5 Cool things you can do with

Citrix NetScaler

NetScaler is the Coolest Networking product Ever

AppFlow Insight

AutoScale

SPDY Gateway

Diameter Load Balancing

Kerberos Constrained Delegation

App Visibility

End User

Web

Front

App

Server

Tap Agent

Agent

DB

Server Agent

Instrumentation Limiting

Ubiquitous App Visibility

Tap

Tap

Limited,

Expensive

Tools

Costly | Intrusive | No Standards

Getting it Right

End User

Web

Front

App

Server

Tap Agent

Agent

DB

Server Agent

In-Place Real Estate

Tap

Tap

Limited,

Expensive

Tools

Non-Instrusive| App Aware| Standardized

ADC

ADC

WOC

ADC

AppFlow

Simple

Tool AppFlow

Simple

Tool AppFlow

Simple

Tool AppFlow

• Actual flow records that follow a given templates Template

• Unidirectional IP packets identified by five tuples: sourceIP, sourcePort, destIP, destPort, and protocol Flow

• Data points on traffic streams passing through the device Record

• Device which generates flows sent to the collector Exporter

• Third-party tools aggregating records for reporting purposes Collector

• Standard based on IPFIX

• Transaction level visibility for HTTP, SSL, TCP and SQL

• Ability to sample and filter desired flow types

• Flow records transmitted to external collectors

• Collectors aggregate the flow records for real-time reporting

• Collector for AppFlow records

• NetScaler driven consumer and analytic module

• Built-in analytic for ᵒ End to end Application performance

ᵒ Analytic data from Layer 2 to Layer 7

ᵒ Application Debugging

ᵒ Client and Server side analytic

• Built-in specialized reports for Application

• Easy setup and simple to use with multiple NetScalers

AppFlow Insight Architecture

NetScaler AppFlow Client

AppFlow Analytics • Application

High Performance Collector • IPFIX

AppFlow Client Stack

• Clients

• RESTful

NITRO API • Pluggable

UI • Mobile

High Performance data store

• Object based Reporting module

• Intuitive Navigation with multiple starting points

• Each Navigation leads to one or more Reports

• Client Side Monitoring features integrated seamlessly

• Helpful in drilling down on specific Objects like ᵒ URL

ᵒ Client

ᵒ Server

ᵒ Form Factor

ᵒ Operating System

• Data movement across various components

• Access visibility through Application and Data

• Details of Request and Response parameters

• Different client types access

• Details of the client form factor

• Applications are key and we help define ᵒ Top Apps by Hits

ᵒ Bandwidth

ᵒ Response Time

• HTTP monitoring stats ᵒ Client Network Latency

ᵒ Server Network Latency

ᵒ Server Processing Time

• Client side stats ᵒ Page load time

ᵒ Page render time

• Deep dive into HTTP req/res streams

• Reports on: ᵒ Form factor

ᵒ Operating System

ᵒ Request Methods

ᵒ Response Status

• Client and Server association

• Waterfall Chart

• Ability to analyze the Syslogs

• Efficient reporting on Syslogs ᵒ Enables better visibility

ᵒ Provides Security related data

ᵒ Provides access and audit info

• Reports to be built on need and use case basis

• NITRO APIs are available for all objects ᵒ Device

ᵒ Application

ᵒ Server

ᵒ Client

ᵒ Form factor etc…

• SDK is available for Java and C#

• Sample REST API request/response http://10.102.31.209/nitro/v1/appflow/app_unit?duration=last_1_day&args=device_ip_address:10.102.126.205

Response : { "errorcode": 0, "message": "Done", "app_unit": [ { "name": "iis2", "rpt_sample_time": "-1", "total_bytes": "396867",

"network_latency_client_side": "430", "device_ip_address": "10.102.126.205",

"server_response_time": "9730", "network_latency_server_side": "1338",

"application_response_time": "10161", "ip_address": "10.102.126.164", "total_requests": "7" } ] }

Load Balancer provides High Availability for Server farm

Internet

Spike in traffic overloads the server farm

M

M

M

M

M

M

Less powerful servers start to fail Snowball effect, load shifts to other servers Application responsiveness suffers, pages time out

Solution

• Over provision to handle peak load

• Idle resources

• Higher Capex and Opex

CloudStack

NetScaler provides Load Balancing and High Availability for Server farm

M

M

M

M

NetScaler monitors servers for CPU, Memory, Latency, Throughput … NetScaler monitoring engine auto-detects run time issues with servers

