Citrix NetScaler engineering continues to deliver new enhancements and cool features. This technical session will highlight five recent NetScaler innovations in virtual application, desktop and server availability and security that can improve your datacenter network and make applications run better and faster. Topics will include faster app acceleration and why developers are building apps to leverage advanced ADC capabilities.

1. © 2014 Citrix. Confidential.1

2. © 2014 Citrix. Confidential.2
• As
a
tradi)on,
every
Synergy,
we
highlight
the
coolest
NetScaler
features
in
this
session.
My
name
is
Anoop
Reddy.
Along
with
me
I
have
Tushar
Kanekar,
Anoop
Agarwal,
Minoo
Gupta
and
Sanjay
Gupta.
• This
year
we
have
really
cool
things
to
discuss.
Given
the
overall
Citrix
focus
on
Mobile,
we
will
talk
about
the
new
NetScaler
features
that
op)mize
mobile
access
and
Mobile
Security.
We
will
then
talk
about
our
innova)ons
for
the
Next
Gen
Data
Centers.
• We
will
finish
off
with
some
of
the
exci)ng
User
Experience
and
automa)on
enhancements
• We
have
a
lot
of
stuff
to
cover.
We
will
have
5
mins
for
Q&A
at
the
very
end.

3. © 2014 Citrix. Confidential.3
• Please
tweet/blog
about
this
session
with
hashtags
SYN207
and
citrixsynergy.
For
those
of
you
who
tweet/blog,
we
have
giveaways
at
the
end
of
this
session.

4. © 2014 Citrix. Confidential.4
Mobile
is
different.
Mobile
networks
are
characterized
by
high
latency
lossy
pipes,
last
mile
bandwidth/capacity/connec)on
constraints,
connec)on
breaks
when
switching
between
cell
towers
and
even
device
contraints
-­‐
baYery
life
is
important
and
the
viewport
is
smaller.
This
year
we
introduce
a
bunch
of
NetScaler
op)miza)on
features
specifically
geared
towards
op)mizing
applica)on
delivery
in
the
mobile
context
not
just
at
the
tcp/hYp
level
but
also
by
moving
deeper
into
the
applica)on
and
op)mizing
html
content.

5. © 2014 Citrix. Confidential.5
• Let’s
just
cut
to
the
chase
and
first
see
a
demo.
On
the
le]
hand
side
you
will
see
the
details
of
directly
accessing
an
applica)on
while
on
the
right
hand
side
with
NetScaler
in
the
path
with
our
Front
End
Op)miza)ons
turned
on.
• You
will
see
a
100%
improvement
in
page
load
)me,
with
a
40%
reduc)on
in
the
number
of
bytes
downloaded
and
a
30%
reduc)on
in
the
number
of
requests
made
to
the
server.
5

6. © 2014 Citrix. Confidential.6
• Now,
let’s
analyze
the
top
1000
sites
as
reported
by
hYparchive.org
/*which
tracks
web
trends,
stats
and
performance
*/
and
see
what
kind
of
op)miza)ons
are
possible.
As
you
can
see,
javascript
and
images
dominate
the
content
in
a
scenario
where
individual
pages
are
becoming
heavier.
So,
any
op)miza)ons
for
javascript
and
images
can
be
very
effec)ve.
Only
25%
of
the
images
are
op)mized
and
more
than
50%
of
the
content
doesn’t
leverage
browser
cache.
• So,
there
is
a
lot
of
scope
for
op)miza)on.
6

7. © 2014 Citrix. Confidential.7
• Now,
let’s
see
how
we
achieve
these
amazing
results.
Most
of
the
techniques
for
Front
End
Op)miza)ons
are
fairly
well
known
that
either
require
changes
in
your
web
server
config,
applica)on
code
or
get
the
app
server
to
talk
to
new
processes
and/or
setup
extra
proxies
in
the
path.
Instead
you
can
achieve
all
of
these
op)miza)ons
by
applying
a
simple
config
on
NetScaler.
• A
typical
web
page
access
can
be
broken
down
into
ini)al
connec)on
setup
stage,
the
page
content,
embedded
object
downloads
followed
by
rendering
the
page.
We
op)mize
each
of
these
stages.
• Before
we
go
into
the
details
I
would
like
to
emphasize
that
it
is
important
to
not
be
very
aggressive
with
op)miza)ons
that
might
break
apps/browser
compa)libitliy
etc.
We
have
chosen
middle
path
by
op)ng
for
the
least
intrusive
features
that
give
us
the
maximum
performance
boost.
7

