5 cool things you can do with citrix netscaler
TRANSCRIPT
NetScaler is the Coolest Networking product Ever
AppFlow Insight
AutoScale
SPDY Gateway
Diameter Load Balancing
Kerberos Constrained Delegation
App Visibility (diagram)
Today: instrumenting every tier (end user, web front end, app server, DB server) with taps and agents is limiting; ubiquitous app visibility needs limited, expensive tools: Costly | Intrusive | No Standards.
Getting it Right: use the in-place real estate (ADC, WOC) and export AppFlow to a simple tool: Non-Intrusive | App Aware | Standardized.
• Template: defines the layout that actual flow records follow
• Flow: unidirectional IP packets identified by the five tuple: source IP, source port, destination IP, destination port and protocol
• Record: data points on traffic streams passing through the device
• Exporter: device which generates flows sent to the collector
• Collector: third-party tools aggregating records for reporting purposes
• Standard based on IPFIX
• Transaction level visibility for HTTP, SSL, TCP and SQL
• Ability to sample and filter desired flow types
• Flow records transmitted to external collectors
• Collectors aggregate the flow records for real-time reporting
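An added example, not code from the deck or from NetScaler: a minimal parser for the IPFIX messages that AppFlow records are based on, with a constructed export whose template carries the five tuple above plus byte and packet counters (the element ids are IANA's; the addresses and counts are made up).

```python
import struct
from ipaddress import IPv4Address

IE_NAMES = {8: "sourceIPv4Address", 12: "destinationIPv4Address",  # IANA IPFIX element ids
            7: "sourceTransportPort", 11: "destinationTransportPort",
            4: "protocolIdentifier", 1: "octetDeltaCount", 2: "packetDeltaCount"}

def decode_field(ie_id, raw):
    """IPv4 address elements become dotted quads, everything else an unsigned integer."""
    return str(IPv4Address(raw)) if ie_id in (8, 12) else int.from_bytes(raw, "big")

def parse_ipfix(msg):
    """Parse one IPFIX message (RFC 7011): 16-byte header, then template and data sets."""
    version, length = struct.unpack("!HH", msg[:4])   # then export time, sequence, domain id
    assert version == 10 and length == len(msg), "not a complete IPFIX message"
    templates, records, off = {}, [], 16
    while off < length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        body, off = msg[off + 4:off + set_len], off + set_len
        if set_id == 2:                      # template set: template id, field count, fields
            tid, count = struct.unpack("!HH", body[:4])
            fields, p = [], 4
            for _ in range(count):
                ie_id, flen = struct.unpack("!HH", body[p:p + 4])
                p += 4
                if ie_id & 0x8000:           # enterprise bit set: a 4-byte PEN follows
                    ie_id, p = ie_id & 0x7FFF, p + 4
                fields.append((ie_id, flen))
            templates[tid] = fields
        elif set_id >= 256:                  # data set: the set id names its template
            fields = templates[set_id]
            rec_len, p = sum(flen for _, flen in fields), 0
            while p + rec_len <= len(body):  # a shorter tail is padding
                rec = {}
                for ie_id, flen in fields:
                    rec[IE_NAMES.get(ie_id, ie_id)] = decode_field(ie_id, body[p:p + flen])
                    p += flen
                records.append(rec)
    return records

def build_sample():
    """Constructed export: template 256 describes a five-tuple flow record; two records follow."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    rec = lambda s, d, sp, dp, pr, o, pk: (IPv4Address(s).packed + IPv4Address(d).packed
                                           + struct.pack("!HHBII", sp, dp, pr, o, pk))
    data = rec("10.0.0.5", "192.0.2.10", 51000, 443, 6, 396867, 7) + rec("10.0.0.6", "192.0.2.10", 51001, 80, 6, 1200, 3)
    body = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(body), 0, 1, 1) + body
```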
• Collector for AppFlow records
• NetScaler driven consumer and analytic module
• Built-in analytics for:
ᵒ End to end Application performance
ᵒ Analytic data from Layer 2 to Layer 7
ᵒ Application Debugging
ᵒ Client and Server side analytic
• Built-in specialized reports for Application
• Easy setup and simple to use with multiple NetScalers
AppFlow Insight Architecture (diagram)
The NetScaler AppFlow client exports IPFIX records to a high performance collector backed by a high performance data store; the AppFlow analytics module exposes application reports through a RESTful NITRO API to a pluggable client stack (UI, mobile clients).
• Object based Reporting module
• Intuitive Navigation with multiple starting points
• Each Navigation leads to one or more Reports
• Client Side Monitoring features integrated seamlessly
• Helpful in drilling down on specific Objects like:
ᵒ URL
ᵒ Client
ᵒ Server
ᵒ Form Factor
ᵒ Operating System
• Data movement across various components
• Access visibility through Application and Data
• Details of Request and Response parameters
• Different client types access
• Details of the client form factor
• Applications are key and we help define:
ᵒ Top Apps by Hits
ᵒ Bandwidth
ᵒ Response Time
• HTTP monitoring stats:
ᵒ Client Network Latency
ᵒ Server Network Latency
ᵒ Server Processing Time
• Client side stats:
ᵒ Page load time
ᵒ Page render time
• Deep dive into HTTP req/res streams
• Reports on:
ᵒ Form factor
ᵒ Operating System
ᵒ Request Methods
ᵒ Response Status
• Client and Server association
• Waterfall Chart
• Ability to analyze the Syslogs
• Efficient reporting on Syslogs:
ᵒ Enables better visibility
ᵒ Provides Security related data
ᵒ Provides access and audit info
• Reports to be built on need and use case basis
• NITRO APIs are available for all objects:
ᵒ Device
ᵒ Application
ᵒ Server
ᵒ Client
ᵒ Form factor etc…
• SDK is available for Java and C#
• Sample REST API request:
  http://10.102.31.209/nitro/v1/appflow/app_unit?duration=last_1_day&args=device_ip_address:10.102.126.205
  Response:
  {
    "errorcode": 0,
    "message": "Done",
    "app_unit": [
      {
        "name": "iis2",
        "rpt_sample_time": "-1",
        "total_bytes": "396867",
        "network_latency_client_side": "430",
        "device_ip_address": "10.102.126.205",
        "server_response_time": "9730",
        "network_latency_server_side": "1338",
        "application_response_time": "10161",
        "ip_address": "10.102.126.164",
        "total_requests": "7"
      }
    ]
  }
AutoScale: the problem (diagram)
A load balancer provides high availability for the server farm.
A spike in traffic from the Internet overloads the server farm.
Less powerful servers start to fail; snowball effect, load shifts to other servers; application responsiveness suffers, pages time out.
Solution
• Over provision to handle peak load
• Idle resources
• Higher Capex and Opex
CloudStack (diagram)
NetScaler provides load balancing and high availability for the server farm.
NetScaler monitors servers for CPU, memory, latency, throughput, etc.; the NetScaler monitoring engine auto-detects run time issues with servers.
1. NetScaler triggers the AutoScale capability in CloudStack.
2. CloudStack “auto-provisions” new server instances based on the AutoScale policy.
3. On successful AutoScale, CloudStack provides the new service descriptions.
4. NetScaler automatically adds the new service resources and binds them to the LB.
5. Traffic is seamlessly scaled to the newly added services on NetScaler.
#CitrixSynergy
AutoScale Actions
• Provision new servers
• De-provision new servers
• Syslog events
Application Triggers
• Server CPU
• Application Response time
• Concurrent connections
• Time of the day
• SurgeQ (waiting clients)
• Elasticity
ᵒ Adapt to varying load conditions
• Transparency with Visibility
ᵒ All events are logged
• Configuration simplicity
ᵒ Zero touch scale out and scale in of server infrastructure
• Burst handling
ᵒ Excess traffic can be handled in public or private cloud
ᵒ Spin up additional NS VPXes on demand
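An added example, not NetScaler or CloudStack code: a model of an AutoScale policy that combines the triggers listed above (CPU, response time, concurrent connections, time of day, surge queue) with a hysteresis gap and a cooldown so scale out and scale in do not flap, and that logs every decision. The Sample and Policy names, the thresholds and the sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass
class Sample:
    """One monitoring sample for one server (constructed values in the tests)."""
    cpu_pct: float
    response_ms: float
    connections: int
    surge_queue: int      # clients waiting because the server hit its connection limit

@dataclass
class Policy:
    min_servers: int = 2
    max_servers: int = 6
    cpu_out: float = 70.0          # scale out when average CPU is above this ...
    cpu_in: float = 30.0           # ... and scale in only below this: the gap prevents flapping
    response_out_ms: float = 2000.0
    connections_out: int = 1000
    surgeq_out: int = 50
    busy_hours: tuple = (time(8), time(20))  # time-of-day trigger: keep one extra server
    cooldown_s: int = 300          # let newly provisioned servers take load before re-evaluating

def evaluate(policy, samples, now, last_action_at, log):
    """Return 'scale_out', 'scale_in' or 'hold' for the current server set, logging why."""
    n = len(samples)
    avg_cpu = sum(s.cpu_pct for s in samples) / n
    worst_rt = max(s.response_ms for s in samples)
    conns, surgeq = sum(s.connections for s in samples), sum(s.surge_queue for s in samples)
    floor = policy.min_servers + (1 if policy.busy_hours[0] <= now.time() < policy.busy_hours[1] else 0)
    if (now - last_action_at).total_seconds() < policy.cooldown_s:
        decision, why = "hold", "in cooldown"
    elif n < floor:
        decision, why = "scale_out", f"below floor {floor}"
    elif n < policy.max_servers and (avg_cpu > policy.cpu_out or worst_rt > policy.response_out_ms
                                     or conns > policy.connections_out or surgeq > policy.surgeq_out):
        decision, why = "scale_out", f"cpu={avg_cpu:.0f} rt={worst_rt:.0f} conns={conns} surgeq={surgeq}"
    elif n > floor and avg_cpu < policy.cpu_in and worst_rt < policy.response_out_ms / 2 and surgeq == 0:
        decision, why = "scale_in", f"idle: cpu={avg_cpu:.0f} rt={worst_rt:.0f}"
    else:
        decision, why = "hold", "within thresholds"
    log.append(f"{now.isoformat()} autoscale {decision} servers={n} {why}")   # every event is logged
    return decision
```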
SPDY Gateway
SPDY in the news
SPDY in Amazon’s Kindle Fire
Ever wondered why Google search and Gmail are faster on Chrome – SPDY!
SPDY: Introduction
• Encrypted (SSL) session layer protocol to accelerate page load time
• Google Chromium projects: http://dev.chromium.org/spdy
SPDY: Features
SPDY | Typical web page download
Single secure TCP connection | 80+ embedded objects, js, css, multiple connections
Full packets, fewer packets | Connections ramp up individually
Compressed headers | Redundant headers (e.g., UserAgent)
Asynchronous | Synchronous, request-response model
Interleaved | Head of the line blocking
Request prioritization | HTTP pipelining doesn’t work well
SPDY Benefits: Bandwidth & PLT
On low-bandwidth links, headers are costly
RTT matters for Page Load Times (PLT)
SPDY: Impact on Infrastructure Components (diagram)
With SPDY terminated only at the web server, everything in between sees an SSL-encrypted SPDY session on top of TCP/IP instead of the individual HTTP requests (Request 1, Request 2, Request 3 with their HTTP semantics):
• Back to decade old layer 4 TCP processing
• Breaks security best practices
• Impacts capacity planning
SPDY Gateway (diagram)
The gateway terminates SSL and the SPDY session and hands the embedded requests R1, R2, R3 to the L7 content switch and analytics, the cache and the responder as plain HTTP; the cache response and a 403 Forbidden response from the responder go back SPDY-encapsulated (Response 1).
• Enables L7 optimization
• Transitional path for infrastructure
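An added example, not code from the deck or from the NetScaler gateway: a SPDY/3 frame parser showing what a gateway has to do once it has terminated SSL, namely split the single connection into frames, read each SYN_STREAM's stream id and priority, and reassemble the interleaved DATA frames per stream so L7 components can see individual requests again. The compressed name/value header block is left as a placeholder and the session bytes are constructed.

```python
import struct

CONTROL_TYPES = {1: "SYN_STREAM", 2: "SYN_REPLY", 3: "RST_STREAM", 4: "SETTINGS",
                 6: "PING", 7: "GOAWAY", 8: "HEADERS", 9: "WINDOW_UPDATE"}
FLAG_FIN = 0x01

def parse_spdy_frames(session):
    """Split a decrypted SPDY/3 session into frames: 8-byte header, then `length` payload bytes."""
    frames, off = [], 0
    while off + 8 <= len(session):
        word, flags_len = struct.unpack("!II", session[off:off + 8])
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        payload = session[off + 8:off + 8 + length]
        if len(payload) < length:
            raise ValueError("truncated frame at offset %d" % off)
        if word & 0x80000000:                    # control frame: C=1, version(15), type(16)
            frame = {"control": True, "version": (word >> 16) & 0x7FFF,
                     "type": CONTROL_TYPES.get(word & 0xFFFF, word & 0xFFFF), "flags": flags}
            if frame["type"] == "SYN_STREAM":    # stream id, associated stream, 3-bit priority
                sid, assoc, pri = struct.unpack("!IIB", payload[:9])
                frame.update(stream_id=sid & 0x7FFFFFFF, associated=assoc & 0x7FFFFFFF, priority=pri >> 5)
        else:                                    # data frame: C=0, stream id(31)
            frame = {"control": False, "stream_id": word & 0x7FFFFFFF, "flags": flags, "payload": payload}
        frames.append(frame)
        off += 8 + length
    return frames

def demux_streams(frames):
    """Reassemble interleaved DATA frames per stream; FIN marks the stream's last frame."""
    streams = {}
    for f in frames:
        if f["control"]:
            continue
        s = streams.setdefault(f["stream_id"], {"body": b"", "fin": False})
        s["body"] += f["payload"]
        s["fin"] = s["fin"] or bool(f["flags"] & FLAG_FIN)
    return streams

def control_frame(ftype, payload, flags=0, version=3):
    return struct.pack("!II", 0x80000000 | (version << 16) | ftype, (flags << 24) | len(payload)) + payload

def data_frame(stream_id, payload, flags=0):
    return struct.pack("!II", stream_id & 0x7FFFFFFF, (flags << 24) | len(payload)) + payload

def sample_session():
    """Constructed session: two streams opened, then their DATA frames interleaved on one connection.
    The name/value header block (zlib with the SPDY dictionary) is replaced by a placeholder."""
    syn1 = struct.pack("!IIBB", 1, 0, 0 << 5, 0) + b"<hdr-block>"   # priority 0 = highest
    syn3 = struct.pack("!IIBB", 3, 0, 4 << 5, 0) + b"<hdr-block>"
    return (control_frame(1, syn1) + control_frame(1, syn3) +
            data_frame(3, b"part-one-of-") + data_frame(1, b"hello ") +
            data_frame(3, b"three", FLAG_FIN) + data_frame(1, b"one", FLAG_FIN))
```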
SPDY Facts
1. SPDY Enabled vs Disabled (chart: Page Load Time, SPDY Disabled 4.3 sec vs SPDY Enabled 2.84 sec)
2. Components:
• Mozilla Firefox browser client @ 200 ms RTT
• Wikipedia main page staged in the lab
• NS SPDY Gateway
• Firebug for waterfall charts
3. Gateway L7 benefits: SSL, HTTP, SPDY; caching, analytics, logging, … (L7 benefits)
Waterfall charts: SPDY Disabled shows blocking, requests waiting for a free connection; SPDY Enabled shows no blocking, interleaved asynchronous streams.
SPDY Acceleration w/o losing Operational Control
Enjoy SPDY benefits
Faster applications
Faster user experience
Enable L7 infrastructure components
Transitional upgrade path, like IPv6 gateways
Diameter?
• Next-gen AAA signaling protocol
• IP based signaling protocol
• Specially designed data messages sent from one network element to another
• Reliable transport over TCP/SCTP
• Backward compatible with RADIUS
Citrix Confidential - Do Not Distribute
Diameter Load Balancing – Why?
• A surge of control plane signaling can bring the network to its knees
• The processing required for a Diameter server is much higher
• The server becomes a bottleneck in the deployment
• LB for Diameter messages among multiple servers
• The number of connections from Diameter client to server is low
• Thus there is a need for per-message load balancing
Benefits of Diameter Load Balancing
• Less load on the Diameter server, translating to faster response time
• Server health monitoring and better failover capabilities
• Better scalability in terms of adding new servers on the fly
• High availability by sharing session information across
• Policy enforcement and security checkpoint
• Statistics, reporting and logging
NS Diameter Message Based Load Balancing (diagram: the packet gateway / Diameter client sends Diameter requests to NS over one connection; NS spreads them over Diameter Server1, Server2 and Server3 and returns the Diameter answers)
1. Aggregated messages on a single TCP tunnel
2. Asynchronous messaging
3. Server initiated requests
NS de-multiplexing of Diameter messages to multiple Diameter servers (diagram: packet gateway and Diameter client, NS, Diameter Server1, Server2, Server3)
1. The Diameter client opens a connection to NS.
2. The client sends a CER message to NS.
3. NS load balances and selects a server, opens a connection to the selected server and forwards the CER message to it.
4. The server prepares a CEA and sends it to NS.
5. NS forwards it to the client with some modifications to the message so that NS appears to be a Diameter relay agent.
6. Now the client can send Diameter messages over the TCP tunnel.
7. When NS selects a server to which it has not yet opened a connection, it first opens that connection and forwards the cached CER to the server; when the server replies with CEA, NS forwards the pending message to that server.
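An added Python model of the per-message balancing described above, not NetScaler code: it frames Diameter messages out of the client's TCP byte stream, round-robins requests, opens a server connection lazily (replaying the cached CER first) and routes answers back to the right server by Hop-by-Hop Identifier. It assumes a single client connection, so Hop-by-Hop Identifiers are unique; a real relay agent rewrites them with its own values.

```python
import struct
from itertools import cycle

CMD_CER = 257   # Capabilities-Exchange-Request / -Answer command code
FLAG_R = 0x80   # command flags: R bit set means request, clear means answer

def build_msg(cmd, request, hop, end, app_id=0, avps=b""):
    """Constructed Diameter message: 20-byte RFC 6733 header followed by raw AVP bytes."""
    flags = FLAG_R if request else 0
    return struct.pack("!IIIII", (1 << 24) | (20 + len(avps)), (flags << 24) | cmd, app_id, hop, end) + avps

def header(msg):
    """Decode the header: version/length, flags/command code, application, hop-by-hop, end-to-end."""
    ver_len, flags_cmd, app_id, hop, end = struct.unpack("!IIIII", msg[:20])
    assert ver_len >> 24 == 1, "unsupported Diameter version"
    return {"len": ver_len & 0xFFFFFF, "request": bool(flags_cmd & (FLAG_R << 24)),
            "cmd": flags_cmd & 0xFFFFFF, "app_id": app_id, "hop": hop, "end": end}

class MessageBalancer:
    """Per-message balancing of one client TCP connection across several Diameter servers:
    frame messages out of the byte stream, round-robin each request, open a server connection
    lazily (replaying the cached CER first) and route answers back by Hop-by-Hop Identifier."""
    def __init__(self, servers):
        self.rr, self.buf, self.cer = cycle(servers), b"", None
        self.connected, self.pending, self.log = set(), {}, []

    def from_client(self, data):
        """Feed raw bytes from the client; returns the (command, server) routing decisions."""
        self.buf += data
        routed = []
        while len(self.buf) >= 20 and header(self.buf)["len"] <= len(self.buf):
            h = header(self.buf)
            msg, self.buf = self.buf[:h["len"]], self.buf[h["len"]:]
            if not h["request"]:
                continue                      # answers to server-initiated requests: out of scope here
            if h["cmd"] == CMD_CER:
                self.cer = msg                # keep the client's CER for later server connections
            server = next(self.rr)
            if server not in self.connected:
                self.connected.add(server)
                self.log.append(f"open connection to {server}")
                if self.cer is not None and h["cmd"] != CMD_CER:
                    routed.append((CMD_CER, server))   # replay cached CER, wait for CEA, then forward
            self.pending[h["hop"]] = server
            routed.append((h["cmd"], server))
        return routed

    def from_server(self, answer):
        """Match a server's answer to its request by Hop-by-Hop Identifier; returns that server."""
        return self.pending.pop(header(answer)["hop"], None)
```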
Protocol Transition Constrained Delegation
Citrix Confidential – For NDA use only
KCD and PT
Kerberos Based Auth – What Next? Widely-adopted, open-standard, efficient and strong security solution!
• Kerberos protocol includes a mechanism called delegation of authentication
• Client (requesting service) delegates authentication to a second service
• Second service acts on behalf of Kerberos security principal
• The second service can delegate authentication to a third service
• Accomplished using a proxy TGT or forwarded TGT
Protocol Transition
• Allows a service that uses Kerberos to obtain a Kerberos service ticket to itself
• Ticket is issued on behalf of a user or proxy known as the Kerberos security principal
• Doesn’t require the principal to initially authenticate to the KDC or be part of the domain
• No user credentials needed for the transition
• Allows transition even when authentication is done through other means
KCD
• Allows a service to obtain service tickets under the delegated user's identity
• Tickets are issued for a restricted list of other services
• Service ticket can be obtained through protocol transition
• Provides a way for domain administrators to limit the network resources that a service trusted for delegation can access to a restricted list of network resources
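An added example, not from the deck: an audit helper for the two configurations described above. It classifies Active Directory service accounts by their userAccountControl flags and msDS-AllowedToDelegateTo list (the flag values are the standard AD ones) and reports every account that delegates more widely than an approved list allows. The directory entries and the approved list are constructed.

```python
# Active Directory userAccountControl bits (MS-SAMR / MS-ADTS)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")
NORMAL_ACCOUNT = 0x200

def classify_delegation(entry):
    """Classify one account from userAccountControl and msDS-AllowedToDelegateTo."""
    uac = int(entry.get("userAccountControl", 0))
    targets = entry.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained+protocol-transition"
    return "constrained" if targets else "none"

def audit(entries, approved):
    """approved: {sAMAccountName: {"targets": set of SPNs, "protocol_transition": bool}}.
    Returns (account, finding) pairs for every account delegating more than approved."""
    findings = []
    for e in entries:
        name, kind = e["sAMAccountName"], classify_delegation(e)
        ok = approved.get(name, {"targets": set(), "protocol_transition": False})
        targets = set(e.get("msDS-AllowedToDelegateTo", []))
        if kind == "unconstrained":
            findings.append((name, "unconstrained delegation: not limited to a target list"))
            continue
        extra = targets - ok["targets"]
        if extra:
            findings.append((name, f"unapproved delegation targets: {sorted(extra)}"))
        if kind == "constrained+protocol-transition" and not ok["protocol_transition"]:
            findings.append((name, "protocol transition enabled without approval"))
    return findings

# Constructed LDAP-style entries (hypothetical accounts, not from a real directory).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc-netscaler", "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["http/web1.example.test", "http/web2.example.test"]},
    {"sAMAccountName": "svc-legacy", "userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "svc-report", "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["http/web1.example.test", "cifs/files.example.test"]},
]
APPROVED = {
    "svc-netscaler": {"targets": {"http/web1.example.test", "http/web2.example.test"}, "protocol_transition": True},
    "svc-report": {"targets": {"http/web1.example.test"}, "protocol_transition": False},
}
```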
Simple Kerberos Auth (diagram: Client (User), NetScaler TM Vserver, Server Farm; NetScaler runs aaad + lwagent + lsassd)
1. GET /
2. HTTP 401 Negotiate
3. GET / + SPNEGO GSSAPI msg
4. HTTP 401 + SPNEGO GSSAPI msg
5. GET / + new SPNEGO GSSAPI msg
NetScaler validates the SPNEGO GSSAPI token
6. … …
Beyond Front-end: KCD/KPT (diagram: Client, TM Vserver, KDC, Server; the client side is already at “Auth Done”)
1. Fwd request to backend service
2. Reply 401 Negotiate
3. AS_REQ/RES
4. S4U2Self
5. S4U2Proxy
6. Send request with service ticket
7. Reply 200 OK
8. HTTP 200 + session cookie
The SSO Game (diagram): front-end authentication methods HTTP Basic, Form-based, Kerberos, NTLM, SmartCard and SAML are mapped to the back-end SSO methods HTTP Basic, Form-based and Constrained Delegation.
Building End to End Kerberos Engine
General Information
Visit the partners in the exhibition
Take advantage of our additional offerings!
• Citrix Expert Desks: Our product specialists answer your individual questions and give you insight into current projects
• Citrix Tech Lounge: Get to know the most important features of Citrix XenClient live, in a hands-on test in our Tech Lounge
• Meet the Architects: Book a short workshop with Citrix Consulting at the info desk and work out a target architecture for your company
• Citrix Datentankstelle: Have a Citrix Receiver with demo access set up on your mobile devices
• Citrix Education Desk: Find out about the current training offerings
• Citrix Test Center: All places are booked. It is still possible to get a place at short notice via the waiting list
Feedback and Presentations
• Your opinion matters to us! Please take a few minutes to fill out our online feedback form. You will receive the link a few days after the event
• After completing the questionnaire you will have access to the download page for the presentations
Save the date: Citrix Synergy 2012
• The premier event on cloud computing, virtualization and networking
• 17 to 19 October 2012 at the International Convention Centre Barcelona
• More information: http://www.citrixsynergy.com/barcelona
Work better. Live better.