Citrix NetScaler ADC Overview

Citrix NetScaler ADC Overview

The Citrix® NetScaler® ADC product line optimizes delivery of applications over the Internet and private networks. NetScaler is an application delivery controller (ADC) that accelerates application performance, enhances application availability with advanced L4-7 load balancing, secures missioncritical apps from attacks and lowers server expenses by offloading computationally intensive tasks. All these capabilities are combined into a single, integrated appliance for increased productivity, with lower overall total cost of ownership.

NetScaler is deployed in front of web, application and database servers. It combines high-speed L4-7 load balancing and content switching with application acceleration, data compression, static and dynamic content caching, SSL acceleration, network optimization, application performance monitoring application visibility and robust application security via an application firewall.

NetScaler appliances are installed in the data center and route all connections to back-end servers. The NetScaler features are enabled and the policies configured are then applied to incoming and outgoing traffic. NetScaler requires no additional client or server side software, and can be configured using the NetScaler web-based GUI, RESTful API (“Nitro”) and CLI configuration utilities.

NetScaler is available as a high-performance network appliance and a virtual appliance for maximum

deployment flexibility. The hardware based MPX appliances with multi-core processor designs are available with a wide range of appliance availability; from sub gigabit throughput to 50 Gbps. Each leverages a fully hardened and secure operating system.

NetScaler appliances provide multi-dimensional scalability for a superior ROI. Pay-As-You-Grow and Burst Pack upgrade licenses enable specific models to be upgraded to higher-end models within a

particular platform via a software license. NetScaler SDX models allow up to 40 fully independently

managed NetScaler instances to run on a single platform. NetScaler with Citrix TriScale clustering

allows up to 32 NetScaler appliances (of the same platform, model and edition) to be aggregated

into a single group to increase aggregate app delivery capacity.

NetScaler solutions are available in three software editions: Standard, Enterprise, and Platinum. These editions offer the following feature sets:

Standard Edition

NetScaler Standard Edition provides comprehensive layer 4-7 load balancing and content switching, SSL acceleration and server offload capabilities.

Enterprise Edition

NetScaler Enterprise Edition is a highly integrated application delivery solution. It includes all Standard Edition capabilities, plus dynamic routing support, data compression (AppCompress), global server load balancing (GSLB), surge protection, priority queuing, L7 DoS protection, AAA for traffic management and cache redirection. Enterprise Edition also includes Citrix Command Center software.

Platinum Edition

NetScaler Platinum Edition is the most integrated and feature-rich NetScaler offering. It includes all Enterprise Edition capabilities, plus content caching (AppCache), web application firewall, NetScaler Cloud Bridge and EdgeSight for NetScaler application performance monitoring. It also includes Citrix Command Center software and NetScaler Cloud Bridge.

Note: NetScaler clustering license upgrades are available on all NetScaler MPX and VPX models and software editions.

Software Options

The following options are available for NetScaler MPX appliances.

• Global Server Load Balancing (GSLB) - Directs user requests to the data center best able to handle it. Requests can be redirected based on dynamic changes in global network performance, site connectivity and availability. Server location, load and many other factors determine the optimal server to use.
• NetScaler AppCompress™ - Improves end-user performance and reduces bandwidth consumption by compressing HTML/text content before transmission to clients. AppCompress supports both encrypted and unencrypted data.
• AppCache™ – Citrix NetScaler AppCache improves application performance by storing cacheable content, both static and dynamic, directly on the NetScaler platform. Multiple techniques ensure content freshness.
• NetScaler Application Firewall™ – NetScaler Application Firewall ensures security at the application layer. It is an ICSA-certified web application firewall that automatically blocks malicious web traffic.
• Citrix EdgeSight™ for NetScaler – EdgeSight for NetScaler is a transparent tool to measure end-user performance, and does not require a client-based agent. EdgeSight for NetScaler helps evaluate performance issues and monitor trends to anticipate future unacceptable performance levels allowing proactive network changes. Numerous application performance parameters, such as time to download a page and round trip response times, are stored and displayed in a variety of formats.

Network Topology

Where Does a NetScaler Fit in the Network?

NetScaler resides in front of web and applications servers, so that client requests and server responses pass through it. In a typical installation, virtual servers (vservers) configured on the NetScaler provide connection/termination points that clients use to access the applications delivered by NetScaler. In this case, the NetScaler owns public IP addresses that are associated with its vservers, while the real servers are isolated in a private network. It is also possible to operate the NetScaler in a transparent mode as an L2 bridge or L3 router, or even to combine aspects of these and other modes.

Physical Deployment Modes

NetScaler can be deployed in either of two physical modes: inline and one-arm. In inline mode, multiple network interfaces are connected to different Ethernet segments, and the NetScaler is placed between the clients and the servers. The NetScaler has a separate network interface to each client network and a separate network interface to each server network. The NetScaler and the servers can exist on different subnets in this configuration. It is possible for the servers to be in a public network and the clients to directly access the servers through the NetScaler, with the NetScaler transparently applying the L4-L7 features. Usually, vservers are configured to provide an abstraction of the real servers.

The following figure shows a typical inline deployment.

In one-arm mode, only one network interface of the NetScaler is connected to an Ethernet segment. The NetScaler in this case does not isolate the client and server sides of the network, but provides access to applications through configured vservers. One-arm mode can simplify network changes needed for NetScaler installation in some environments.

Citrix NetScaler as an L2 Device

A NetScaler functioning as an L2 device is said to operate in L2 mode. In L2 mode, the NetScaler forwards packets between network interfaces when all of the following conditions are met:

• The packets are destined to another device’s media access control (MAC) address.
• The destination MAC address is on a different network interface.
• The network interface is a member of the same virtual LAN (VLAN).

By default, all network interfaces are members of a pre-defined VLAN, VLAN 1. Address Resolution Protocol (ARP) requests and responses are forwarded to all network interfaces that are members of the same VLAN. To avoid bridging loops, L2 mode must be disabled if another L2 device is working in parallel with the NetScaler.

Citrix NetScaler as a Packet Forwarding Device

A NetScaler can function as a packet forwarding device, and this mode of operation is called L3 mode. With L3 mode enabled, the NetScaler forwards any received unicast packets that are destined for an IP address that it does not have internally configured, if there is a route to the destination. A NetScaler can also route packets between VLANs.

In both modes of operation, L2 and L3, a NetScaler generally drops packets that are in:

• Multicast frames
• Unknown protocol frames destined for a NetScaler’s MAC address (non-IP and non-ARP)
• Spanning Tree protocol (unless BridgeBPDUs is ON)