8. © 2014 Citrix. Confidential.8
• Browsers
enforce
a
limit
on
how
many
connec)ons
can
be
open
for
a
single
domain.
To
improve
parallel
downloads
we
split
the
requests
across
mul)ple
domains
and
also
insert
html
direc)ves
to
prefetch
domain
dns.
8

9. © 2014 Citrix. Confidential.9
• We
improve
browser
content
caching
(basically
avoid
unnecessary
304
not
modified)
by
1)
versioning
image
urls
instead
of
ar)ficial
and
inaccurate
cache
)meouts
2)
we
can
insert
etags
to
signal
content
changes
and
leverage
NetScaler
compression.
9

10. © 2014 Citrix. Confidential.10
• A
lot
of
op)miza)ons
are
possible
in
embedded
object
sec)ons.
We
do
javascript/css
minifica)on
to
compress
the
objects,
we
can
inline
smaller
css/javascript/images
and
combine
css
to
reduce
#
of
requests.
10

11. © 2014 Citrix. Confidential.11
• We
improve
page
rendering
by
defering
javascript
loading
and
moving
objects
such
as
css
that
affect
the
visible
por)on
and
parallel
downloads
to
the
top.
We
also
only
load
images
in
the
current
viewport
–
this
is
especially
significant
for
mobile
devices
where
content
not
in
the
current
view
doesn’t
need
to
be
loaded.
11

12. © 2014 Citrix. Confidential.12
• To
summarize,
we
op)mize
at
every
stage
of
the
page
load
process.

13. © 2014 Citrix. Confidential.13
• Now,
going
down
the
stack
to
op)mize
at
the
lower
layers
taking
into
account
mobile
network
characteris)cs.
In
the
past
we
have
talked
about
NetScaler
as
a
speedy
gateway.
This
is
extremely
relevant
in
mobile
networks
for
performance.
We
have
also
talked
about
MPTCP
support
in
NetScaler
that
can
leverage
mul)ple
available
networks
parallelly
while
also
smoothening
out
cell
tower
to
wifi
transi)ons.
• Packet
losses
in
the
mobile
context
are
not
just
because
of
conges)on
but
due
to
losses
in
the
medium
and
also
due
to
transi)ons
between
cell
towers.
• This
year,
we
announce
Cubi/Bic
which
are
mobile
specific
tcp
conges)on
and
flow
control
protocols
that
take
into
account
such
characteris)cs
and
op)mize
delivery
in
mobile
networks.

14. © 2014 Citrix. Confidential.14
• NetScaler
can
now
op)mize
at
a
much
deeper
level
in
the
html
content
for
mobile
networks.
Most
important
to
note
-­‐
we
chose
the
least
intrusive
features
that
do
not
break
browser
compa)bility
or
apps
while
giving
us
the
maximum
op)miza)on.
• We
con)nued
to
op)mize
TCP
for
mobile
by
introducing
support
for
mobile
specific
conges)on/flow
control
TCP
protocols
such
as
Cubic/Bic.
• If
your
apps
are
used
on
mobile
devices
and
delivered
through
mobile
networks
–
you
have
to
try
the
latest
version
of
NetScaler!!
• With
that
I
hand
the
presenta)on
over
to
Tushar
Kanekar.

15. © 2014 Citrix. Confidential.15

16. © 2014 Citrix. Confidential.16
• NetScaler
–
industry
leader
in
secure,
op)mized
and
reliable
delivery
of
web-­‐apps
and
is
also
best
in
class
Mobile-­‐apps.
• Security imperatives to address –
- SSL everywhere, you cannot have few pages over SSL and others in clear.
- Need per App micro-VPN, for isolation and per-app access control, security.
- Support for 2048bit RSA key, the new guidelines from NIST.
- Device efficient crypto - to conserve precious battery of handheld device.
- To top this off, you need protection from the every changing threat landscape –
with Beast, Crime and latest Heartbleed to name a few.
Given this, you need a very robust delivery mechanism to protect your apps
and your infrastructure – that’s where NetScaler ADC device come to the
rescue.
How NetScaler helps to meet the imperatives?

