
Citrix vs F5

Kostas Skenderidis, Middle East FSE

F5 vs Netscaler

Quick Agenda

• Citrix in a Nutshell
• LTM vs Netscaler
• ASM vs Netscaler
• APM vs Netscaler
• GTM vs Netscaler

© F5 Networks, Inc - Confidential 2

Citrix – The Good, the Bad and the Ugly
Citrix Netscaler in a nutshell

The Good
• When attached to XenApp it makes a very compelling argument for the customer
• Very easy GUI for Load Balancing
• Their pricing model for Enterprise/Platinum
• Comes with Command Center & Insight
• It works!! (for most of the things)

The Bad
• Lack of technical depth on many of the features
• No user community (like DevCentral)
• Locks the customer in Citrix XA/XD/XM
• Sales people focused on XA/XD/XM

The Ugly
• No templates, deployment guides, iApps.
• No focus on security
• Extremely weak WAF
(Middle East related)
• Very weak channel
• No Professional Services

LTM vs Netscaler
Compete on Performance/Features
Make Citrix more expensive so that it is easier to compete
• vCMP
• Compression/Caching
• Compete on Layer 4 throughput
• Lack of 10Gbps platform
• High-End and Low-End platforms

Make F5 look better technically

• iApps
• Deployment Guides
• Other technical points


vCMP Compete

• vCMP is included in the LTM price of the BIG-IP platforms (5250v+).
• For Citrix, vCMP is not available on the Standard Edition (SE), but only in the
SDX version. SDX is significantly more expensive than SE (at least $35K-$100K per box).
Note: Usually all SDX appliances come with 5 or ALL instances enabled, except
the SDX-8015, which comes with only 2 vCMP instances enabled. Then the customer
needs to purchase an additional 3 instances ($15K) to reach to the platform

• F5 vCMP scales better for higher density of instances
• For each F5 vCMP instance, the management processes (like monitors) take
10% of the assigned CPU.
• Each SDX instance requires 1 entire CPU to be assigned for
management purposes. Therefore, if you create 4 SDX instances, you will
waste 4 CPUs for management purposes.


Compression & Caching

Compression and Caching are important functionalities of the ADC. F5
includes both of them in the basic LTM functionality, but Citrix requires
Enterprise Edition (EE) for Compression and Platinum Edition (PE) for
Therefore we can push the price of Citrix ($15K+) to be more expensive.

• F5 includes dedicated hardware cards to offload the compression from the
BIG-IP CPU. Citrix does the compression only on the CPU, hence the lower
performance metrics on HTTP compression.
• So, with Citrix, you are better off having the compression on the web servers.
Note: Many of the ADC operations (like rewrite, WAF, URL transformation, etc.) require the
responses not to be compressed.


Layer 4 Throughput

Netscaler limits the bandwidth based on the Layer 7 license. Even if
there are additional resources available on the box, it will not allow traffic to exceed
the maximum licensed throughput. The licensed throughput is applied to anything
that goes through the appliance.
F5 doesn’t force any limit on the throughput of the box and, in the 5000
series and above, it offers higher L4 throughput.
We can push Citrix to offer higher models that meet our Layer 4 capacities
when we do either of the following:
• When LTM is positioned inline and becomes the gateway of the internal
VLANs, there is a lot of traffic going through the box, even if it is not load
balanced (Gateway).

• When we can offer Layer 4 LB (instead of L7) and therefore we can achieve
higher throughput.


10Gbps Platform

Netscaler 8000 series offers two options.

• 8005 (5Gbps) -> $25K for Standard Edition (SE) + 10K for EE + 10K for PE

• 8015 (15Gbps) -> $48K for Standard Edition (SE) + 10K for EE + 10K for PE

When we influence the account for a 10Gbps solution, Citrix has to offer the 8015
to meet the throughput requirements, and this will create a significant price
difference compared with our 4000s (or even 4200v).

Note: Adding Caching and Compression would offer an even better price difference
between F5 and Citrix ($20K per box).


