Citrix Presentation Template Guidelines

Snorre Brandt Hansen
Systems Engineer
Citrix
Agenda
0915 – 0930  Registration with breakfast and coffee
0930 – 1015  NetScaler functionality
1015 – 1030  Break
1030 – 1115  NetScaler demo
1115 – 1130  Questions
Reference cases, white papers, product information
http://hqfastapps.com
Key takeaways
• Offload your servers by up to 80%
  • Fewer servers to purchase
  • Fewer servers to manage and administrate
  • Fewer servers to patch
  • Reduced license cost
• Accelerate client access
  • Caching
  • Compression
  • TCP optimization
• Secure your servers and deliver healthy data to clients
  • Protect against attacks such as SQL injection and XSS
  • Protect your XML applications
The Impact of Next Generation Web Apps
1. More apps, more users, more formats, more unknowns: with an RIA agent in the browser there are more connections, more verbose content and more protocols.
2. The web app is loaded once; after that the RIA agent and server exchange data in the background.
Rich web apps use XML, SOAP, text, REST, JSON and Atom/RSS over HTTP, with DOM, JavaScript and CSS in the browser.
Frameworks: AJAX, FLEX, Silverlight
NetScaler Speeds User Application Delivery
(Chart: response time in seconds, with vs. without NetScaler)
SharePoint: 0.22 with NetScaler, 2.04 without
SAP: 1.1 with NetScaler, 5.22 without
Siebel CRM: 1.3 with NetScaler, 6.41 without
Oracle Forms: 4 with NetScaler, 10.1 without
Netscaler Features
NetScaler and the 4 Feature Buckets
(Diagram: Internet and clients on one side, NS in the middle, servers on the other)
Acceleration
• TCP Optimization
• Web Compression
Security
• DDoS Protection
• Content Filtering and Redirection
• Web Application Firewall
• SSL VPN
Availability
• Load Balancing Layer 4 and Layer 7
• Global Server Load Balancing
• Content Rewrite and Redirection
• Surge Protection and Sure Connect
Offload
• TCP Multiplex and Reuse
• SSL Offload
• Cache (Static and Dynamic)
• Consolidated Web Logging
• TCP Buffering
Netscaler Acceleration
• TCP Optimization
• Compression
NetScaler and TCP Connections
NetScaler is a TCP proxy: the client sends its TCP SYN to NS, and NS sends its own SYN to the web tier.
TCP Connection without Citrix NetScaler
Client <-> Server: SYN, SYN+ACK, ACK (server allocates storage for the connection), GET, Data, Data, Data, FIN, ACK, FIN, ACK (server deallocates storage for the connection).
Server sees eleven packets.
TCP Connection with Citrix NetScaler
Client <-> NetScaler: SYN, SYN+ACK, ACK, GET, Data, Data, Data, FIN, ACK, FIN, ACK.
NetScaler <-> Server: GET, Data, Data, Data.
Server sees four packets.
HTTP compression:
- Less bandwidth used
- Faster response time, fewer packets on the wire
(Diagram: request across the Internet; the server returns an uncompressed response, NetScaler returns a compressed response to the client)
Compression
CMP can in many cases improve application/site performance and improve the user experience. CMP can vastly improve performance for hand held devices. CMP is a great benefit for Intranets at the Enterprise with branch offices and will improve user experience. CMP can save your organisation money.
When to consider CMP:
• All public Internet sites
• When addressing the mobile market
• At the enterprise when a number of locations are remote or branch offices with limited bandwidth
• When servers already do CMP, this should be offloaded to NetScaler
Why consider CMP:
• Improve application performance
• Bandwidth saving == money saving
• Server offload == money saving
Netscaler Security
NetScaler’s Enhanced Protection Feature (All TCP)
• SYN/TCP Attack Protection: NetScaler stops bare SYNs, handles cold connections
• DoS Protection: NetScaler drops/slows suspect clients
• Content Filtering: drops suspect traffic
• Access Control Lists: block unwanted traffic
• Surge Protection: NetScaler smooths traffic
Application Firewall: Deployment Architecture
Citrix Application Firewall
• The Citrix Application Firewall provides one product that protects today’s mission-critical web applications
• The Citrix Application Firewall defends customer web infrastructures from identity theft, lost revenue, & brand erosion
Most Common Vulnerabilities
(Chart; source: Copyright 2007 WASC, White Hat Security)
Network Firewalls vs. Application Firewalls
Network Firewalls (Packet Inspection)
• Manage network traffic
• Protect at network layer (3)
• Manage access to corporate LANs
• Allow simple forwarding of approved packets
• Use ports 80 (HTTP) and 443 (HTTPS) for open access
Application Firewalls (Deep Stream Inspection)
• Manage web traffic
• Protect at application layer (7)
• Monitor HTTP, HTTPS and XML protocols
• Protect application and backend data from malicious attacks and unauthorized use
• Perform deep packet inspection of all traffic to and from the web servers
How does the Citrix Application Firewall provide for PCI-DSS compliance?
• Protects both web applications and web services
• Enforces secure use of applications and protocols
• Ensures authentication of users and processes
• Blocks or masks credit cards from being displayed
• Provides for centralized policy configuration
• Detailed logging, alerting, and reporting
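The "blocks or masks credit cards from being displayed" item above is a response-side check. As an added illustration (not Citrix code, and not how the appliance implements it), the block below scans a constructed response body for digit runs, keeps only those that pass the Luhn checksum so order numbers and phone numbers are left alone, and masks the rest down to the last four digits. The card number in the sample is a widely used test number, not a real account.

```python
import re

# 13 to 19 digits, optionally grouped with spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_cards(body: str) -> tuple[str, int]:
    """Mask each Luhn-valid card number in body; return (masked body, count)."""
    masked = 0

    def repl(m: re.Match) -> str:
        nonlocal masked
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw          # a plain number, not a card: leave it alone
        masked += 1
        return "x" * (len(digits) - 4) + digits[-4:]

    return CARD_RE.sub(repl, body), masked


# Constructed response body: an order id that fails Luhn, then a real-looking card.
SAMPLE_BODY = (
    "<p>Order 4111111111111112 confirmed.</p>"
    "<p>Card on file: 4111 1111 1111 1111</p>"
)

if __name__ == "__main__":
    out, n = mask_cards(SAMPLE_BODY)
    print(n, out)
```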
SSL VPN (Access Gateway)
• Hardened appliance replaces Secure Gateway
• Single logon experience to XenApp Web Interface
• Support for all applications and protocols
• Right-sized solution
• Market leading performance & scalability
• Business Continuity options available
• Application access and action control with SmartAccess
Multiple SSL VPN Instances per Appliance
Each appliance supports up to thousands of instances. A virtual server defines an SSL VPN instance, so every company/department can now have their own point of entry.
Each virtual server has a unique:
• IP address and FQDN with SSL certificate
• Authentication configuration
• Policy set
Example: employee.company.com (10.10.10.1), partner.company.com (10.10.10.2), vpn.subsidiary.com (10.10.10.3)
Netscaler Availability
• L4-L7 Load balancing
• GSLB
• Content Rewrite & Redirection
• Surge Protection & Sure Connect
Load Balancing
Overview: Load Balancing Methods
Depending on the application type, there are different ways of splitting the load between services, the most commonly used being:
• Round Robin
• Least Response Time
• Least Connections (default)
• Least Bandwidth
• URL Hashing
• Source and/or Destination IP hashing
• Custom Load (SNMP based)
If in doubt, use Round Robin. It is the safest and prevents a single malfunctioning server serving “500” errors from taking all the traffic.
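As an added example (not from this deck or from Citrix), the model below implements three of the methods listed above and shows why the slide says to use Round Robin when in doubt: a server that fails instantly with "500" looks like the fastest one, so Least Response Time sends it every request, while Round Robin caps the damage at that server's share. Service names, timings and request paths are constructed.

```python
import zlib
from collections import Counter
from itertools import cycle

# Constructed service table: name -> (response time in ms, HTTP status).
# "broken" answers in 5 ms because it errors out before doing any work.
SERVICES = {"svc-a": (120, 200), "svc-b": (110, 200), "broken": (5, 500)}


def round_robin(services):
    """Fixed rotation; ignores measured speed, so no server can attract all load."""
    order = cycle(services)
    return lambda path: next(order)


def least_response_time(services):
    """Pick the currently fastest service; a fast-failing server wins every time."""
    return lambda path: min(services, key=lambda name: services[name][0])


def url_hash(services):
    """Pin each URL to one service with a stable hash of its path."""
    names = sorted(services)
    return lambda path: names[zlib.crc32(path.encode()) % len(names)]


def simulate(chooser, services, paths):
    """Route each path through chooser; return (hits per service, count of 500s)."""
    hits, errors = Counter(), 0
    for path in paths:
        name = chooser(path)
        hits[name] += 1
        errors += services[name][1] == 500
    return dict(hits), errors


PATHS = [f"/item/{i}" for i in range(300)]   # constructed request stream

if __name__ == "__main__":
    for label, method in [("round robin", round_robin),
                          ("least response time", least_response_time),
                          ("url hash", url_hash)]:
        print(label, *simulate(method(SERVICES), SERVICES, PATHS))
```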
Load Balancing
Overview: Persistence Methods
Most application servers depend on an individual user persisting to one back-end server. As such, vservers have persistence methods including:
• HTTP Cookie insertion
• Source IP
• SSL Session ID (useful for Access Gateway Balancing)
When balancing HTTP or doing SSL offload, cookie insertion is recommended if persistence is needed.
When balancing other protocols like SMTP or LDAP, Source IP persistence is generally your best bet.
Load Balancing
Service and Vserver Relationship
(Diagram: User’s Request -> Vserver object (IP:port + protocol) -> LB processing -> Service objects (Service 1 and Service 2, each IP:port + protocol) -> Server 1 and Server 2 (IP:port))
The flow of traffic is dictated by the vserver and service relationship, which is called “binding.”
1. A request comes from a user.
2. It is received by the vserver object and is processed based on the vserver attributes.
3. When a load-balancing decision occurs, the request is passed to the appropriate service object.
4. Based on the service attributes, the request is sent to a server’s IP and port.
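The binding flow above and the two persistence recommendations from the previous slide, as one added model (not Citrix code): a vserver accepts only services bound with its protocol, makes a round-robin decision, and then pins the user either by an inserted cookie (HTTP) or by source IP (other protocols such as LDAP). The cookie name, service names and addresses are constructed.

```python
from itertools import cycle

COOKIE = "NSC_persist"   # constructed cookie name, not a real NetScaler default


class Service:
    """Service object: a server IP:port plus the protocol it is bound with."""
    def __init__(self, name, ip, port, protocol):
        self.name, self.ip, self.port, self.protocol = name, ip, port, protocol


class VServer:
    """Vserver object: receives the request, decides the LB target, applies persistence."""
    def __init__(self, ip, port, protocol, services):
        self.ip, self.port, self.protocol = ip, port, protocol
        # Binding: only services of the vserver's own protocol are eligible.
        self.services = [s for s in services if s.protocol == protocol]
        self.rr = cycle(self.services)             # round-robin LB decision
        self.by_name = {s.name: s for s in self.services}
        self.by_src = {}                            # source-IP persistence table

    def route(self, src_ip, cookies=None):
        """Return (service, Set-Cookie value or None) for one request."""
        cookies = cookies or {}
        if self.protocol == "HTTP":
            svc = self.by_name.get(cookies.get(COOKIE))
            if svc is not None:
                return svc, None                    # cookie pins the user here
            svc = next(self.rr)                     # no or stale cookie: balance
            return svc, f"{COOKIE}={svc.name}"
        svc = self.by_src.get(src_ip)               # non-HTTP: remember source IP
        if svc is None:
            svc = self.by_src[src_ip] = next(self.rr)
        return svc, None


SERVICES = [Service("web1", "10.0.0.11", 80, "HTTP"),       # constructed
            Service("web2", "10.0.0.12", 80, "HTTP"),
            Service("ldap1", "10.0.0.21", 389, "LDAP"),
            Service("ldap2", "10.0.0.22", 389, "LDAP")]

if __name__ == "__main__":
    http_vs = VServer("192.0.2.10", 80, "HTTP", SERVICES)
    svc, cookie = http_vs.route("198.51.100.5")               # first request
    again, _ = http_vs.route("198.51.100.5", {COOKIE: svc.name})
    print(svc.name, cookie, again.name)                        # web1 NSC_persist=web1 web1
    ldap_vs = VServer("192.0.2.10", 389, "LDAP", SERVICES)
    print(ldap_vs.route("198.51.100.5")[0].name, ldap_vs.route("198.51.100.5")[0].name)
```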
What is GSLB?
• Distributes network traffic across multiple sites
• Reduces application latency
• Distributes server load across multiple sites
• Disaster recovery
NetScaler GSLB
(Diagram: B2C, B2B and P2P users reaching Site A and Site B)
Different GSLB Site Selection Methods
• Round Robin (weighted or unweighted)
• Geographic Proximity (static or dynamic)
• Load Based
• User-Defined Policies
• Disaster Recovery (includes auto and manual fallback)
• Persistence Based
How Does GSLB Work?
1. Client makes a DNS request: “What site should I go to?”
2. NetScaler returns the IP of the most available site: “Go to site number 3.”
3. Client makes a network connection to the specific IP (Site 1, Site 2 or Site 3).
Content Rewrite & Redirection
• Minimizes “ripple effect” of changed URLs
  • App changes
  • Infrastructure changes
  • M&A activity
• Simplifies change management
• Increases security by obfuscating internal info
Example rewrites:
from: http://AbCo/finance/default.asp, http://mktg/default.asp, http://OldCo/cgi-bin/...
to: http://www.abco.com/corpinfo/, http://www.abco.com/products/, http://www.abco.com/empl/...
Netscaler Offload
TCP Connection Multiplexing
(Diagram: client connections carrying application requests into NetScaler, one server connection to the web server)
1. NetScaler terminates connection
2. Client transmits requests
3. NetScaler establishes server connection
4. NetScaler transmits client requests
5. Other clients follow same procedure
6. Multiple client requests are transmitted across common server connection
SSL Offload: With the NetScaler System
The NetScaler system pre-establishes persistent TCP server connections in some cases.
1. Client establishes TCP connection to the NetScaler system
2. The NetScaler and client negotiate encryption and generate a secret using the SSL cert
3. Client and the NetScaler system encrypt the traffic (HTTPS); the connection between the NetScaler system and the server is clear text
Integrated Caching
(Diagram: the initial request from customers, suppliers/partners, mobile users or remote employees fetches the original content; additional requests are served from the cached copy)
Flash Cache
Expire After Full Response Received
(Diagram: same request flow as above; the cached copy expires after the full response has been received)
Successful Web Application Delivery with NetScaler
(Diagram: B2C, B2B and P2P users reach the applications through NetScaler, with Access Gateway SSL VPN in front; features grouped under Availability, Acceleration, Offload and Security)
• World-class L4-L7 load balancing
• Intelligent service health monitoring
• TCP Optimization
• TCP Multiplexing
• Caching
• Compression
• TCP Buffering
• SSL Offload
• Application firewall
• DDoS
• Content Filtering
Netscaler 9.x New Features
NetScaler 9.x: Over 350 New Features
• Simplified application deployment
• Simplified application operation
• Simplified application change
Expert-in-a-box Templates Cut Deployment Times from Days to Minutes
• AppExpert Templates cut deployment times from days to minutes
• Comprehensively defines applications
• Consolidates app-specific configuration in one place
• Simplifies ongoing lifecycle management
AppExpert Templates Built to be Shared
AppExpert Templates
• AppExpert Templates can be imported/exported
• Easiest way to share/distribute app-specific configurations
community.citrix.com
• AppExpert Templates posted and shared
• Community encouraged to post extensions to AppExpert Templates
http://community.citrix.com/appexpert
Ensure SLAs are Met with Rate-based Policy Enforcement
(Diagram: partners, lines of business and customers on one side; spiders, botnets, scrapers, etc. on the other)
• Ensures the right users are given appropriate capacity
• Ensures the wrong users are not given appropriate capacity
• Ensures no single user/application overwhelms a shared infrastructure
• Integrated with all NetScaler functions
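As an added example of what a rate-based policy enforces (not Citrix code, and not NetScaler's own algorithm), the block below keeps one token bucket per source IP so that a scraper bursting 50 requests in a second is throttled while a client requesting every half second is untouched. The request log, limits and addresses are constructed; the bucket uses integer milli-tokens so the counts are exact.

```python
from collections import defaultdict


class RateLimiter:
    """One token bucket per source IP. Integer milli-tokens avoid float drift."""
    def __init__(self, rate_per_sec: int, burst: int):
        self.rate, self.cap = rate_per_sec, burst * 1000
        self.tokens = defaultdict(lambda: burst * 1000)   # new sources start full
        self.last = {}                                     # last refill time (ms)

    def allow(self, src_ip: str, now_ms: int) -> bool:
        """Refill for the elapsed time, then spend one token if one is available."""
        elapsed = now_ms - self.last.get(src_ip, now_ms)
        self.tokens[src_ip] = min(self.cap, self.tokens[src_ip] + elapsed * self.rate)
        self.last[src_ip] = now_ms
        if self.tokens[src_ip] >= 1000:
            self.tokens[src_ip] -= 1000
            return True
        return False


def constructed_stream():
    """Constructed request log as (timestamp ms, source IP): a normal client
    every 500 ms, and a scraper firing 50 requests within one second."""
    events = [(t * 500, "198.51.100.7") for t in range(10)]
    events += [(i * 20, "203.0.113.9") for i in range(50)]
    return sorted(events)


def enforce(stream, rate_per_sec=5, burst=10):
    """Apply the policy to a stream; return ({ip: allowed}, {ip: denied})."""
    limiter = RateLimiter(rate_per_sec, burst)
    allowed, denied = defaultdict(int), defaultdict(int)
    for ts, ip in stream:
        (allowed if limiter.allow(ip, ts) else denied)[ip] += 1
    return dict(allowed), dict(denied)


if __name__ == "__main__":
    print(enforce(constructed_stream()))
```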
HTTP Service Callouts
Invoke external functionality from within NetScaler Policies
(Diagram: users -> Citrix NS policy -> HTTP callout request/response to an external HTTP server -> destination servers)
1. Policy sends HTTP request to an external service
2. Result used like any other policy evaluation result
3. Available in multiple modules
HTTP Service Callout Use Cases
• IP blacklisting
• SPAM verification
• Access control
• Identity management integration
• Custom content rewrite
• UDDI access
• Format loading
XML Protections
Fully integrated with Application Firewall Module
XML Security protections – QuickTree integration
• XML syntax conformance
• XDoS attack prevention
• Cross site scripting/SQL injection attack protection
• XML message attachment inspection
• Response side checks
• WS-I conformance checks
• WSDL/Schema validation
Protect HTML and XML-based applications
Netscaler Products
NetScaler Solutions for Every Market
(Chart: throughput from 500 Mb to 100 Gbps against number of applications, from 1 up to 100’s of apps / multi-tenancy; market segments SMB/XenApp, larger enterprise, and service provider/telco/cloud + Internet centric)
Models by throughput: MPX 5500 (500Mb), MPX 7500 (1Gb), MPX 9500 (3Gb), MPX 10500 (5Gb), MPX 12500 (8Gb), MPX 15000 (15Gb), MPX 17000 (18Gb)
NetScaler MPX-Series Specifications
MPX Model | Port Configuration                | Power Supply           | Default L7 Throughput (Gbps) | CMP (Gbps) | HTTP RPS (K) | SSL TPS (K) | SSL (Gbps)
5500      | 4x10/100/1000                     | Single Only            | 0.5  | 0.5 | 50   | 4  | 0.5
7500      | 8x10/100/1000                     | Single w/ Optional 2nd | 1.0  | 1.0 | 100  | 8  | 1
9500      | 8x10/100/1000                     | Single w/ Optional 2nd | 3.0  | 2.0 | 200  | 16 | 3
15000     | 2x10GE + 8x10/100/1000            | Redundant              | 15.0 | 3.5 | 900  | 60 | 6
17000     | 2x10GE + 8x10/100/1000 or 4x10GE  | Redundant              | 18.0 | 5.5 | 1500 | 80 | 6.5
MPX: Promoting Green Computing
Low Power Operation:
• 20-50% under competitive offerings on power/throughput ratings
Increased functional integration:
• Maximum feature concurrency at high loads
• Integrate point products: Load balancers, Caching, SSL VPN, Application Firewalls, etc.
• Server farms reduced in excess of 50-80%
Minimized network segmentation:
• Maintain 10GE links
• Fewer switches required
Three New MPX-Series Application Delivery Controllers
MPX 5500
MPX 7500 and MPX 9500
• Full concurrent use of all NetScaler functional modules, including Platinum Edition
• Granular throughput offerings: from 500 Mbps to 3 Gbps
• Maximum scalability with multi-core architectural design
• Lowest ADC total cost of ownership
MPX: Industry Firsts
Highest feature concurrency: no module usage limitations
Most fully integrated ADC including SSL VPN and app firewall
Unique “Pay as you grow” option
Smallest form factor with compact 1U designs to 3 Gbps
Fastest stand-alone appliance form factor with 18 Gbps
Only entry level model with 500 Mbps for SMB and XenApp users
Best throughput/power ratio available
Fully supports server auto provisioning with XenServer and WorkFlow Studio
MPX Hardware Specifications
                 | MPX 5500                         | MPX 7500/9500
Processor (CPU)  | Dual-core 1.86 GHz, 6MB L2 Cache | Quad-core 2.33 GHz, 6MB L2 cache
Memory           | 4 GB                             | 8 GB
Ports            | 4x10/100/1000M copper            | 8x10/100/1000M copper
Hard Drive       | 250GB                            | 250GB
Power Supplies   | Single 300W                      | 1 + optional 2nd 450W (redundant)
SSL              | Single Core                      | Quad Core
Editions         | Standard, Enterprise, Platinum   | Standard, Enterprise, Platinum
NetScaler MPX-Series Summary
• Only ADC solution offering complete advanced ADC functionality:
  • Application firewall
  • Global Server Load Balancing
  • Advanced acceleration
  • SSL VPN
• Provides the maximum feature concurrency in the industry with no simultaneous module use limitations
• Scalability and flexibility that next generation dynamic data centers will require
• Offers the best performance/price ratio across the spectrum
• Supports workload virtualization for realization of dynamic data centers