17. © 2014 Citrix. Confidential.17
• NetScaler+XenMobile deployment, note NS is in DMZ providing all the
protection.

18. © 2014 Citrix. Confidential.18
• Security:
- NetScaler provides protection from various L2-7 attacks, including but not limited
to – Syn Attack, DDoS, HTTP DoS like Slowloris, Slowpost.
- SSL – hardened SSL/TLS engine with HW acceleration to do SSL termination
and offload. Not affected by the latest openssl Heartbleed bug
- Support for FIPS and new ciphers like AES-GCM/SHA-2, part of NIST’s Suite-B
list of algorithms.
- Ext. HSM – we are working to integrate NetScaler with external HSM vendors
like Thales. This will enable a non-FIPS device (VPX, MPX, SDX instances) to
utilize the security of a FIPS 140-2 Level-2/3 certified HSM device.
- ECC cipher suite, this provides same level of security as RSA, but at lower key
size. It can be efficiently done on low-powered handhelds and thus helps to
conserve precious battery life. To give an example 224 bit ECC == 2048bit RSA
- Strong access control – a critical piece of mobile app with single sign-on and
multi factor authentication including client/device level certificate checks.
- Various protections for your app and backend servers – Application Firewall for
protecting against sql injection and XSS attacks. ActiveSync filtering to prevent

19. © 2014 Citrix. Confidential.19
• ActiveSync Filtering – NS does a call out to XNC server, asking for the managed
status of the incoming device, based on the ActiveSync ID present in the header.
XNC provides a managed / unmanaged response, and NS acts on it.

20. © 2014 Citrix. Confidential.20
• Reliable
=
capacity
to
grow.
• We talked about security features, but what the use if you cannot reliably deliver
your apps? NetScaler provides the capacity to handle different work-loads.
• Remember the per App micro-VPN, each of this will open a isolated SSL
connection, now imagine each handheld has 3-4 apps and 1000s of such
handhelds connecting to an enterprise at any given time.
• NetScaler has best in class TPS and throughput numbers. The numbers quoted
here are for the 22120 MPX system.
• Note: TPS here, stands for transactions per sec, which are new handshakes per sec without
any reuse thrown in.
• HA support to protect against system failure and GSLB for site-failures.

21. © 2014 Citrix. Confidential.21
• Perfect forward Secrecy: In this new snowden era, many companies are
investing in PFS to secure user-data. PFS provides the security of protecting old/
existing data even if the private-key is compromised. You need ECDHE or EDH
to achieve this and not RSA.
• Support for RFC 5746 for secure renegotiation – to mitigate different MITM
attacks.
• DTLS – Datagram TLS to secure your application over UDP. For example, Voice,
Video.

22. © 2014 Citrix. Confidential.22
• NetScaler Application Firewall (AppFW) wins Best of Web Application Firewalls
2013 (By the Essential Guide – Security Readers’ Choice Awards) This award is
based on vote from the Security Readers on what they think is the top Web
application firewalls in 2013: Standalone WAFs and products that are part of
application acceleration/delivery systems. Criteria are based on essential
security features and at same time ease of use, configuration and administration.
• Link:
hYp://searchsecurity.techtarget.com/feature/Best-­‐of-­‐Web-­‐applica)on-­‐firewalls-­‐2013

23. © 2014 Citrix. Confidential.23

24. © 2014 Citrix. Confidential.24
• Light
weight
mul)-­‐tenancy
solu)on
• Each
tenant
gets
the
experience
of
a
logical
NetScaler
while
actually
sharing
the
same
instance.

25. © 2014 Citrix. Confidential.25
• To
appreciate
Par))ons,
let
us
walk
through
the
NetScaler
architecture
evolu)on
• First
we
had
what
today
we
call
Classic
Architecture
• Then
with
9.2
we
introduced
nCore.
• With
10.0,
we
introduced
cluster
• Now
in
2014,
we
are
planning
to
introduce
Par))ons.