M

M

NetScaler triggers AutoScale capability in CloudStack CloudStack “auto-provisions” new server instances based on AutoScale policy On successful AutoScale, CloudStack provides new service descriptions NetScaler automatically adds new service resources and binds to LB Traffic is seamlessly scaled to the newly added services on NetScaler

M

M

Internet

#CitrixSynergy

AutoScale Actions

• Provision new servers

• De-provision new servers

• Syslog events

Application Triggers

• Server CPU

• Application Response time

• Concurrent connections

• Time of the day

• SurgeQ (waiting clients)

#CitrixSynergy

• Elasticity

ᵒ Adapt to varying load conditions

• Transparency with Visibility

ᵒ All events are logged

• Configuration simplicity

ᵒ Zero touch scale out and scale in of server infrastructure

• Burst handling

ᵒ Excess traffic can be handled in public or private cloud

ᵒ Spin up additional NS VPXes on demand

AutoScale

SPDY Gateway

#CitrixSynergy

SPDY in the news

SPDY in Amazon’s Kindle Fire

Ever wondered why Google search and Gmail is faster on Chrome – SPDY!

#CitrixSynergy

SPDY: Introduction

• Encrypted (SSL) session

layer protocol to accelerate

page load time

• Google Chromium projects:

http://dev.chromium.org/spdy

#CitrixSynergy

SPDY: Features

SPDY

Single secure TCP connection

Full packets, less packets

Compressed headers

Asynchronous

Interleaved

Request prioritization

Typical web page download

80+ embedded objects, js, css, multiple conn

Connections ramp up individually

Redundant headers (e.g., UserAgent)

Synchronous, request-response model

Head of the line blocking

HTTP pipelining doesn’t work well

Source:

SPDY Benefits: Bandwidth & PLT

On low-bandwidth links, headers are costly

RTT matters for Page Load Times (PLT)

#CitrixSynergy

SPDY: Impact on Infrastructure Components

Back to decade old layer4 TCP processing

Breaks security best practices

Impacts capacity planning

SPDY HTTP

Web Server

TCP/IP

SPDY Session

HTTP Semantics

SSL

Web Server

TCP/IP

HTTP Semantics

Request 1

TCP/IP

HTTP Semantics

Request 2

TCP/IP

HTTP Semantics

Request 3

SPDY Encapsulated HTTP Cache Response

L7 Content Switch & Analytics

SPDY Encapsulated 403 Forbidden Response

Responder

TCP/IP

HTTP Semantics

Response 1

SPDY Session

SSL

Enables L7 optimization

Transitional path for infrastructure

SPDY Gateway

R1 R2 R3

SPDY Facts

1. SPDY Enabled Vs Disabled

3. Gateway L7 benefits

0

2

4

6

SPDY Disabled SPDY Enabled

Page Load Time

2. Components: • Mozilla Firefox Bowser client @ 200 ms RTT

• Wikipedia main page staged in the lab

• NS SPDY Gateway

• Firebug for waterfall charts SSL

HTTP

SPDY

Caching Analytics Logging … L7 benefits

No Blocking: Interleaved asynchronous streams

SPDY Disabled (4.3 sec) Vs SPDY Enabled (2.84 sec)

Blocking: Requests waiting for free connection

SPDY Acceleration w/o losing Operational Control

Enjoy SPDY benefits

Faster applications

Faster user experience

Enable L7 infrastructure components

Transitional upgrade path, like v6 Gateways

SPDY HTTP SPDY Gateway

• Next-gen AAA signaling protocol

• IP based signaling protocol

• Specially designed data messages • Sent from one network element to another.

• Reliable transport over TCP/SCTP

• Backward compatible with Radius

Citrix Confidential - Do Not Distribute

Diameter ?

• Surge of control plane signaling can bring network to its knees

• Processing required for diameter server is much higher

• Server becomes a bottleneck in the deployment

• LB for diameter messages among multiple servers

• Connection from Diameter client to server is low

• Thus there is a need of per-message loadbalancing

Diameter Load Balancing – Why?

• Lesser load on diameter server translating to faster response time

• Server Health monitoring and Better failover capabilities

• Better Scalability in terms of adding new servers on fly

• High Availability by sharing session information across

• Policy Enforcement and Security check point

• Statistics, reporting and logging

Benefits of Diameter Load Balancing

Citrix Confidential - Do Not Distribute

1. Aggregated message on single tcp tunnel

Diameter Server1

NS Diameter Server2

Packet Gateway

and Diameter

Client

Diameter Server3

DIAMETER REQUESTS

DIAMETER ANSWERS

2. Asynchronus messaging

3. Server Initiated Requests

Citrix Confidential - Do Not Distribute

NS Diameter Message Based LoadBalancing.

