Understanding the NetScaler Features that will Help You Optimise the Services You Take to Market.
I’m conscious that there is a lot of information in this blog; however, I’ve consolidated much of it to help make it clearer and, hopefully, easier for you to understand the fundamentals. It is worth learning these NetScaler features, as doing so will help you maximise the benefits and optimise the services you take to market.
For example, you may supply your services to market verticals that would benefit from remote access, but that would also benefit from being able to prevent anyone from using a personal device to access sensitive accounting or HR information. This can be achieved using SmartAccess, which I provide some insight into below.
NetScaler Gateway Enterprise VPX Features
ICA Proxy facilitates basic remote access connections into a XenApp or XenDesktop platform using SSL, usually over a public internet connection, for users of devices including smartphones, tablets, Linux and Windows devices, thin clients (including the Raspberry Pi) and Apple Macs.* If your customer requires remote access to XenApp or XenDesktop applications over the internet or across NAT’d networks, you need the ICA Proxy feature. Adding XenApp and/or XenDesktop along with NetScaler to a typical RDS DaaS solution will provide you with the Citrix Mobile Workspace benefits and the industry’s best user experience.
If you need additional security, high availability and visibility of the end user experience on your platform then you need NetScaler VPX and its market leading ADC features.
Deploying ICA Proxy is straightforward, and Citrix have created this excellent deployment guide for you to use: https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/deploying-netscaler-gateway-in-ica-proxy-mode.pdf
Incidentally, if you don’t know about Carl Stalhood already then check out his web page - www.carlstalhood.com - Carl is a Citrix Technology Professional (CTP) and globally recognised for his outstanding “filling the gaps” configuration and deployment content across the core Citrix products. He is also on Twitter and I would strongly recommend following him; his tweets are extremely informative! While you’re at it, you should also follow me! @darrenbennett76
If you still have questions about deploying ICA Proxy or NetScaler generally, please don’t hesitate to contact me.
*To connect to XenApp and XenDesktop, a user device requires either an HTML5 client or a native OS-based client, the Citrix Receiver. Citrix Receiver is available for Windows, Linux, Apple Mac OS, iOS, Android and Windows Phone, and is pre-installed on Citrix HDX Ready thin client terminals from vendors including the Raspberry Pi, WYSE, HP and iGel.
Full SSL VPN is of course a traditional SSL VPN, including IPsec, L2TP and PPTP, and requires a software VPN client or browser plugin. The VPN client is available for Windows, Mac OS X and iOS.
SmartAccess is a contextually aware security feature that provides comprehensive policy driven control of access to resources via the NetScaler platform. With SmartAccess you can restrict access to content based on many filters including the users’ location, device type or network. This is a really powerful feature and I’ll provide more detail in the next blog.
Clientless Access is specific to web-based resources and, as the name suggests, provides access to web resources without the requirement for any additional client software (only a web browser is required). Typical Clientless Access web applications include web mail, intranet applications and web-based SaaS applications.
MicroVPN is used for VPN access at the application layer. Typical MicroVPN applications include XenMobile and ShareFile.
NetScaler VPX Features
The NetScaler VPX includes all of the features of NetScaler Gateway Enterprise VPX plus the comprehensive list of ADC features below. Some of these are more likely to help meet your requirements than others, so I’ll go into those in more detail in part four.
Cache Redirection analyses incoming requests and forwards the requests for already cached data to cache servers. Dynamic HTTP requests and non-cacheable requests are forwarded to the origin servers. Cache redirection is a policy-based feature and is generally deployed in platforms with high volumes of web content.
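As an added illustration (not NetScaler’s own code or policy syntax), the Python below applies the cache-redirection decision described above to constructed HTTP requests; the bypass rules it uses are assumed for the example, and the security-relevant one is that anything carrying a Cookie or Authorization header is treated as private and sent to origin rather than a shared cache.

```python
# Added example: a cache-redirection decision mirroring the policy described above.
# Requests for static, cacheable content go to the cache tier; dynamic or
# non-cacheable requests go to the origin servers. Rules are assumed, not NetScaler's.
from typing import Dict

# Extensions assumed to denote dynamically generated content.
DYNAMIC_EXTENSIONS = (".asp", ".aspx", ".php", ".jsp", ".cgi", ".pl")


def parse_request(raw: str):
    """Split a constructed HTTP/1.1 request into method, target and lower-cased headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers


def cache_redirect_target(raw: str) -> str:
    """Return 'cache' for cacheable requests and 'origin' for everything else."""
    method, target, headers = parse_request(raw)
    # 1. Only safe, idempotent methods are candidates for cached content.
    if method not in ("GET", "HEAD"):
        return "origin"
    # 2. Credentials mean personalised content; never serve it from a shared cache.
    if "cookie" in headers or "authorization" in headers:
        return "origin"
    # 3. The client explicitly asked to bypass caches.
    cc = headers.get("cache-control", "").lower()
    pragma = headers.get("pragma", "").lower()
    if "no-cache" in cc or "no-store" in cc or "no-cache" in pragma:
        return "origin"
    # 4. Query strings, URL tokens and dynamic extensions indicate dynamic content.
    path, has_query, _query = target.partition("?")
    if has_query or ";" in path or path.lower().endswith(DYNAMIC_EXTENSIONS):
        return "origin"
    return "cache"


# Constructed sample requests (hypothetical host and paths).
STATIC_REQ = "GET /css/site.css HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
LOGGED_IN_REQ = "GET /css/site.css HTTP/1.1\r\nHost: www.example.com\r\nCookie: session=abc\r\n\r\n"
DYNAMIC_REQ = "GET /account/balance.aspx?id=42 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
POST_REQ = "POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n"
```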
Content Switching analyses client requests and redirects the requests to specific servers on the basis of geographical area, authorisation credentials, and the device from which the request was initiated. Content Switching is useful for directing traffic to multiple back-end servers from a single public IP address and helps facilitate both service availability and efficient compute resource utilisation - I have often found that this feature can be used more often than originally thought.
DataStream ensures optimal distribution of traffic from the application and webservers to the database servers. It enables you to segment traffic according to information in the SQL query and on the basis of database names, user names, character sets and packet size.
Domain Name System provides authoritative domain name server (ADNS server) functionality for a domain. The NetScaler appliance functions as a DNS end resolver and forwarder which also helps in name resolution when fully qualified domain names are not configured.
Firewall Load Balancing distributes the traffic across multiple firewalls, providing fault tolerance, increased throughput, and high availability.
AppFirewall is a web application firewall used for protecting web applications from known and unknown web attacks, including all application layer and zero-day attacks.
SSL Offload and Acceleration offloads SSL processing from a back-end web server to the NetScaler appliance to accelerate SSL transaction times and provide more efficient processing of cryptography. Windows servers in particular are not as efficient at processing SSL traffic as NetScaler and by offloading this processing, the Windows IIS servers can be consolidated and focused on delivering content, rather than processing cryptography.
Single Sign-On via a NetScaler is achieved by leveraging Security Assertion Markup Language (SAML), with the NetScaler operating as an Identity Provider (IdP) to federate between service providers (SPs) and a directory containing user objects (LDAP). For example, SAML IdP can be used to federate authentication for Office 365, ShareFile, SalesForce and SAP - I’ll go into this a bit deeper later in this series.
AAA-TM, or authentication, authorisation and auditing traffic management, is the authentication and access control powerhouse of the NetScaler platform. This is a significant subject that needs much discussion, but as an example, Single Sign-On for ShareFile and other applications uses AAA-TM. Additionally, as mentioned above, Single Sign-On using SAML and nFactor (numerous factors) authentication can be used across multiple, secure identity challenges for highly secure access requirements into platforms or at an individual application level.
NetScaler Insight provides service providers with end-to-end visibility of network performance for HDX and web traffic. With Premium XenApp or XenDesktop, NetScaler Insight HDX data can be integrated with the Citrix Director console for a single-pane-of-glass health monitoring overview of a Citrix mobility workspace platform. Some of the information NetScaler Insight can provide includes RTT for HDX traffic, network latency and jitter. If you’re deploying a near real-time protocol like Citrix ICA over disparate networks, you should seriously consider NetScaler Insight!
Traffic Domains are the basis of the underlying NetScaler operating system and can also be used to facilitate multi-tenancy including the use of the same IP addresses for multiple tenants.
RDP Proxy is simply the Microsoft RDP equivalent of ICA Proxy, used for secure reverse proxy connectivity into RDS server platforms.
IP Reputation uses Webroot Inc. as a service provider and allows NetScaler to preemptively reject requests coming from known bad IP addresses including botnet attacks, spammers, phishing proxies, anonymous proxies etc.
Global Server Load Balancing (GSLB) enables disaster recovery and ensures continuous availability of applications by protecting against points of failure in a wide area network (WAN).
Link Load Balancing load balances outbound traffic across multiple Internet connections to transmit packets seamlessly over the best possible link.
Layer 4-7 Load Balancing distributes user requests for web pages and other protected applications across multiple servers to prevent server overloading and failure. Load balancing also provides fault tolerance.
TCP Optimisation profiles are included in the operating system for common deployment scenarios and can also be created for custom requirements. For example, a pre-configured XenApp and XenDesktop profile is supplied with the NetScaler operating system and is tuned for common XenApp and XenDesktop deployments. To help improve performance and security, the XenApp and XenDesktop TCP optimisation profile settings include the following: Windows Scaling, HTTPv1, Drop invalid HTTP requests, Selective Acknowledgement and use Nagle Algorithm.
Front End Optimisation is used to optimise web content as it leaves the NetScaler. Some examples of this seriously cool feature can be found here – NetScaler Front End Optimisation
Coming up in part four, I look at some of these features in a bit more detail in relation to a typical CSP mobility-orientated service.
By Darren Bennett, Partner Enablement Specialist (Citrix), rhipe