Citrix NetScaler is the industry’s leading load balancer and application delivery controller (ADC), powering thousands of enterprise applications and the largest web sites in the world. However, we’re just scratching the surface of its potential. Citrix engineers have been hard at work getting NetScaler ready to tackle the next set of IT and application delivery challenges, such as virtual application, desktop and server availability and security. This technical session will highlight how NetScaler can help to migrate from IPv4 to IPv6 and make applications run better and faster.
Swiss IPv6 Council: IPv6 in the Cloud - Case Study of cloudscale.ch
12. Smooth migration from IPv4 to IPv6 with Citrix NetScaler - Daniel Künzli
1. Citrix NetScaler
Service Delivery System
smooth transition from IPv4 to IPv6
Daniel Künzli, Systems Engineer NG
Citrix Systems GmbH, Switzerland
2. Agenda
• Overview
• IPv6 integration and translation
• Basic features
• NetScaler for Citrix XenApp / XenDesktop
• NetScaler for SQL
• NetScaler SDX
• Citrix Open Cloud
Citrix Confidential – For NDA use only
3. Secure access to Citrix app and desktop virtualization
An integrated delivery infrastructure
(Diagram: Citrix Receiver on the client side, Branch Repeater and Access Gateway at the edge, NetScaler in front of XenApp, XenDesktop and XenServer, all connected by the Citrix delivery network.)
5. Five essential load-balancing terms
The "full proxy" approach enables a much wider range of functions. (Diagram: TCP client <-> NetScaler full proxy <-> TCP backend; the client-side and backend TCP connections are separate.)
1. VServer: accepts requests from clients (14)
2. Service (backend): network endpoint to which the NetScaler forwards (17)
3. Monitor: periodically checks that the backend service is working (29+)
4. Load balancing method: selects the service to forward to (15+)
5. Persistence (stickiness): the client is always directed to the same service (9+)
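The five terms above fit together in one decision per new client connection: the monitor decides which services are UP, persistence is consulted first (and only honoured while the pinned service is still UP), and the load-balancing method chooses among the remaining candidates. The following Python model is an added example written for this page; it is not NetScaler code. The monitor is a plain callable standing in for a network probe, and the service names, addresses and client IPs are made up.

```python
"""Toy model of the five load-balancing terms on the slide: a vserver that
accepts client requests, backend services, a monitor that decides which
services are UP, a load-balancing method that picks one UP service, and
source-IP persistence that keeps a client on the service it first got.
Added illustration, not NetScaler code. The monitor is a plain Python
callable standing in for a network probe; services and clients are made up."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Service:
    name: str
    ip: str
    port: int
    up: bool = True
    active_conns: int = 0


@dataclass
class VServer:
    name: str
    vip: str
    port: int
    services: List[Service]
    monitor: Callable[[Service], bool]
    method: str = "ROUNDROBIN"       # or "LEASTCONNECTION"
    persistence: str = "NONE"        # or "SOURCEIP"
    rr_index: int = 0
    persist_table: Dict[str, str] = field(default_factory=dict)

    def run_monitor(self) -> None:
        """Mark every bound service UP or DOWN from the monitor's verdict."""
        for svc in self.services:
            svc.up = bool(self.monitor(svc))

    def _by_method(self, candidates: List[Service]) -> Service:
        if self.method == "LEASTCONNECTION":
            return min(candidates, key=lambda s: s.active_conns)
        svc = candidates[self.rr_index % len(candidates)]   # ROUNDROBIN over the UP set
        self.rr_index += 1
        return svc

    def select(self, client_ip: str) -> Optional[Service]:
        """Pick the service for a new client connection; None if every service is DOWN."""
        candidates = [s for s in self.services if s.up]
        if not candidates:
            return None
        if self.persistence == "SOURCEIP":
            pinned = self.persist_table.get(client_ip)
            for s in candidates:
                if s.name == pinned:        # sticky only while that service is still UP
                    return s
        svc = self._by_method(candidates)
        if self.persistence == "SOURCEIP":
            self.persist_table[client_ip] = svc.name
        return svc


def demo() -> dict:
    """Constructed scenario: three web services, the monitor failing one of them."""
    failed = {"web3"}
    services = [Service("web1", "10.0.0.11", 80),
                Service("web2", "10.0.0.12", 80, active_conns=5),
                Service("web3", "10.0.0.13", 80)]
    vs = VServer("vs_www", "192.0.2.10", 80, services,
                 monitor=lambda s: s.name not in failed,
                 method="LEASTCONNECTION", persistence="SOURCEIP")
    vs.run_monitor()
    first = vs.select("198.51.100.7")       # fewest connections among UP services: web1
    first.active_conns += 100               # web1 gets busy ...
    second = vs.select("198.51.100.7")      # ... but persistence keeps this client on web1
    other = vs.select("198.51.100.8")       # a new client now lands on web2
    failed.add("web1")
    vs.run_monitor()                        # web1 fails its monitor
    after_fail = vs.select("198.51.100.7")  # pinned service is DOWN: re-select -> web2
    return {"first": first.name, "second": second.name,
            "other": other.name, "after_fail": after_fail.name,
            "down": sorted(s.name for s in services if not s.up)}
```

The order of the checks is the point: persistence beats the load-balancing method, but a monitor DOWN verdict beats persistence, otherwise a sticky client would keep being sent to a dead backend.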
8. Prefix Based IPv6-IPv4 Translation
(Diagram: an IPv6 enterprise network with an IPv6 DB server 9900::1; the NetScaler with NAT prefix 2000::/96 and V4IP 20.20.20.20; the IPv4 Internet with an IPv4 server at 30.30.30.30.)
IPv6 side: 9900::1 <-> 2000::30.30.30.30
IPv4 side: 20.20.20.20 <-> 30.30.30.30
9. Prefix Based IPv6-IPv4 Translation
• In NetScaler 9.3, the NS can translate packets sent from private IPv6 servers into IPv4 packets, using an IPv6 prefix configured on the NetScaler appliance.
• IPv6 packets addressed to this prefix have to be routed to the NS so that the IPv6-IPv4 translation is done by the NetScaler.
1. The IPv6 servers embed the destination IP address of the IPv4 servers or hosts in the last 32 bits of the destination IP address field of the IPv6 packets. The first 96 bits of the destination IP address field are set to the IPv6 NAT prefix.
2. The NS compares the first 96 bits of the destination IP address of all incoming IPv6 packets to the configured prefix.
3. If there is a match, the NS generates an IPv4 packet and sets its destination IP address to the last 32 bits of the destination IP address of the matched IPv6 packet.
10. IPv6 Support in INAT
The following Inbound Network Address Translation (INAT) configurations are now supported:
• IPv4-IPv6 Mapping: A public IPv4 address on the NetScaler appliance listens to connection requests on behalf of a private IPv6 server. The NetScaler appliance creates an IPv6 request packet with the IP address of the IPv6 server as the destination IP address.
• IPv6-IPv4 Mapping: A public IPv6 address on the NetScaler appliance listens to connection requests on behalf of a private IPv4 server. The NetScaler appliance creates an IPv4 request packet with the IP address of the IPv4 server as the destination IP address.
• IPv6-IPv6 Mapping: A public IPv6 address on the NetScaler appliance listens to connection requests on behalf of a private IPv6 server. The NetScaler appliance translates the packet's public destination IP address to the destination IP address of the server and forwards the packet to the server at that address.
11. IPv6 Support in INAT
(Diagram: an IPv4 server 74.125.91.100 on the IPv4 Internet; the NetScaler, labelled 2009::100:1, between the IPv6 side and the private network; behind it a DB server at 192.168.1.100 and an IPv6 server at 3ffe:100::100.)
NAT table (public IP -> private IP):
2009:ffff:1000::100 -> 192.168.1.100
2009:ffff:1000::200 -> 3ffe:100::100
74.125.91.105 -> 3ffe:100::100
74.125.91.106 -> 192.168.1.100
12. IPv6 Support in INAT
(Diagram: IPv4 public address to IPv6 private address; IPv6 public address to IPv4 private address.)
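Both mechanisms on slides 8 to 12 come down to address arithmetic plus a table: prefix-based translation embeds the IPv4 target in the low 32 bits behind a /96 prefix and needs a session table to map replies back, while INAT is a static public-to-private table whose two sides may be different address families. The Python below is an added example for this page, not NetScaler code. It uses the slides' own addresses; the packets are constructed (src, sport, dst, dport) tuples, and the session table is deliberately keyed on the IPv4 peer only (a real translator also allocates source ports).

```python
"""Address handling behind slides 8-12, as an added example (not NetScaler
code). (a) Prefix-based IPv6->IPv4 translation: the IPv6 host puts the IPv4
target in the low 32 bits behind the 96-bit NAT prefix; the translator
matches the prefix, builds an IPv4 header with its own V4IP as source, and
maps the reply back through a session table. (b) The INAT table from
slide 11: a public address on the appliance -> the private server behind
it, where the two sides may be different address families. Addresses are
the slides' own; packets are constructed (src, sport, dst, dport) tuples."""
import ipaddress
from typing import Dict, Optional, Tuple

NAT_PREFIX = ipaddress.IPv6Network("2000::/96")
V4IP = ipaddress.IPv4Address("20.20.20.20")       # translator's IPv4 source address

Pkt = Tuple[str, int, str, int]


def embed_ipv4(prefix: ipaddress.IPv6Network, v4: str) -> ipaddress.IPv6Address:
    """IPv6 host side: prefix (96 bits) || IPv4 address (32 bits)."""
    assert prefix.prefixlen == 96, "NAT prefix must be a /96"
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def extract_ipv4(prefix: ipaddress.IPv6Network, v6: str) -> Optional[ipaddress.IPv4Address]:
    """Translator side: compare the first 96 bits; on a match return the last 32 bits."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:                         # not our prefix: leave the packet alone
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


class PrefixTranslator:
    def __init__(self, prefix: ipaddress.IPv6Network, v4ip: ipaddress.IPv4Address) -> None:
        self.prefix, self.v4ip = prefix, v4ip
        # (IPv4 peer, peer port) -> (original IPv6 source, source port).
        # Keyed on the peer only; a real translator also allocates source ports.
        self.sessions: Dict[Tuple[ipaddress.IPv4Address, int],
                            Tuple[ipaddress.IPv6Address, int]] = {}

    def outbound(self, src6: str, sport: int, dst6: str, dport: int) -> Optional[Pkt]:
        """IPv6 packet from the private side -> IPv4 header toward the IPv4 Internet."""
        dst4 = extract_ipv4(self.prefix, dst6)
        if dst4 is None:
            return None
        self.sessions[(dst4, dport)] = (ipaddress.IPv6Address(src6), sport)
        return (str(self.v4ip), sport, str(dst4), dport)

    def inbound(self, src4: str, sport: int, dst4: str, dport: int) -> Optional[Pkt]:
        """IPv4 reply -> IPv6 header for the private host; unsolicited packets are dropped."""
        key = (ipaddress.IPv4Address(src4), sport)
        if ipaddress.IPv4Address(dst4) != self.v4ip or key not in self.sessions:
            return None
        orig6, orig_port = self.sessions[key]
        return (str(embed_ipv4(self.prefix, src4)), sport, str(orig6), orig_port)


# INAT table from slide 11: public address on the appliance -> private server.
INAT_TABLE = {
    "2009:ffff:1000::100": "192.168.1.100",   # IPv6 public -> IPv4 private
    "2009:ffff:1000::200": "3ffe:100::100",   # IPv6 public -> IPv6 private
    "74.125.91.105": "3ffe:100::100",         # IPv4 public -> IPv6 private
    "74.125.91.106": "192.168.1.100",         # IPv4 public -> IPv4 private
}


def inat_lookup(public_dst: str) -> Optional[dict]:
    """Find the server behind a public address and classify the mapping type."""
    private = INAT_TABLE.get(public_dst)
    if private is None:
        return None
    pub, priv = ipaddress.ip_address(public_dst), ipaddress.ip_address(private)
    return {"private": str(priv),
            "mapping": f"IPv{pub.version}-IPv{priv.version}",
            # cross-family mappings need a freshly built header of the other family;
            # IPv6-IPv6 only swaps the destination address and forwards
            "new_header": pub.version != priv.version}


def demo() -> dict:
    t = PrefixTranslator(NAT_PREFIX, V4IP)
    db_dst = str(embed_ipv4(NAT_PREFIX, "30.30.30.30"))     # what 9900::1 sends to
    return {
        "embedded": db_dst,
        "outbound": t.outbound("9900::1", 40000, db_dst, 443),
        "inbound": t.inbound("30.30.30.30", 443, "20.20.20.20", 40000),
        "stray": t.inbound("30.30.30.31", 443, "20.20.20.20", 40000),   # no session
        "nomatch": t.outbound("9900::1", 40000, "2001:db8::1", 80),      # not the NAT prefix
        "inat": inat_lookup("74.125.91.105"),
    }
```

Two checks worth keeping when building anything like this for real: a packet whose destination does not carry the configured prefix must be forwarded untouched rather than translated, and an IPv4 packet arriving at the V4IP with no matching session must be dropped, otherwise the translator becomes an open relay into the IPv6 network.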
13. Key technologies for application delivery
B2C / B2B / P2P
Availability | Performance | Security
• Load Balancing: information at layer 3 (IP) / layer 4 (TCP/UDP) decides which services traffic is forwarded to
• Content Switching: information at layer 7 (HTTP, FTP, DNS, RADIUS, TCP, UDP…) decides which group of backend services traffic is forwarded to
• Surge Protection + Sure Connect: servers work more effectively by avoiding load limits and queues (surge queue)
• Global Server Load Balancing (GSLB): traffic distribution through the NetScaler's intelligent name resolution
14. NetScaler Surge Protection
Servers work more effectively by avoiding load limits and queues (surge queue).
(Diagram: without NetScaler, request spikes overload the server; with NetScaler surge protection, the requests above the server's limit are held in the surge queue.)
15. GSLB - Site Load Distribution & Global Naming
(Diagram: www.abc.de served from two data centres, each with a load gauge.)
When a predefined traffic load limit is reached, user traffic is forwarded to alternative data centres.
16. GSLB - Disaster Recovery
(Diagram: www.abc.de at two sites.)
In the event of a site failure, the client is redirected to the nearest data centre.
17. GSLB - Load balancing of "incoming traffic" across provider links
• Incoming traffic here means a connection initiated on the user side; it is handled with the GSLB feature.
• Outgoing traffic, by contrast, is a connection initiated on the server side; it is handled with the LLB feature.
• Function: the NetScaler answers a DNS query that the ADNS of the main domain has "delegated" to it (gslb.cps.com) with the VServer IP of provider A or B (A in the picture).
LLB: Link Load Balancing
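Slides 15 to 17 describe one decision made per delegated DNS query: answer with the VIP of a site (or provider link) that is UP, prefer the client's nearest site until it reaches its predefined load limit, then spill over, and on a site outage fall through to the next site. The Python below is an added example for this page and not the NetScaler GSLB engine; the sites, load figures, VIPs and nearest-first ordering are constructed.

```python
"""GSLB decision from slides 15-17 as an added example (not the NetScaler
GSLB engine): the appliance is authoritative for a delegated name and
answers each query with the VIP of a site (or provider link) that is UP,
preferring the client's nearest site until that site reaches its
predefined load limit, then spilling over to the next one. Sites, loads
and the nearest-first ordering are constructed for the demo."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Site:
    name: str
    vip: str        # address carried in the DNS answer
    load: float     # current load, 0.0 .. 1.0
    limit: float    # the slide's "traffic load limit"; spill over once reached
    up: bool = True


def gslb_answer(fqdn: str, sites: List[Site], nearest_first: List[str],
                ttl: int = 5) -> Optional[dict]:
    """Build the A-record answer for fqdn, or None when no site is UP."""
    rank = {name: i for i, name in enumerate(nearest_first)}
    candidates = sorted((s for s in sites if s.up),
                        key=lambda s: rank.get(s.name, len(rank)))
    if not candidates:
        return None                       # every site down: fail the query, do not hand out a dead VIP
    chosen = next((s for s in candidates if s.load < s.limit), None)
    if chosen is None:                    # all UP sites above their limit: least relative load
        chosen = min(candidates, key=lambda s: s.load / s.limit)
    # short TTL so clients re-resolve quickly after a spill-over or failover
    return {"name": fqdn, "type": "A", "ttl": ttl, "data": chosen.vip, "site": chosen.name}


def demo() -> dict:
    sites = [Site("zurich", "198.51.100.10", load=0.40, limit=0.80),
             Site("frankfurt", "203.0.113.10", load=0.30, limit=0.80)]
    order = ["zurich", "frankfurt"]           # nearest first for this client
    normal = gslb_answer("www.abc.de", sites, order)
    sites[0].load = 0.90                      # Zurich passes its load limit
    spill = gslb_answer("www.abc.de", sites, order)
    sites[0].load, sites[0].up = 0.40, False  # Zurich site outage (DR case)
    dr = gslb_answer("www.abc.de", sites, order)
    sites[1].up = False
    none = gslb_answer("www.abc.de", sites, order)
    return {"normal": normal["data"], "spill": spill["data"],
            "dr": dr["data"], "none": none}
```

The TTL is the part that is easy to forget: DNS-based distribution only reacts as fast as resolvers re-ask, so a long TTL on the delegated name turns both the spill-over and the disaster-recovery case into a slow failover.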
18. Key technologies for application delivery
B2C / B2B / P2P
Availability | Performance | Security
• TCP Offload: frees servers from connection management
• HTTP Compression: data compression before delivery
• Integrated Caching: NetScaler as a caching instance in the network
• Advanced TCP optimisation: considerably more efficient connections through TCP window scaling, SACK and TCP buffering
• SSL Offload: takes over the CPU-intensive decryption work from backend servers
19. TCP Connection Offload
…made possible by the NetScaler full-proxy architecture
(Sequence diagram, client <-> NetScaler <-> web server: the client's SYN / SYN+ACK / ACK handshake terminates on the NetScaler; the GET and the data are carried over an existing pool of connections to the server; the client-side FIN / ACK does not tear down the server-side connection.)
• Interrupts to the server CPUs are reduced
• The server is protected against SYN floods (zombie connection protection)
• Existing TCP connections are "re-used"
• The total number of TCP connections on the server is reduced
20. Application Templates
• Enables application-oriented NetScaler configuration
• Functions: import, export, create, endpoint definition, match rule per app unit
• Simplification and portability of the configuration for 6 basic functions
• Templates currently available for EasyCall, OWA, SharePoint, SAP NetWeaver, Oracle, generic web app
• http://community.citrix.com/display/ns/AppExpertTemplates
21. Network Visualizer
Graphical network overview, configuration and statistics
22. Key technologies for application delivery
B2C / B2B / P2P
Availability | Performance | Security
• Protection at the application layer: protection against data theft and the exploitation of security holes
• DoS defence: DoS protection through the full-proxy architecture; prevention of HTTP DoS attacks
• Filtering, rewriting and responder: granular filters in the request and response direction; HTTP content can be modified, answered directly or redirected, with the NetScaler acting as a "simultaneous interpreter"
• SSL VPN (AGEE): encryption, authentication, authorisation and endpoint scan BEFORE admission to the network
23. Why security for web applications?
(Diagram: web app users -> Internet -> network firewalls -> web apps. Attack classes: SQL injection, information leakage, cross-site scripting, HTTP response splitting, path traversal. Data at risk: financial reports, credit card information, customer data, employee data, patient data, personal IDs, …)
82% of all attacks today target application vulnerabilities - Gartner
Optimal protection through the NetScaler Web Application Firewall (WAF)!
24. WAF (Web Application Firewall) - Hybrid Security Model
Optimal protection through the combination of both security approaches
Positive model:
• Protection against day-0 attacks
• Requires learning the application's structure
Hybrid:
• Protection against known and unknown attacks, with over 1200 "on board" signatures
Negative model:
• Fast, active protection against known attacks
• Requires maintenance of signatures
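The trade-off on the slide is easiest to see with both models run side by side over the same requests: the negative model catches the known pattern instantly and nothing else, the positive model catches a parameter the application never used (the day-0 case) but also blocks a legitimate page it has not learned yet. The Python below is an added example for this page, not NetScaler's AppFirewall; the signatures, the learned profile and the sample requests are all constructed.

```python
"""Hybrid WAF decision from slide 24 as an added example (not NetScaler's
AppFirewall): a negative model of signatures (fast, but only for known
attacks and needing upkeep) combined with a positive model learned from
the application's own structure (catches unknown attacks, but needs a
learning phase and blocks anything it has not seen). The signatures,
the learned profile and the sample requests are all constructed."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Negative model: generic patterns for attack classes named on slide 23.
SIGNATURES = {
    "sql_injection": re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|--\s*$"),
    "xss": re.compile(r"(?i)<script\b|javascript:|\bon(load|error|click|mouseover)\s*="),
    "path_traversal": re.compile(r"\.\.[/\\]"),
    "response_splitting": re.compile(r"[\r\n]"),
}

# Positive model: URLs and parameters seen during learning, with the value
# shape each parameter is allowed to have.
LEARNED_PROFILE = {
    "/login": {"user": r"[A-Za-z0-9_.@-]{1,64}", "pw": r".{1,128}"},
    "/report": {"id": r"\d{1,9}", "fmt": r"pdf|csv"},
}


def negative_check(url: str) -> list:
    """Signatures that fire on the request URL (decoded once; real engines normalise harder)."""
    decoded = unquote(url)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def positive_check(url: str) -> list:
    """Profile violations: URL never learned, parameter never learned, or value off-shape."""
    parts = urlsplit(url)
    profile = LEARNED_PROFILE.get(parts.path)
    if profile is None:
        return ["url_not_learned"]
    violations = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in profile:
            violations.append(f"unknown_param:{name}")
        elif not re.fullmatch(profile[name], value):
            violations.append(f"bad_value:{name}")
    return violations


def inspect(url: str, mode: str = "hybrid") -> dict:
    """mode is 'negative', 'positive' or 'hybrid'; block when any enabled model objects."""
    findings = {"signatures": [], "profile": []}
    if mode in ("negative", "hybrid"):
        findings["signatures"] = negative_check(url)
    if mode in ("positive", "hybrid"):
        findings["profile"] = positive_check(url)
    findings["block"] = bool(findings["signatures"] or findings["profile"])
    return findings


def demo() -> dict:
    """Block/allow verdict of each model for a handful of constructed requests."""
    samples = {
        "benign": "/report?id=42&fmt=pdf",
        "known_attack": "/report?id=42'%20or%20'1'='1&fmt=pdf",     # signature hits
        "unknown_attack": "/report?id=42&fmt=pdf&debug=1",         # no signature; never learned
        "traversal": "/download?file=..%2F..%2Fetc%2Fpasswd",
        "new_page": "/help?topic=ipv6",                             # legitimate but not yet learned
    }
    return {name: {mode: inspect(url, mode)["block"]
                   for mode in ("negative", "positive", "hybrid")}
            for name, url in samples.items()}
```

The "new_page" row is the cost the slide lists under the positive model: until the learning phase has seen a URL, the positive model blocks it, so a hybrid deployment normally runs the positive side in learning or log-only mode after every application release.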
25. URL Transformation - simplified configuration when rewriting URLs
• Increased security by hiding internal information (comparable to an IP NAT at layer 7)
• Changing or historically grown application URLs become child's play
• The user becomes independent of
  • application changes
  • infrastructure changes
(Diagram: public URLs www.abco.com/corpinfo/, www.abco.com/products/, www.abco.com/empl/... mapped onto internal URLs http://OldCo/cgi-bin/..., http://mktg/default.asp, http://AbCo/finance/default.asp)
26. Rewrite - NetScaler as a "simultaneous interpreter" in the request and response direction
With the "Rewrite Action Evaluator", testing rewrite configurations becomes child's play…
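The "layer-7 NAT" of slides 25 and 26 has two halves: the request direction maps a public URL onto the internal one, and the response direction maps internal host names that come back in Location headers or HTML links onto the public form, otherwise the internal naming leaks anyway. The Python below is an added example for this page and not NetScaler rewrite policy syntax. The slide shows the public and internal URLs but not which pairs with which, so the pairing in RULES is an assumption; the sample request and response are made up.

```python
"""Layer-7 "NAT" from slides 25-26 as an added example (not NetScaler
rewrite policies): public URLs are mapped to internal ones on the request
path, and internal host names that leak back in Location headers or HTML
links are mapped to the public form on the response path. The slide shows
the public and internal URLs but not which belongs to which; the pairing
in RULES is an assumption, and the request/response samples are made up."""
import posixpath
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# (public prefix, internal prefix); assumed pairing of the slide's examples
RULES: List[Tuple[str, str]] = [
    ("http://www.abco.com/corpinfo/", "http://OldCo/cgi-bin/"),
    ("http://www.abco.com/products/", "http://mktg/"),
    ("http://www.abco.com/empl/", "http://AbCo/finance/"),
]
INTERNAL_HOSTS = {urlsplit(internal).netloc for _, internal in RULES}


def canonical(url: str) -> str:
    """Collapse '.' and '..' segments first, so dot-segments cannot steer a
    request past the prefix a rule was written for."""
    p = urlsplit(url)
    path = posixpath.normpath(p.path) if p.path else "/"
    if p.path.endswith("/") and not path.endswith("/"):
        path += "/"
    return urlunsplit((p.scheme, p.netloc, path, p.query, p.fragment))


def rewrite_request(public_url: str) -> Optional[str]:
    """Public request URL -> internal URL; None when no rule applies (do not guess)."""
    url = canonical(public_url)
    for pub, internal in sorted(RULES, key=lambda r: -len(r[0])):   # longest prefix wins
        if url.startswith(pub):
            return internal + url[len(pub):]
    return None


def rewrite_response(headers: Dict[str, str], body: str) -> Tuple[Dict[str, str], str]:
    """Map internal prefixes in a Location header and in the HTML body back to public form."""
    out = dict(headers)
    for pub, internal in RULES:
        if out.get("Location", "").startswith(internal):
            out["Location"] = pub + out["Location"][len(internal):]
        body = body.replace(internal, pub)
    return out, body


def leaks_internal_name(text: str) -> bool:
    """The property slide 25 promises: no internal host name left visible to the client."""
    return any(f"//{host}/" in text or text.endswith(f"//{host}") for host in INTERNAL_HOSTS)


def demo() -> dict:
    req = rewrite_request("http://www.abco.com/corpinfo/../empl/report.asp?id=7")
    headers = {"Location": "http://AbCo/finance/login.asp"}
    body = '<a href="http://OldCo/cgi-bin/news.pl">News</a>'
    new_headers, new_body = rewrite_response(headers, body)
    return {"request": req,
            "unmapped": rewrite_request("http://www.abco.com/unmapped/x"),
            "location": new_headers["Location"], "body": new_body,
            "leak_before": leaks_internal_name(body),
            "leak_after": leaks_internal_name(new_body)}
```

Two details matter in practice: normalise the path before matching rules, so that `/corpinfo/../empl/` is handled by the `empl` rule and not by the `corpinfo` rule it was disguised under, and a request that matches no rule should get no internal URL at all rather than a best guess. Response rewriting of the body also only works on text the proxy can read, so a compressed backend response has to be decompressed (or compression moved to the proxy) before the internal names can be replaced.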
28. How NetScaler Adds Value to XenApp and
XenDesktop
• Huge Scalability
• Secure Access
• High Availability
• DR/BC
• Integrated Web Interface option
• IPv6 to IPv4 translation
29. Seamless access through Citrix Receiver
•Receiver for Windows
•Receiver for Mac
•Receiver for Linux
•Receiver for iPhone
•Receiver for Android (in development)
•Receiver for Blackberry (in development)
•Receiver for Java
Citrix Confidential - Do Not Distribute
30. Driving Customer Value and Citrix Differentiation
(Architecture diagram: HQ office with a XenDesktop farm on a XenServer resource pool hosting Virtual Desktop 1 (OS: Vista, apps: Office, personalization: User A), Virtual Desktop 2 (OS: XP, apps: Office, personalization: User B) and Virtual Desktop 3; supporting components: Desktop Delivery Controller, XenApp controller, data collector, Web Interface, Provisioning Server with Vista, Windows XP and Windows 7 images, file share for personalization and user data (users A to E); infrastructure: Active Directory, data store, license server, DHCP. Remote users, a branch office and a home office tablet connect through the firewalls via a Secure Gateway.)
31.-32. Same diagram with the Secure Gateway replaced by a NetScaler between the two firewalls; annotations: Secure Access, Strong SLAs.
33.-34. Same diagram repeated per site with the NetScaler in front; annotations: Secure Access, Global Access, Availability, Strong SLAs, Consolidation.
35. NetScaler in Database Tier
(Diagram: Internet -> web/app tier (HTTP, TCP) -> NetScaler ADC -> DB tier (Microsoft SQL Server, native SQL). In front of the web/app tier: HTTP ADC and TCP load balancer with high availability, simple LB and performance. NetScaler solution in the DB tier: TDS protocol aware, connection scale-up, optimal scale-out, improved availability; features: high availability, simple scalability, connection multiplexing, HA, app security, content switching.)
36. NetScaler Benefits
Scale Up
• SQL Multiplexing: scale TCP connections; host more DBs on a server; reduce the number of SQL licenses
• SQL Connection Offload: spare memory/CPU; faster query execution
Scale Out
• Native SQL LB: request switching; fast app response
• SQL aware policies: read/write split; granular control
High Availability
• Automated IP failover: virtual IP based; lower cost HA
• Intelligent monitoring: replication state aware
37. NetScaler SDX
• Instances, not partitions
• Complete CPU isolation
• Complete memory isolation
• Version independence
• High availability independence
• Lifecycle independence
Introducing NetScaler SDX
38. NetScaler MPX 21500 vs. NetScaler SDX 21500
NetScaler MPX 21500: 50 Gb/s, single VIP
NetScaler SDX 21500: 50 Gb/s, 16 instances, up to 18 Gbps per instance
8M packets/second
40. Evolutionary Path Forward to the Cloud
Hybrid cloud model to access and manage resources and data that may live on or off premise
Traditional Datacenter:
• On premise
• High fixed cost
• Full control
• Known security
Private Cloud (hybrid cloud together with the public cloud):
• On/off premise
• Low utility cost
• Self-service
• Fully elastic
• Trusted security
• Corporate control
Public Cloud:
• Off premise
• Low utility cost
• Self-service
• Fully elastic
42. So … Design for Any-to-Any Hybrid Architectures
(Diagram: private cloud, public cloud apps and public cloud managed infrastructure joined into a hybrid cloud.)
43. NEW! OpenCloud Bridge in a NetShell
(Diagram: traditional datacenter connected to a hybrid cloud over a Cloud Bridge L2 tunnel / IPsec tunnel, with NetScaler MPX / VPX and Branch Repeater VPX at each end.)
• Global load balancing improves performance as remote users have their sessions routed to the closest or best performing datacenter.
• Optimizes application availability through advanced L4-7 load balancing and traffic management.
• A truly network-transparent WAN optimization solution that doesn't rely on disruptive tunneling techniques.
44. Multiple user databases.. Difficult to manage
(Diagram: corporate Active Directory for enterprise apps and XenApp / XenDesktop; a cloud Active Directory for IaaS apps; a private database for SaaS apps.)
…with different apps requiring different identities…
45. One control point but where?
(Diagram: iPad, desktop and Citrix clients on the left, the Internet in the middle, SaaS/Cloud web applications and enterprise web applications on the right.)
• Especially when web standards.. aren't
• SaaS/Cloud web applications: it may be impossible to change this.
• Enterprise web applications: it's expensive to change this.
• Sometimes the desktop can't be changed; BYOC makes the desktop tricky.
46. Citrix Open Cloud Access
(Diagram: one identity, the corporate Active Directory, reaching many applications through OpenCloud Access and SSL-VPN: SaaS/Cloud web applications (remote) and enterprise web applications (corporate).)