Diameter Server1

NS Diameter Server2

Packet Gateway and

Diameter Client

Diameter Server3

Diameter Client opens connection to NS

Client sends CER message to NS

NS does load balancing and selects a server. Opens the connection to selected server. And forwards CER messages to the server.

Server will prepare CEA and send it to NS

NS will forward it to client with some modification in message to pretend that it is Diameter relay agent.

Now client can send Diameter messages over the tcp tunnel.

When NS selects a server where it has not opened the connection, it will first open the connection to backend server and forward the cached CER to that server when server replies with CEA, it will forward the message to backend server.

NS doing de-multiplexing of diameter messages to multiple diameter servers.

Protocol Transition Constrained Delegation

Citrix Confidential – For NDA use only

Kerberos Based Auth – What Next? Widely-adopted, open-standard, efficient and strong

security solution!

• Kerberos protocol includes a mechanism called delegation of authentication

• Client (requesting service) delegates authentication to a second service

• Second service acts on behalf of Kerberos security principal

• The second service can delegate authentication to a third service

• Accomplished using a proxy TGT or forwarded TGT

Citrix Confidential – For NDA use only

KCD and PT

• Allows a service that uses Kerberos to obtain a Kerberos service ticket to itself

• Ticket is issued on behalf of a user or proxy known as Kerberos security principal

• Doesn’t requires the principal to initially authenticate to the KDC or be part of the domain

• No user credentials needed for the transition

• Allows transition even when authentication is done through other means

Citrix Confidential – For NDA use only

Protocol Transition

• Allows a service to obtain service tickets under the delegated user's identity

• Tickets are issued for restricted list of other services

• Service ticket can be obtained through protocol transition

• Provides a way for domain administrators to limit the network resources that a service trusted for delegation can access to a restricted list of network resources

Citrix Confidential – For NDA use only

KCD

Citrix Confidential – For NDA use only

Simple Kerberos Auth

Netscaler

Client

(User)

TM Vserver

1. GET /

2. HTTP 401 Negotiate

5. GET / + new SPNEGO GSSAPI msg

Validate SPNEGO GSSAPI token

6. … …

3. GET / + SPNEGO GSSAPI msg

4. HTTP 401 + SPNEGO GSSAPI msg

Server Farm

Aaad + lwagent +

lsassd

Beyond Front-end: KCD/KPT

Client

TM Vserver

8. HTTP 200 + session cookie

2. Reply 401 Negotiate

1. Fwd request to backend service

7. Reply 200 OK

6. Send request with service ticket

3. AS_REQ/RES

4. S4U2Self

5. S4U2Proxy

KDC

Auth Done

Server

The SSO Game

HTTP Basic

FormBased

Kerberos

NTLM

SmartCard

SAML

HTTP Basic

FormBased

Constrained

Delegation

Building End to End Kerberos Engine

Allgemeine Informationen

Besuchen Sie die Partner in der Ausstellung

Nutzen Sie unsere Zusatzangebote!

• Citrix Expert Desks: Unsere Produkt-Spezialisten beantworten Ihre individuellen

Fragen und geben Ihnen Einblick in aktuelle Projekte

• Citrix Tech Lounge: Lernen Sie die wichtigsten Funktionen von Citrix XenClient live

kennen - bei einem Hands-On-Test in unserer Tech Lounge

• Meet the Architects: Buchen Sie an der Info einen Kurz-Workshops mit Citrix-

Consulting und erarbeiten Sie eine Zielarchitektur für Ihr Unternehmen

• Citrix Datentankstelle: Lassen Sie sich auf Ihren mobilen Endgeräten einen

Citrix Receiver mit Demozugang einrichten

• Citrix Education Desk: Informieren Sie sich über die aktuellen Trainingsangebote

• Citrix Test Center: Die Plätze sind ausgebucht. Es besteht die Möglichkeit über die

Warteliste noch kurzfristig einen Platz zu bekommen

Feedback und Präsentationen

• Ihre Meinung ist uns wichtig! Bitte nehmen Sie sich einige Minuten Zeit,

unseren Online Feedbackbogen auszufüllen. Den Link dazu erhalten Sie einige

Tage nach der Veranstaltung

• Im Anschluss an den Fragebogen haben Sie Zugriff auf die Downloadseite der

Präsentationen

Bitte vormerken: Citrix Synergy 2012

• The premier event on cloud

computing, virtualization and

networking

• 17.- 19. Oktober 2012 im

International Convention Centre

Barcelona

• Weitere Infos:

http://www.citrixsynergy.com/barcelona

Work better. Live better.