches Server B on server subnet VLAN 200 through VTEP 10.216.1.2; both servers use the overlapping server IP 192.168.1.11)
  • 114. © 2019 Citrix | Confidential Bridging between VLAN and VXLAN (diagram: Server 1 on VLAN 2 bridged through the VTEP to Server 2 on VXLAN 20000) enable ns mode L2 / add vxlan 20000 -vlan 2 / add ipTunnel tun1 224.0.0.7 255.255.255.255 * -protocol vxlan / bind vxlan 20000 -tunnel tun1
  • 115. © 2019 Citrix | Confidential Citrix ADC VXLAN Capabilities • Server / client reachability over VXLAN tunnels • Bridge traffic between VLAN and VXLAN segments • Two types of VXLANs – VXLANs that stretch / extend existing VLAN – VXLANs as independent Layer 3 entities - scale beyond the limit of 4K vlans • Unicast and Multicast VXLAN tunnels – No support for IGMP as yet – VTEPs should be one hop away when tunnel is multicast • VXLAN port configurable (default 4789) • Identical VXLAN configuration on HA nodes • Scaling – 4K vlan extensions and 2K layer 3 configurations
  • 116. © 2019 Citrix | Confidential Citrix ADC VXLAN Capabilities • Bridge table learns VNID, VTEP • VNID, VTEP configurable for static ARP/ND6 • ACL, ACL6, PBR, PBR6 policies to match VXLAN • Policy expressions to match VXLAN • VXLANs can be bound to traffic domains • IPv4/v6 addresses can be bound to VXLANs • VXLAN stat/SNMP support
  • 117. © 2019 Citrix | Confidential Bidirectional Forwarding Sessions • BGP Neighbor fall-over feature • Bidirectional Forwarding Detection (BFD) is a network protocol used to detect faults between two forwarding engines connected by a link
  • 118. © 2019 Citrix | Confidential Optimization
  • 119. © 2019 Citrix | Confidential Caching – AppCache • Reduce server workloads by removing repeatable content • Caching allows content to be held on the Citrix ADC • Content can be prepopulated or cached by policy as it becomes popular • Improved user experience • Less strain on server infrastructure
  • 120. © 2019 Citrix | Confidential AppCompress • Advanced compression capability to reduce transmitted data to user • Improved user experience combining compression capabilities of browser • Reduces server overheads • Eliminates bandwidth bottlenecks & improves application performance significantly Compression
  • 121. © 2019 Citrix | Confidential TCP Congestion Control • Use case: add support for high-speed TCP congestion control algorithms, which can help with: – Minimizing bandwidth stolen – Ensuring that coexisting flows with different RTTs are treated fairly – Ensuring efficient usage of the available bandwidth • Feature: two new TCP congestion control algorithms supported – BIC – CUBIC
  • 122. © 2019 Citrix | Confidential BIC and CUBIC • BIC: – Focus is on high-speed networks, bandwidth up to 10 Gbps – Ability to transfer large amounts of data over long distances in a short amount of time – TCP fairness – ability to share bandwidth with TCP connections on low-speed networks • CUBIC: – Enhanced BIC – Maintains BIC's scalability and stability – Simplifies the window control – Improves BIC's friendliness – Two competing CUBIC flows converge to fair-share windows – Uses real-time, rather than ACK-clocked, updates to the window – The window growth rate is time dependent and RTT independent, allowing for fairer sharing
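The CUBIC properties listed above (real-time rather than ACK-clocked growth, RTT independence, convergence toward the pre-loss window) follow from its window function; this added example, which is not Citrix ADC code, goes beyond the slide by writing out the RFC 8312 formulas with the RFC's recommended constants C = 0.4 and beta = 0.7, plus the TCP-friendly floor that protects short-RTT flows.

```python
C = 0.4        # CUBIC scaling constant (segments / second^3)
BETA = 0.7     # multiplicative decrease factor: cwnd right after a loss = BETA * W_max


def cubic_k(w_max: float) -> float:
    """K: seconds needed for the window to climb back from BETA*W_max to W_max."""
    return ((w_max * (1 - BETA)) / C) ** (1 / 3)


def cubic_window(t: float, w_max: float) -> float:
    """W_cubic(t) = C*(t-K)^3 + W_max, with t = seconds since the last loss event.
    Concave for t < K (fast approach to W_max, then slowing), convex beyond K
    (probing for new bandwidth); nowhere does the RTT appear."""
    return C * (t - cubic_k(w_max)) ** 3 + w_max


def reno_window(t: float, w_max: float, rtt: float) -> float:
    """TCP-friendly estimate a Reno flow would reach in the same time:
    W_est(t) = W_max*BETA + 3*(1-BETA)/(1+BETA) * t/RTT."""
    return w_max * BETA + 3 * (1 - BETA) / (1 + BETA) * (t / rtt)


def cwnd(t: float, w_max: float, rtt: float) -> float:
    """Effective window: CUBIC never lets itself fall below what Reno would have,
    so on short-RTT paths it behaves like Reno and on long-RTT paths like CUBIC."""
    return max(cubic_window(t, w_max), reno_window(t, w_max, rtt))


def growth_trace(w_max: float, horizon: float, step: float = 0.1):
    """Sample the cubic window over time; identical for any RTT in the cubic region."""
    n = int(horizon / step)
    return [(round(i * step, 3), cubic_window(i * step, w_max)) for i in range(n + 1)]
```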
  • 123. © 2019 Citrix | Confidential Citrix ADC MobileStream™ – multi-layer application optimizations with granular security and control • Mobile protocol acceleration for best performance over lossy and high-latency links • Intelligent multi-path networking to seamlessly leverage wireless and cellular connectivity • Optimized web content streaming for faster download and rendering • Per-app and per-user access management for end-to-end secure delivery • Built-in protocol and app visibility for compliance • Extensible policies for mobile threat and malware protection
  • 124. © 2019 Citrix | Confidential Citrix ADC MobileStream™
  • 125. © 2019 Citrix | Confidential Content Layout • Browser and client cache can be better utilized • JS and images dominate page content • PNG is still not mainstream • Average response size is increasing; pages are becoming heavier. Source: top 1000 sites (http://httparchive.org/interesting.php)
  • 126. © 2019 Citrix | Confidential Introduction • JS/CSS and images comprise most of the web content. • FEO focuses on faster and more efficient web content delivery by optimizing these components. • Along with this, FEO tries to leverage the client cache.
  • 127. © 2019 Citrix | Confidential Optimization Techniques (mapped to the stages in web page delivery: initial connection setup, content generation, embedded object download, page rendering) • External script/stylesheet minification • CSS & JS inlining • Small image inlining • Combine CSS • Image GIF to PNG • Image resizing • JPEG image weakening • Image to JXR/WebP • Moving CSS in front / convert import to link • Defer JS loading • Lazy loading of images • Domain sharding • Cache extension
  • 128. © 2019 Citrix | Confidential How does FEO work? First request: 1. Citrix ADC receives the response from the server and forwards it to the client. 2. The client parses the page and sends a request for the first embedded object. 3. Citrix ADC sends the request to the server; the server sends the processed content. 4. Citrix ADC optimizes the content and saves it in the cache. 5. Citrix ADC sends the original image to the client. Subsequent requests: 1. Citrix ADC receives the response from the server. 2. Citrix ADC parses the HTML page, checks for the optimized content and sends the optimized content to the client. 3. The client sends a request for the optimized content. 4. Citrix ADC fetches the content from the cache and sends the optimized content to the client.
  • 129. © 2019 Citrix | Confidential Demo: COP vs. no COP
  • 130. © 2019 Citrix | Confidential FEO – Video Optimization for Mobile Networks • The Citrix ADC Video Optimization feature detects and optimizes Adaptive Bit Rate (ABR) traffic over mobile networks • Ability to present insight into video traffic and apply an optimization rate control to ABR video • Supported in admin partitions
  • 131. © 2015 Citrix | Confidential HTTP 2.0
  • 132. © 2019 Citrix | Confidential Problem with HTTP/1.1 • Suboptimal use of TCP – Average number of TCP connections per page used in popular sites: 37 – Slow Start – Good for Network, Bad for Client experience – TCP connections per domain : 6 (common in most of the browsers)
  • 133. © 2015 Citrix | Confidential Problem with HTTP/1.1 • Increase in transfer size and number of objects per page
  • 134. © 2019 Citrix | Confidential Problem with HTTP/1.1 • Protocol overhead – Duplicate headers – No header compression. Two consecutive requests to the same host repeat every header except the request line:
  GET /frameworks/barlesque/2.83.4/orb/4/script/orb/api.min.js HTTP/1.1
  Host: static.bbci.co.uk
  Connection: keep-alive
  Accept: */*
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
  DNT: 1
  Referer: http://www.bbc.co.uk/
  Accept-Encoding: gzip, deflate, sdch
  Accept-Language: en-US,en;q=0.8,ne;q=0.6
  GET /locator/0.119.7/script/locator.js HTTP/1.1
  Host: static.bbci.co.uk
  Connection: keep-alive
  Accept: */*
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
  DNT: 1
  Referer: http://www.bbc.co.uk/
  Accept-Encoding: gzip, deflate, sdch
  Accept-Language: en-US,en;q=0.8,ne;q=0.6
  • 135. HTTP/1.1 Solutions
  • Spriting
  • Inlining
  • Concatenation
  • Sharding
  • 136. HTTP/2: HTTP/1.1 Protocol Fix
  • HTTP/2 Goals
    – Backward compatibility
    – Header compression
    – Server push
    – Substantially and measurably improve end-user perceived latency
    – Address the "head of line blocking" problem
    – Not require multiple connections to a server to enable parallelism
    – Improve its use of TCP, especially regarding congestion control
  • 137. HTTP/2 summary
  • Binary protocol
  • Opens a single TCP connection per domain
  • Multiple requests are streamed into one connection
  • Streams are
    – Multiplexed
    – Prioritized
    – Flow controlled
  • Header compression
  • Change in wire format, no change in semantics
  [Diagram: protocol stack: Application, HTTP/2, Binary Framing, TLS, Transport, Physical Network]
  • 138. Citrix ADC HTTP/2 Architecture
  – ION Release: Citrix ADC supports HTTP/2 Gateway
  – Front-End HTTP/2, Back-End HTTP/1.1
  [Diagram: HTTP/2 browser, single TCP connection with request multiplexing, to Citrix ADC HTTP/2 Gateway, to HTTP/1.1 server farm; Citrix ADC features shown: Caching, AGEE/VPN, AppFirewall, TCP Optimization, Compression, Content Optimization, Cache Redirection, Persistency]
  • 139. Citrix ADC HTTP/2 Architecture
  [Diagram: HTTP/2 browser, single TCP connection with request multiplexing, to Citrix ADC HTTP/2 Proxy, to HTTP/1.1 server farm; one client PCB carries stream sessions 1, 3, 5 and 7, each mapped to its own server PCB]
  • 140. Action Analytics
  • 141. How do Action Analytics Impact the Network?
  Dynamic Configuration & Flexibility
  • 142. Action Analytics
  • Framework to collect statistics of run-time objects
  • Statistics collected can be used to take run-time decisions
  • Statistics collected per object include
    – Total no. of requests
    – Bandwidth
    – Response time
    – Current connections
  [Diagram: Citrix ADC (Citrix ADC MPX-15000)]
  • 143. Action Analytics
  • Uses the rate limiting framework and structures to measure traffic.
  • Counter results are exposed to the Policy Engine.
  • Two components to measuring traffic objects:
    1. Selector
    2. Stream Identifier
  • Selector: Defines a ‘click’.
  • Stream Identifier: Measurement intervals.
  • 144. Action Analytics – Stream Selector
  • Citrix ADC comes with some pre-defined selectors
  [Screenshot: Citrix ADC configuration]
  • 145. Action Analytics – Stream Identifier
  • Citrix ADC comes with predefined identifiers
  • Defines the selector used
  • Time interval in minutes
  • Sample rate
  • 146. Action Analytics – Stream Identifier
  • To start counting, a “No Operation” responder policy must be bound.
  • These are also predefined.
  • Stream Analytics will now start counting.
  • 147. Action Analytics - Requirements
  • Stream Selector
  • Stream Identifier
  • Feature policy configured and bound, e.g.
    add cache policy Cache-Top-URLS -rule "ANALYTICS.STREAM(\"Top_URL\").IS_TOP(10)" -action CACHE -storeInGroup top-requests
  • Responder policy configured and bound
  • 148. Action Analytics Use Case
  • An online retailer wants to ensure availability of the most frequently viewed items on sale
  • Ability to cache data objects on Citrix ADC for faster access and free up server resources for processing transactional data
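The requirements list (slide 147) and the retailer use case above, carried through as an added end-to-end Citrix ADC CLI configuration; this is not from the deck. The object names sel_req_url, id_top_url, lb_vs_shop, rsp_collect_top_url and cg_top_requests are assumed for illustration, and the lines starting with # are annotations rather than CLI input.

```nscli
# Added example, not from the deck. Names below are assumed for illustration.

# 1. Features in play: Integrated Caching for the cache policy, Responder for
#    the "No Operation" policy that switches statistics collection on.
enable ns feature IC RESPONDER

# 2. Stream selector: defines what a "click" is. Here one counter per request URL.
add stream selector sel_req_url HTTP.REQ.URL

# 3. Stream identifier: ties the selector to a measurement interval (minutes)
#    and a sample rate (1 = evaluate every request), ranked by request count.
add stream identifier id_top_url sel_req_url -interval 5 -sampleCount 1 -sort REQUESTS

# 4. NOOP responder policy bound on the load-balancing vserver. COLLECT_STATS is
#    what starts the counters; the NOOP action leaves the request untouched.
add responder policy rsp_collect_top_url "ANALYTICS.STREAM(\"id_top_url\").COLLECT_STATS" NOOP
bind lb vserver lb_vs_shop -policyName rsp_collect_top_url -priority 100 -gotoPriorityExpression END -type REQUEST

# 5. Feature policy that consumes the statistics: cache any object whose URL is
#    currently among the top 10 by requests, stored in its own content group so
#    the hot set can be flushed or sized independently of other cached content.
add cache contentGroup cg_top_requests
add cache policy Cache-Top-URLS -rule "ANALYTICS.STREAM(\"id_top_url\").IS_TOP(10)" -action CACHE -storeInGroup cg_top_requests
bind lb vserver lb_vs_shop -policyName Cache-Top-URLS -priority 100 -type REQUEST

# 6. Verification: the per-URL counters collected so far for this identifier.
#    A URL that suddenly dominates this list is also an early signal of abusive
#    or scripted traffic, which is why the deck notes that the same framework
#    backs rate limiting.
show stream session id_top_url
```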
  • 149. Your Invincible Network
  Ensure the highest availability with live clusters – zero downtime, even during upgrades
  Provide intelligent optimization for superior performance
  Protect business logic with responsive, dynamic configurations
  Resiliency + Performance + Flexibility = Invincible
  • 150. Work better. Live better.