26. © 2014 Citrix. Confidential.26
• This
is
how
the
user
work
flow
will
look
like
• First
System
admin
will
create
par))ons
• Expecta)on
will
be
that
the
system
will
enforce
the
set
up
limits,
while
allowing
sharing
of
the
underlying
resources
• Then
the
Par))on
admin
will
create
work
flows
within
his/her
logical
netscaler
• Expecta)on
will
be
that
the
system
will
provide
sandboxes
views
for
configura)on,
monitoring,
logs
etc

27. © 2014 Citrix. Confidential.27
• Default
or
system
admin
logs
in

28. © 2014 Citrix. Confidential.28
• He
or
she
works
under
default
par))on.
• He
creates
par))ons.
Here
for
demo,
we
are
crea)ng
two
par))ons,
one
called
PartUS,
and
another
PartEMEA

29. © 2014 Citrix. Confidential.29
• System
admin
also
creates
two
users
and
associates
them
with
the
par))ons
just
created.
Namely
UserUS
and
UserEMEA

30. © 2014 Citrix. Confidential.30

31. © 2014 Citrix. Confidential.31
• Then
individual
users
log
in
with
their
creden)als.

32. © 2014 Citrix. Confidential.32
• They
have
their
own
configura)on
screens.
They
create
their
own
workflows
and
applica)ons.
• In
this
demo,
each
of
our
two
users
create
a
Load
Balancer
service,
namely
LBUS,
and
LBEMEA

33. © 2014 Citrix. Confidential.33
• They
can
monitor
the
state
of
their
service
in
their
respec)ve
configura)on
screens

34. © 2014 Citrix. Confidential.34
• They
also
have
their
separate
dashboards,
which
shows
the
state
of
affairs
for
that
par))on.
• In
this
demo,
LBUS
is
handling
8
req/sec
and
LBEMEA
is
handling
24
req/sec

35. © 2014 Citrix. Confidential.35
• Some
more
details
about
the
feature
• We
collect
sta)s)cs
per
par))on
for
metering
and
for
burs)ng
• Limits
per
par))on
are
enforced
• However,
transient
burs)ng
is
allowed
beyond
thresholds
• This
allows
for
sta)s)cal
mul)plexing
and
oversubscrip)on
of
capacity,
without
viola)ng
performance
SLA

36. © 2014 Citrix. Confidential.36
• So
how
does
Par))ons
fit
into
rest
of
the
porpolio?
• Par))ons
are
created
within
one
instance.
They
can
be
created
on
the
MPX.
They
can
be
created
on
VPX
instance.
• They
can
also
be
created
on
each
of
the
SDX
instance.
In
fact
this
could
be
a
very
effec)ve
way
of
controlling
the
blast
radius.

37. © 2014 Citrix. Confidential.37

38. © 2014 Citrix. Confidential.38

39. © 2014 Citrix. Confidential.39
• Today’s
data
centers
are
big
and
complex
with
many
opera)onal
challenges.
Such
as
one
arm
mode
deployment,
mul)
device
configura)on,
and
dynamic
service
provisioning
and
management.
One
arm
mode
deployments
require
rou)ng
and
service
changes
to
be
updated
manually
on
both
devices.
This
can
be
error
prone,
hence
causing
unplanned
and
poten)ally
costly
down)me.

40. © 2014 Citrix. Confidential.40
• Cisco
Nexus
70000
provides
a
new
protocol
called
RISE,
Remote
Integrated
Service
Engine.
Citrix
NetScaler
integrates
with
Cisco
N7K
and
supports
this
protocol
na)vely.
The
cross
func)onal
teams
with
Citrix
and
Cisco
have
been
working
very
closely
to
deliver
the
feature.
• RISE
integrated
ADC
devices
appear
as
virtual
blade
on
the
Cisco
N7K
switch.
• The
deployment
and
configura)on
of
the
devices
can
be
made
plug
and
play.
The
protocol
helps
automate
changes
to
service
and
route
across
the
devices,
further
op)mizing
traffic
flows
within
the
datacenter.
• NetScaler
is
the
only
ADC
device
which
integrates
with
N7K
RISE
protocol
today.
40

