
SYN207: Newest and coolest NetScaler features you should be jazzed about


Citrix NetScaler engineering continues to deliver new enhancements and cool features. This technical session will highlight five recent NetScaler innovations in virtual application, desktop and server availability and security that can improve your datacenter network and make applications run better and faster. Topics will include faster app acceleration and why developers are building apps to leverage advanced ADC capabilities.

  1. © 2014 Citrix. Confidential.
  2. •  As a tradition, every Synergy we highlight the coolest NetScaler features in this session. My name is Anoop Reddy. Along with me I have Tushar Kanekar, Anoop Agarwal, Minoo Gupta and Sanjay Gupta.
     •  This year we have really cool things to discuss. Given the overall Citrix focus on Mobile, we will talk about the new NetScaler features that optimize mobile access and mobile security. We will then talk about our innovations for next-generation data centers.
     •  We will finish off with some of the exciting user experience and automation enhancements.
     •  We have a lot of stuff to cover. We will have 5 minutes for Q&A at the very end.
  3. •  Please tweet/blog about this session with the hashtags SYN207 and citrixsynergy. For those of you who tweet/blog, we have giveaways at the end of this session.
  4. Mobile is different.
     Mobile networks are characterized by high-latency, lossy pipes; last-mile bandwidth, capacity and connection constraints; connection breaks when switching between cell towers; and device constraints, since battery life is important and the viewport is smaller.
     This year we introduce a set of NetScaler optimization features specifically geared towards optimizing application delivery in the mobile context, not just at the TCP/HTTP level but also by moving deeper into the application and optimizing HTML content.
  5. •  Let's cut to the chase and first see a demo. On the left-hand side you will see the details of accessing an application directly, while on the right-hand side NetScaler is in the path with our Front End Optimizations turned on.
     •  You will see a 100% improvement in page load time, with a 40% reduction in the number of bytes downloaded and a 30% reduction in the number of requests made to the server.
  6. •  Now, let's analyze the top 1000 sites as reported by a survey (the source name is missing from the slide) that tracks web trends, stats and performance, and see what kind of optimizations are possible. As you can see, JavaScript and images dominate the content, and individual pages are becoming heavier. So any optimizations for JavaScript and images can be very effective. Only 25% of the images are optimized and more than 50% of the content doesn't leverage the browser cache.
     •  So there is a lot of scope for optimization.
  7. •  Now, let's see how we achieve these results. Most of the techniques for Front End Optimization are fairly well known, but they require changes to your web server config or application code, getting the app server to talk to new processes, and/or setting up extra proxies in the path. Instead you can achieve all of these optimizations by applying a simple config on NetScaler.
     •  A typical web page access can be broken down into the initial connection setup stage, the page content, embedded object downloads, and finally rendering the page. We optimize each of these stages.
     •  Before we go into the details I would like to emphasize that it is important not to be very aggressive with optimizations that might break apps or browser compatibility. We have chosen a middle path by opting for the least intrusive features that give the maximum performance boost.
  8. •  Browsers enforce a limit on how many connections can be open to a single domain. To improve parallel downloads we split the requests across multiple domains (domain sharding) and also insert HTML directives to prefetch the DNS records of those domains.
  9. •  We improve browser content caching (basically, avoid unnecessary 304 Not Modified round trips) by 1) versioning image URLs instead of relying on artificial and inaccurate cache timeouts, and 2) inserting ETags to signal content changes; and we leverage NetScaler compression.
  10. •  A lot of optimizations are possible in the embedded-object stage. We do JavaScript/CSS minification to shrink the objects, we can inline smaller CSS/JavaScript/images, and we combine CSS files to reduce the number of requests.
  11. •  We improve page rendering by deferring JavaScript loading and moving objects that affect the visible portion, such as CSS, and parallel downloads to the top. We also only load images in the current viewport. This is especially significant for mobile devices, where content not in the current view doesn't need to be loaded.
  12. •  To summarize, we optimize at every stage of the page load process.
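The rewriting pipeline of slides 8 to 12, as an added example in Python (not NetScaler code and not the presenters' configuration): domain sharding with DNS-prefetch hints, content-hash versioning of asset URLs, inlining of small stylesheets, deferred scripts and lazy images beyond the initial viewport. The shard hostnames, thresholds, sample page and asset bodies are assumptions constructed for the example.

```python
"""Front-end optimization pass illustrating slides 8-12.

Added example, not NetScaler code: it rewrites a page the way the slides
describe (domain sharding plus DNS-prefetch hints, content-hash URL
versioning, inlining of small CSS, deferred scripts, lazy images outside the
initial viewport). The shard hostnames, thresholds, sample page and asset
bodies are all constructed for the example.
"""
import hashlib
import re

SHARDS = ["static1.example.com", "static2.example.com"]  # assumed shard hosts
INLINE_MAX = 512        # inline CSS no larger than this many bytes
VIEWPORT_IMAGES = 2     # images assumed to fall inside the initial viewport

LINK_RE = re.compile(r'<link\s+rel="stylesheet"\s+href="([^"]+)"\s*/?>')
SCRIPT_RE = re.compile(r'<script\s+src="([^"]+)"\s*>\s*</script>')
IMG_RE = re.compile(r'<img\s+src="([^"]+)"([^>]*)>')


def versioned(path, body):
    """Append a short content hash: a changed file gets a new URL, so the
    browser may cache the old one indefinitely without guessing a lifetime."""
    return f"{path}?v={hashlib.sha256(body).hexdigest()[:8]}"


def shard_host(path):
    """Deterministic path -> shard mapping, so an asset always lives under the
    same hostname and stays cacheable across page views."""
    idx = int(hashlib.sha256(path.encode()).hexdigest(), 16) % len(SHARDS)
    return SHARDS[idx]


def minify_css(css):
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)        # strip comments
    css = re.sub(r"\s+", " ", css)                         # collapse whitespace
    return re.sub(r"\s*([{};:,])\s*", r"\1", css).strip()  # no space around tokens


def optimize_html(html, assets):
    """assets maps asset path -> bytes (what the proxy has fetched or cached)."""
    used_hosts = set()

    def asset_url(path):
        host = shard_host(path)
        used_hosts.add(host)
        return f"//{host}{versioned(path, assets[path])}"

    def css_sub(m):                      # inline small stylesheets, shard the rest
        path = m.group(1)
        if len(assets[path]) <= INLINE_MAX:
            return "<style>" + minify_css(assets[path].decode()) + "</style>"
        return f'<link rel="stylesheet" href="{asset_url(path)}">'

    deferred = []

    def script_sub(m):                   # move scripts out of the render path
        deferred.append(f'<script defer src="{asset_url(m.group(1))}"></script>')
        return ""

    seen = 0

    def img_sub(m):                      # only viewport images get a real src
        nonlocal seen
        seen += 1
        url, rest = asset_url(m.group(1)), m.group(2)
        attr = "src" if seen <= VIEWPORT_IMAGES else "data-src"
        return f'<img {attr}="{url}"{rest}>'

    html = LINK_RE.sub(css_sub, html)
    html = SCRIPT_RE.sub(script_sub, html)
    html = IMG_RE.sub(img_sub, html)
    html = html.replace("</body>", "".join(deferred) + "</body>", 1)
    prefetch = "".join(f'<link rel="dns-prefetch" href="//{h}">' for h in sorted(used_hosts))
    return html.replace("<head>", "<head>" + prefetch, 1)


# Constructed sample page and asset bodies.
SAMPLE_PAGE = """<html><head><title>t</title>
<link rel="stylesheet" href="/css/site.css">
<script src="/js/app.js"></script>
</head><body>
<img src="/img/hero.png" alt="hero">
<img src="/img/a.png" alt="a">
<img src="/img/b.png" alt="b">
</body></html>"""

SAMPLE_ASSETS = {
    "/css/site.css": b"body {\n  color: #333; /* base */\n}\n",
    "/js/app.js": b"console.log('hi');",
    "/img/hero.png": b"\x89PNG hero",
    "/img/a.png": b"\x89PNG a",
    "/img/b.png": b"\x89PNG b",
}

if __name__ == "__main__":
    print(optimize_html(SAMPLE_PAGE, SAMPLE_ASSETS))
```

Versioning by content hash is what makes long cache lifetimes safe: the URL changes when the bytes change, so no timeout has to be guessed. Two cautions an in-path rewriter brings with it: inlined styles collide with a Content-Security-Policy whose style-src lacks 'unsafe-inline', and minifying a script changes its bytes, so any Subresource Integrity hash the page carried for it will no longer match.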
  13. •  Now, going down the stack to optimize at the lower layers, taking into account mobile network characteristics. In the past we have talked about NetScaler as a speedy gateway. This is extremely relevant for performance in mobile networks. We have also talked about MPTCP support in NetScaler, which can use multiple available networks in parallel while also smoothing out cell-tower-to-Wi-Fi transitions.
      •  Packet losses in the mobile context are not just due to congestion but also due to losses in the medium and transitions between cell towers.
      •  This year we announce support for Cubic and BIC, TCP congestion and flow control algorithms for mobile networks that take such characteristics into account and optimize delivery there.
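The algorithm the slide calls Cubic, worked as an added Python example (not NetScaler's implementation; the appliance's constants are not given on the slide, so the RFC 8312 defaults are assumed). The cubic term grows as a function of time since the last loss rather than per RTT, which is why a 200 ms cellular path recovers on the same schedule as a 20 ms wired one:

```python
"""CUBIC window growth after a loss, as defined in RFC 8312.

Added illustration of the algorithm slide 13 calls "Cubic"; it is not
NetScaler's implementation, and the appliance's constants are not on the
slide, so the RFC defaults are used (C = 0.4, beta = 0.7). Window sizes are
in segments, time in seconds.
"""
C = 0.4       # scaling constant of the cubic curve
BETA = 0.7    # multiplicative decrease: cwnd becomes BETA * W_max on loss


def cubic_k(w_max):
    """K: seconds for the cubic curve to climb back from BETA*W_max to W_max."""
    return (w_max * (1 - BETA) / C) ** (1 / 3)


def cubic_window(t, w_max):
    """W_cubic(t) = C*(t-K)^3 + W_max: concave until K (quick recovery toward
    the old window, then a cautious plateau), convex after it (probing)."""
    return C * (t - cubic_k(w_max)) ** 3 + w_max


def tcp_friendly_window(t, w_max, rtt):
    """What a standard AIMD (Reno-style) sender would have reached in the
    same time; CUBIC uses it as a floor (RFC 8312, section 4.2)."""
    return w_max * BETA + 3 * (1 - BETA) / (1 + BETA) * t / rtt


def cwnd(t, w_max, rtt):
    """Congestion window t seconds after the loss event."""
    return max(cubic_window(t, w_max), tcp_friendly_window(t, w_max, rtt))


def recovery_trace(w_max, rtt, step=0.5, steps=12):
    """Sampled cwnd values, e.g. to compare a 20 ms wired RTT with a 200 ms
    cellular RTT: the cubic term does not depend on RTT at all, which is why
    high-latency links are not penalised the way they are under AIMD."""
    return [round(cwnd(i * step, w_max, rtt), 2) for i in range(steps)]


if __name__ == "__main__":
    for rtt in (0.02, 0.2):
        print(f"rtt={rtt:.2f}s", recovery_trace(100, rtt))
```

On the short-RTT path the TCP-friendly floor dominates the first seconds of recovery; on the long-RTT path the cubic curve is what carries the window back to W_max, at the same wall-clock time in both cases.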
  14. •  NetScaler can now optimize at a much deeper level, in the HTML content, for mobile networks. Most important to note: we chose the least intrusive features that do not break browser compatibility or apps while giving us the maximum optimization.
      •  We continued to optimize TCP for mobile by introducing support for the Cubic/BIC congestion and flow control algorithms.
      •  If your apps are used on mobile devices and delivered through mobile networks, you have to try the latest version of NetScaler!
      •  With that I hand the presentation over to Tushar Kanekar.
  16. •  NetScaler is the industry leader in secure, optimized and reliable delivery of web apps, and is also best in class for mobile apps.
      •  Security imperatives to address:
         -  SSL everywhere: you cannot have a few pages over SSL and the others in the clear.
         -  A per-app micro-VPN, for isolation, per-app access control and security.
         -  Support for 2048-bit RSA keys, per the new NIST guidelines.
         -  Device-efficient crypto, to conserve the precious battery of a handheld device.
         -  On top of this, you need protection from the ever-changing threat landscape: BEAST, CRIME and, most recently, Heartbleed, to name a few.
      •  Given this, you need a very robust delivery mechanism to protect your apps and your infrastructure. That's where the NetScaler ADC comes to the rescue. How does NetScaler help meet these imperatives?
  17. •  NetScaler + XenMobile deployment; note that NetScaler sits in the DMZ, providing all the protection.
  18. •  Security:
         -  NetScaler provides protection from various L2-L7 attacks, including but not limited to SYN floods, DDoS, and HTTP DoS such as Slowloris and Slow POST.
         -  SSL: a hardened SSL/TLS engine with hardware acceleration for SSL termination and offload. Not affected by the recent OpenSSL Heartbleed bug.
         -  Support for FIPS and for newer ciphers such as AES-GCM and SHA-2, which are part of NIST's Suite B list of algorithms.
         -  External HSM: we are working to integrate NetScaler with external HSM vendors such as Thales. This will let a non-FIPS device (VPX, MPX, SDX instances) use the security of a FIPS 140-2 Level 2/3 certified HSM.
         -  ECC cipher suites: these provide the same level of security as RSA at a smaller key size. ECC can be done efficiently on low-powered handhelds and thus helps conserve precious battery life. For example, a 224-bit ECC key is roughly equivalent to a 2048-bit RSA key.
         -  Strong access control, a critical piece for mobile apps, with single sign-on and multi-factor authentication including client/device certificate checks.
         -  Various protections for your app and backend servers: Application Firewall to protect against SQL injection and XSS attacks; ActiveSync filtering to prevent
  19. •  ActiveSync filtering: NetScaler does a callout to the XNC (XenMobile NetScaler Connector) server, asking for the managed status of the incoming device based on the ActiveSync device ID present in the request. XNC returns a managed/unmanaged response, and NetScaler acts on it.
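The decision the slide describes, as an added Python example (not NetScaler or XenMobile code). It takes the device identity from the Exchange ActiveSync query string, where EAS clients send DeviceId, and replaces the XNC callout with an in-memory stand-in; request lines, device ids and the fail-closed default are constructed for the example:

```python
"""ActiveSync filtering decision, illustrating slide 19.

Added example, not NetScaler or XenMobile code. An Exchange ActiveSync (EAS)
request carries the device identity in its query string
(...&DeviceId=...&DeviceType=...); NetScaler looks that id up at the XenMobile
NetScaler Connector (XNC) and allows only managed devices. The requests, the
XNC answers and the fail-closed default below are constructed for the example;
the real callout is an HTTP request whose format is not on the slide.
"""
from urllib.parse import parse_qs, urlsplit

EAS_PATH = "/Microsoft-Server-ActiveSync"


class XncClient:
    """Stand-in for the HTTP callout. `status` maps device id -> managed/unmanaged."""

    def __init__(self, status, available=True):
        self.status = status
        self.available = available

    def managed_status(self, device_id):
        if not self.available:
            raise ConnectionError("XNC unreachable")
        return self.status.get(device_id, "unmanaged")   # unknown device: unmanaged


def device_id_from_query(query):
    """DeviceId from the EAS query string, or None when absent. EAS 14.x clients
    may base64-encode the whole query; that form is not decoded here and so
    falls through to None, which the policy treats as block."""
    ids = parse_qs(query).get("DeviceId")
    return ids[0] if ids and ids[0] else None


def activesync_decision(request_line, xnc, fail_open=False):
    """Return 'pass' (not an EAS request, other policies apply), 'allow' or 'block'."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    if parts.path != EAS_PATH:
        return "pass"
    device_id = device_id_from_query(parts.query)
    if device_id is None:
        return "block"            # nothing to check against: fail closed
    try:
        status = xnc.managed_status(device_id)
    except ConnectionError:
        return "allow" if fail_open else "block"   # callout failure: closed unless told otherwise
    return "allow" if status == "managed" else "block"


def decide_all(request_lines, xnc, fail_open=False):
    return [activesync_decision(r, xnc, fail_open) for r in request_lines]


# Constructed request lines (the device ids are made up).
SAMPLE_REQUESTS = [
    "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=alice&DeviceId=ABC123&DeviceType=iPhone HTTP/1.1",
    "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=bob&DeviceId=ZZZ999&DeviceType=Android HTTP/1.1",
    "OPTIONS /Microsoft-Server-ActiveSync?Cmd=Sync&User=carol HTTP/1.1",
    "GET /owa/ HTTP/1.1",
]
MANAGED = XncClient({"ABC123": "managed"})   # XNC knows only alice's phone

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, decide_all(SAMPLE_REQUESTS, MANAGED)):
        print(f"{verdict:5s} {req}")
```

The two edge cases worth deciding explicitly are a request with no parsable DeviceId (including the base64-encoded query form newer EAS clients can use) and an unreachable XNC. Both block by default; an operator who prefers availability over control flips fail_open, and that choice should be a visible setting rather than an accident of the policy.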
  20. •  Reliable = capacity to grow.
      •  We talked about security features, but what use are they if you cannot reliably deliver your apps? NetScaler provides the capacity to handle different workloads.
      •  Remember the per-app micro-VPN: each one opens an isolated SSL connection. Now imagine each handheld has 3-4 apps and thousands of such handhelds connecting to an enterprise at any given time.
      •  NetScaler has best-in-class TPS and throughput numbers. The numbers quoted here are for the MPX 22120 system.
      •  Note: TPS here stands for transactions per second, meaning new SSL handshakes per second without any session reuse.
      •  HA support to protect against system failures, and GSLB for site failures.
  21. •  Perfect Forward Secrecy: in this post-Snowden era, many companies are investing in PFS to secure user data. PFS protects previously recorded traffic even if the server's private key is later compromised. You need an ephemeral key exchange (ECDHE or DHE/EDH) to achieve this, not RSA key transport.
      •  Support for RFC 5746 secure renegotiation, to mitigate renegotiation-based MITM attacks.
      •  DTLS (Datagram TLS) to secure applications over UDP, for example voice and video.
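The posture slides 16, 18 and 21 describe (TLS 1.2 floor against BEAST, no compression against CRIME, renegotiation handled, ephemeral key exchange for forward secrecy), as an added Python example against the local OpenSSL. It is not NetScaler configuration, and the cipher strings are assumptions chosen for the example:

```python
"""Server-side TLS policy covering the points on slides 16, 18 and 21.

Added example using Python's ssl module on top of the local OpenSSL; it is not
NetScaler configuration. TLS 1.2 is the floor (no TLS 1.0 CBC suites, which is
what BEAST needs), TLS compression is off (CRIME), renegotiation is refused
outright (the simplest posture for an edge device; RFC 5746 is what makes
renegotiation safe where it must stay enabled), and the cipher list admits
only ephemeral (EC)DH key exchange so recorded sessions stay confidential if
the RSA private key is later compromised. The two cipher strings are
assumptions chosen for the example.
"""
import ssl

PFS_SPEC = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL"
# The same list with an RSA key-transport suite mixed in, as a foil.
LEGACY_SPEC = "AES128-GCM-SHA256:" + PFS_SPEC


def build_context(cipher_spec=PFS_SPEC):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)   # OpenSSL >= 1.1.0h
    ctx.set_ciphers(cipher_spec)
    return ctx


def has_forward_secrecy(cipher):
    """cipher is one dict from SSLContext.get_ciphers(). OpenSSL reports the key
    exchange as kx-ecdhe / kx-dhe / kx-rsa ...; TLS 1.3 suites show kx-any, and
    every TLS 1.3 handshake is (EC)DHE, so those count as well."""
    kea = cipher.get("kea", "")
    return kea == "kx-any" or "dhe" in kea


def non_pfs_suites(ctx):
    """Names of enabled suites that would let a recorded session be decrypted
    with the server's long-term RSA key."""
    return [c["name"] for c in ctx.get_ciphers() if not has_forward_secrecy(c)]


def audit(ctx):
    """The three things a scanner would report about this context."""
    return {
        "min_version": ctx.minimum_version.name,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "non_pfs_suites": non_pfs_suites(ctx),
    }


if __name__ == "__main__":
    print("hardened:", audit(build_context()))
    print("legacy:  ", audit(build_context(LEGACY_SPEC)))
```

audit() on the hardened context reports no non-PFS suites; on the legacy context it names AES128-GCM-SHA256, the RSA key-transport suite, which is exactly the suite under which a captured session becomes readable the day the private key leaks.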
  22. •  NetScaler Application Firewall (AppFW) wins Best of Web Application Firewalls 2013 (Essential Guide, Security Readers' Choice Awards). This award is based on votes from Security readers on what they think are the top web application firewalls of 2013, covering both standalone WAFs and products that are part of application acceleration/delivery systems. Criteria are based on essential security features as well as ease of use, configuration and administration.
      •  Link (truncated on the slide): http://-of-Web-application-firewalls-2013
  24. •  A lightweight multi-tenancy solution.
      •  Each tenant gets the experience of a logical NetScaler while actually sharing the same instance.
  25. •  To appreciate Partitions, let us walk through the evolution of the NetScaler architecture.
      •  First we had what today we call the Classic architecture.
      •  Then with 9.2 we introduced nCore.
      •  With 10.0 we introduced Cluster.
      •  Now, in 2014, we are planning to introduce Partitions.
  26. •  This is how the user workflow will look.
      •  First the system admin will create partitions.
      •  The expectation is that the system will enforce the configured limits while allowing sharing of the underlying resources.
      •  Then the partition admin will create workflows within his or her logical NetScaler.
      •  The expectation is that the system will provide sandboxed views for configuration, monitoring, logs, etc.
  27. •  The default or system admin logs in.
  28. •  He or she works under the default partition.
      •  He or she creates partitions. For the demo we are creating two partitions, one called PartUS and another called PartEMEA.
  29. •  The system admin also creates two users and associates them with the partitions just created, namely UserUS and UserEMEA.
  31. •  Then the individual users log in with their credentials.
  32. •  They have their own configuration screens. They create their own workflows and applications.
      •  In this demo, each of our two users creates a load balancer service, namely LBUS and LBEMEA.
  33. •  They can monitor the state of their service in their respective configuration screens.
  34. •  They also have their own separate dashboards, which show the state of affairs for that partition.
      •  In this demo, LBUS is handling 8 req/sec and LBEMEA is handling 24 req/sec.
  35. •  Some more details about the feature:
      •  We collect statistics per partition, for metering and for bursting.
      •  Limits per partition are enforced.
      •  However, transient bursting beyond the thresholds is allowed.
      •  This allows statistical multiplexing and oversubscription of capacity without violating the performance SLA.
  36. •  So how do Partitions fit into the rest of the portfolio?
      •  Partitions are created within one instance. They can be created on an MPX. They can be created on a VPX instance.
      •  They can also be created on each SDX instance. In fact this could be a very effective way of controlling the blast radius.
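The partition workflow and metering behaviour of slides 26 to 35, as an added Python model (not NetScaler code): the system admin creates PartUS and PartEMEA and binds UserUS and UserEMEA to them, each user sees only its own LBUS or LBEMEA, and admission is metered per partition with a transient burst allowed only out of capacity that no other partition is currently entitled to. The capacity figures are assumptions:

```python
"""Admin-partition workflow and metering, modelling slides 24-36.

Added illustration, not NetScaler code. The system admin (in the default
partition) creates partitions with a guaranteed share and a burst ceiling and
binds users to them; a bound user can only create and list objects inside its
own partition; the data path meters admissions per partition, allowing a
transient burst above a partition's share only out of capacity that no other
partition is currently entitled to. Partition, user and vserver names follow
the demo on the slides; the capacity numbers are assumptions.
"""


class Partition:
    def __init__(self, name, max_conn, burst_conn):
        self.name = name
        self.max_conn = max_conn        # guaranteed share (the SLA)
        self.burst_conn = burst_conn    # hard ceiling, even when bursting
        self.active = 0
        self.objects = {}               # sandboxed config: name -> definition
        self.metrics = {"admitted": 0, "burst": 0, "rejected": 0}


class Instance:
    DEFAULT = "default"

    def __init__(self, capacity):
        self.capacity = capacity
        self.partitions = {}
        self.users = {"nsroot": self.DEFAULT}   # user -> partition

    def is_system_admin(self, actor):
        return self.users.get(actor) == self.DEFAULT

    def _require_system_admin(self, actor):
        if not self.is_system_admin(actor):
            raise PermissionError(f"{actor} may not manage partitions")

    # system-admin operations (slides 27-29)
    def add_partition(self, actor, name, max_conn, burst_conn):
        self._require_system_admin(actor)
        self.partitions[name] = Partition(name, max_conn, burst_conn)

    def bind_user(self, actor, user, partition):
        self._require_system_admin(actor)
        self.users[user] = partition

    # partition-admin operations, confined to the caller's partition (slides 31-34)
    def add_lb_vserver(self, actor, name, vip, port):
        part = self.partitions[self.users[actor]]
        part.objects[name] = {"type": "lb vserver", "vip": vip, "port": port}

    def show(self, actor):
        """What the actor's configuration screen lists: only its own objects."""
        return sorted(self.partitions[self.users[actor]].objects)

    # data-path metering (slide 35)
    def _reserved_for_others(self, part):
        """Unused guaranteed share of every other partition; bursts may not touch it."""
        return sum(max(0, p.max_conn - p.active)
                   for p in self.partitions.values() if p is not part)

    def admit(self, partition, n=1):
        part = self.partitions[partition]
        in_use = sum(p.active for p in self.partitions.values())
        if part.active + n <= part.max_conn and in_use + n <= self.capacity:
            part.metrics["admitted"] += n
        elif (part.active + n <= part.burst_conn
              and in_use + n + self._reserved_for_others(part) <= self.capacity):
            part.metrics["burst"] += n          # transient burst into spare capacity
        else:
            part.metrics["rejected"] += n
            return False
        part.active += n
        return True

    def release(self, partition, n=1):
        part = self.partitions[partition]
        part.active = max(0, part.active - n)


def demo():
    """The slide-deck walkthrough: two partitions, two users, one vserver each."""
    ns = Instance(capacity=100)
    ns.add_partition("nsroot", "PartUS", max_conn=40, burst_conn=70)
    ns.add_partition("nsroot", "PartEMEA", max_conn=40, burst_conn=70)
    ns.bind_user("nsroot", "UserUS", "PartUS")
    ns.bind_user("nsroot", "UserEMEA", "PartEMEA")
    ns.add_lb_vserver("UserUS", "LBUS", "10.1.1.10", 80)
    ns.add_lb_vserver("UserEMEA", "LBEMEA", "10.2.2.10", 80)
    return ns


if __name__ == "__main__":
    ns = demo()
    print(ns.show("UserUS"), ns.show("UserEMEA"))
    print([ns.admit("PartUS", 40), ns.admit("PartUS", 20), ns.admit("PartUS", 5)])
    print(ns.partitions["PartUS"].metrics)
```

The property the last rule buys is the one slide 35 claims: PartUS may run above its share while PartEMEA is idle, yet PartEMEA still gets its full share the moment it asks, because bursts never consume another partition's unused guarantee.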
  39. •  Today's data centers are big and complex, with many operational challenges, such as one-arm mode deployment, multi-device configuration, and dynamic service provisioning and management. One-arm mode deployments require routing and service changes to be updated manually on both devices. This can be error-prone, causing unplanned and potentially costly downtime.
  40. •  The Cisco Nexus 7000 provides a new protocol called RISE, Remote Integrated Service Engine. Citrix NetScaler integrates with the Cisco N7K and supports this protocol natively. Cross-functional teams at Citrix and Cisco have been working very closely to deliver the feature.
      •  RISE-integrated ADC devices appear as a virtual blade on the Cisco N7K switch.
      •  Deployment and configuration of the devices can be made plug and play. The protocol helps automate service and route changes across the devices, further optimizing traffic flows within the data center.
      •  NetScaler is the only ADC which integrates with the N7K RISE protocol today.
  41. •  The N7K can discover and auto-attach to devices supporting the RISE protocol. NetScaler devices can be bootstrapped by retrieving their configuration from the N7K via RISE. The N7K supports direct-attach and indirect-attach modes for bootstrap.
      •  Direct attach is used for configuring MPX appliances, and indirect-attach mode is used to configure VPXes running on stock hardware or on SDX.
      •  N7K and NetScaler both support high-availability configurations such as vPC and HA along with RISE.
  42. •  The N7K admin starts by creating a RISE service with the NetScaler IP, assigning a port-channel and configuring VLANs for the NetScaler to be configured.
      •  Auto-discovery allows configuration on the Nexus 7000, which then pushes the settings to the NetScaler.
      •  This simplifies provisioning significantly, reducing the config steps from 30 to 8 in some use cases.
  43. •  RISE automates service changes on NetScaler by propagating the associated routes to the N7K programmatically, eliminating the need for the N7K admin to manually add or delete the corresponding routes.
      •  This also preserves the client IP for the traffic flow.
  44. •  Auto PBR eliminates the need for source NAT or manual PBR configuration in a one-arm mode design.
      •  The APBR feature allows NetScaler to program policies on the N7K's server-facing interfaces to redirect return traffic to the NetScaler appliance set up in one-arm mode.
      •  NetScaler passes the IP address, port number, protocol, etc. of the real servers to the N7K in an Auto PBR message, and a route map is applied on the N7K interface through which the real server can best be reached.
      •  Since it is desirable to change the source IP to the VIP for the return traffic, the APBR policies set the next-hop IP of traffic reaching the N7K interface to the NetScaler IP without modifying the packet.
      •  The NetScaler appliance then directs the packet to the client after changing the source IP to the VIP.
      •  In case of multiple NetScalers connected to the N7K, the RISE Manager on the N7K creates an ACL for each NetScaler's next-hop IP and incorporates it into a route map.
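The route-map behaviour of slides 43 and 44, as an added Python model (not Cisco or Citrix code): each NetScaler's APBR message becomes an ACL keyed on real-server IP, port and protocol with that NetScaler as next hop; a matching reply is policy-routed to the ADC untouched, anything else follows the routing table. The topology and addresses are constructed for the example:

```python
"""Auto PBR route-map model for slides 43-44.

Added illustration, not Cisco or Citrix code. Each NetScaler sends an APBR
message naming its real servers (IP, port, protocol) and its own next-hop
address; on the switch that becomes one ACL per NetScaler, bound to a route
map on the server-facing interface. A reply leaving a real server that matches
an ACL is forwarded to that NetScaler instead of following the routing table,
and the NetScaler rewrites the source to the VIP before sending it to the
client. Addresses and the routing table are constructed for the example.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class AclEntry:
    src_ip: str      # real server
    src_port: int    # port the service listens on
    proto: str       # "tcp" or "udp"
    next_hop: str    # NetScaler address from the APBR message


class RouteMap:
    def __init__(self):
        self.entries = []           # first match wins

    def apply_apbr_message(self, servers, next_hop):
        """servers: iterable of (ip, port, proto) announced by one NetScaler."""
        for ip, port, proto in servers:
            self.entries.append(AclEntry(ip, port, proto, next_hop))

    def withdraw(self, next_hop):
        """Drop a NetScaler's ACL when its services go away or it fails over."""
        self.entries = [e for e in self.entries if e.next_hop != next_hop]

    def next_hop_for(self, packet, routing_table):
        """packet: reply from a server, keys src_ip, src_port, proto, dst_ip."""
        key = (packet["src_ip"], packet["src_port"], packet["proto"])
        for e in self.entries:
            if (e.src_ip, e.src_port, e.proto) == key:
                return e.next_hop            # policy route, packet untouched
        return longest_prefix_match(packet["dst_ip"], routing_table)


def longest_prefix_match(dst_ip, routing_table):
    """routing_table: list of (prefix, gateway)."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, gw in routing_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def reply_as_seen_by_client(packet, route_map, routing_table, netscalers):
    """netscalers: NetScaler next-hop -> VIP it fronts. Returns (path, source IP
    the client sees). A reply that bypasses the ADC arrives with the real
    server's address, which the client never opened a connection to."""
    hop = route_map.next_hop_for(packet, routing_table)
    if hop in netscalers:
        return "via-netscaler", netscalers[hop]
    return "direct", packet["src_ip"]


# Constructed topology: two one-arm NetScalers behind one N7K.
ROUTES = [("0.0.0.0/0", "192.0.2.1"), ("10.1.0.0/16", "10.1.0.1")]
NETSCALERS = {"10.1.1.5": "198.51.100.10", "10.1.2.5": "198.51.100.20"}


def build_route_map():
    rm = RouteMap()
    rm.apply_apbr_message([("10.1.1.20", 80, "tcp"), ("10.1.1.21", 443, "tcp")], "10.1.1.5")
    rm.apply_apbr_message([("10.1.2.30", 8080, "tcp")], "10.1.2.5")
    return rm


def reply(src_ip, src_port, proto="tcp", dst_ip="203.0.113.7"):
    return {"src_ip": src_ip, "src_port": src_port, "proto": proto, "dst_ip": dst_ip}


if __name__ == "__main__":
    rm = build_route_map()
    print(reply_as_seen_by_client(reply("10.1.1.20", 80), rm, ROUTES, NETSCALERS))
    rm.withdraw("10.1.1.5")
    print(reply_as_seen_by_client(reply("10.1.1.20", 80), rm, ROUTES, NETSCALERS))
```

The port in the match is what keeps the policy narrow: an SSH session or a monitoring reply from the same server still takes the normal route. And withdraw() is the step to watch during NetScaler failover, since a stale entry sends replies to a next hop that is no longer there, while a missing one lets replies bypass the ADC with the real server's address as source, which the client rejects.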
  46. •  Significantly simplified deployment, as administrators do not need to configure complex VLAN and route settings to enable rich availability and routing features. Natively integrated with the Nexus 7000 vDC and vPC architecture.