41. © 2014 Citrix. Confidential.41
• N7K
can
discover
and
auto
aYach
to
devices
suppor)ng
RISE
protocol.
NetScaler
devices
can
be
bootstrapped
by
retrieving
their
configura)on
from
N7K
via
RISE
protocol.
N7K
support
direct
aYach
and
indirect
aYach
modes
for
bootstrap.
• Direct
aYach
is
used
for
configuring
MPX
boxes
and
in-­‐direct
aYach
mode
is
used
to
configure
VPXes
running
of
stock
hardware
or
SDX.
• N7K
and
NS
both
support
high
availability
configura)on
such
as
vPC
and
HA
along
with
RISE.

42. © 2014 Citrix. Confidential.42
• The
N7K
admin
starts
by
crea)ng
a
rise
service
with
Netscaler
IP,
assigning
port-­‐channel
and
configuring
VLANs
for
the
NetScaler
to
be
configured.
• Auto-­‐discovery
allows
configura)on
on
the
Nexus
7000.
It
then
pushes
the
seungs
to
the
NetScaler.
•
Simplifies
provisioning
significantly,
by
reducing
config
steps
from
30
to
8
in
some
use
cases.
42

43. © 2014 Citrix. Confidential.43
• RISE
allows
automa)on
of
service
changes
on
NetScaler,
by
propaga)ng
the
associated
routes
to
N7K
programma)cally.
Hence
elimina)ng
the
need
for
N7K
admin
to
manually
add
or
delete
corresponding
routes.
• This
preserves
the
client
IP
as
well
for
the
traffic
flow.

44. © 2014 Citrix. Confidential.44
• Auto
PBR
is
needed
to
eliminate
the
need
for
Source-­‐NAT
or
manual
PBR
configura)on
in
an
one-­‐arm
mode
design
• APBR
feature
allows
the
NS
to
program
policies
on
the
N7k
server-­‐facing
interfaces
to
redirect
return
traffic
to
the
NS
appliance
set
up
in
one-­‐arm
mode.
• NS
passes
IP
address,
port
#
,
protocol
etc
of
the
real
servers
on
to
N7K
in
an
Auto
PBR
message
and
a
route
map
is
applied
on
the
N7K
interface
through
which
the
real
server
can
be
best
reached.
• Since
it
is
desirable
to
change
the
src
ip
to
VIP
for
the
return
traffic,
the
APBR
policies
set
the
nexthop
ip
of
the
traffic
reaching
the
N7K
interface
to
the
NS
ip
without
modifying
the
packet.
• The
NS
appliance
will
then
direct
the
packet
to
the
client
by
changing
the
source
IP
to
VIP
•
In
case
of
mul)ple
NS
connected
to
N7K
,
RISE
Manager
on
N7K
will
create
an
ACL
for
each
NS’s
next
hop
ip
and
incorporates
it
into
a
route
map.
44

45. © 2014 Citrix. Confidential.45

46. © 2014 Citrix. Confidential.46
• Significantly
simplified
deployment
as
administrators
do
not
need
to
configure
complex
VLAN
and
route
seungs
to
enable
rich
availability
and
rou)ng
features.
Na)vely
integrated
with
Nexus
7000
vDC
and
vPC
architecture.
46

47. © 2014 Citrix. Confidential.48

48. © 2014 Citrix. Confidential.49

49. © 2014 Citrix. Confidential.50

50. © 2014 Citrix. Confidential.51

51. © 2014 Citrix. Confidential.52

52. © 2014 Citrix. Confidential.53

53. © 2014 Citrix. Confidential.54

54. © 2014 Citrix. Confidential.55

55. © 2014 Citrix. Confidential.56

56. © 2014 Citrix. Confidential.57

57. © 2014 Citrix. Confidential.59

58. © 2014 Citrix. Confidential.60

59. © 2014 Citrix. Confidential.61

60. © 2014 Citrix. Confidential.62

61. © 2014 Citrix. Confidential.63

62. © 2014 Citrix. Confidential.64

63. © 2014 Citrix. Confidential.65