High-End & Low End Platforms
For high throughput, Citrix now offers the MPX/SDX 24xxx platform, which
starts with 100Gbps and scales up to 150Gbps.
• Compared to F5, the cost of these platforms is very high.
• 24100 starts with $170K for Standard Edition and goes up to $260K for the SDX version.
24150 is about $50K more expensive than 24100.
• Comparing that with the B2250 blade (80G L7/160G L4), we are significantly cheaper MPX-24100

Competing with MPX5x50

• Lack of 10Gbps interfaces (especially for 5650 that is a 5Gbps
• Lack of redundant power supply. MPX-5550



iApps is a great tool as it simplifies and speeds up the deployment process.

The Netscaler equivalent is AppExpert Templates. BUT:

1) They have not been updated for almost 2 years now (see screenshot
from the official site)

2) NONE of the templates are for the new NS versions 10.5 or 11.0.

3) Only a few of the templates are for 10.1 and many are for NS versions
that are EoL (9.0, 9.1, 9.2)


Deployment guides
Similar to iApps, deployment guides are equally
Netscaler has 10 deployment guides (Exchange,
Sharepoint, Lync, TMG, Oracle EBS, Citrix) whereas
F5 has more than 50 for LTM alone.
For the full list of deployment guides please see:
Citrix Deployment Guides
F5 Deployment Guides


Technical Points that can make a difference

Active-Active Configuration
• Active-Active configuration is very complicated in Citrix, and they try to avoid it. In such
a case they will push for Clustering. (Clustering as well as RD have several feature
limitations, such as stateful failover)
• Active-Active doesn’t support config propagation/sync. So the admin needs to do the
config on all boxes manually.
• During a device failure, Citrix will redistribute the Vservers based on a predefined list.
F5 can be load aware so that at the time of the failure it distributes the Vservers

Out Of Band Management

• OOB Management uses the same routing as the box. The only way to isolate it is by
adding policy-based routing and ACLs. This can prove to be a major security
concern, as a bad configuration can expose the internal network from the
management network.


Technical Points that can make a difference
• You cannot failover a single partition in case of a failure. (for example the gateway of
that partition). You need to failover the entire box.
• You cannot check the availability of your routes within the partitions
• Doesn’t support certain functionality within the partitions (like SSL-VPN or WAF)
• It doesn’t support stateful failover.

• Netscaler will fail over only if the devices cannot reach each other or if a route
becomes unavailable. It uses the Management IP to probe each other. By default it
uses all untagged VLANs unless forced to a single “sync” VLAN.
• There is no control on how to handle the services (restart/reboot/etc) that cause a

Stateful failover
• Netscaler doesn’t support HTTP or SSL mirroring for stateful failover


Technical Points that can make a difference

Priority Groups
• Netscaler doesn’t have priority groups for Load Balancing. It only supports Backup
Vserver. Therefore you cannot have the granular control that F5 gives you

Bandwidth Shaping
• Up to 10.5 (don’t know 11) Netscaler didn’t support bandwidth shaping. If you exceed
the assigned bandwidth, it dropped all new TCP connections. This could create a VERY
bad end user experience.

Client Authentication
• If you deploy client authentication, and the user doesn’t have the correct SSL-cert
installed, you cannot customize the response. Therefore the user will get “unable to
open the page”

SNI for the backend systems

• Netscaler doesn’t support SNI for the backend systems. You need to change the SNI
configuration on your backend servers (


Netscaler WAF vs ASM
Competing with Citrix WAF

Citrix WAF is lacking significantly against the ASM, although there have
been significant improvements in the last 2 years. I have summarized into 4
As we will see later, Citrix WAF is lacking in the following areas:
• Features

• Security

• Logging

• Reporting


Technical Points that can make a difference

Login Pages
• Netscaler doesn’t have the same functionality as our Login Pages. They can only do it
with their APM equivalent, which has its own limitations.

URL Learning
• Citrix learns the entire string on the URL (including the query string) which
can create several problems when the applications are using query strings.

Learning limited at 2000

• Netscaler learns up to 2000 suggestions per category. Especially with URLs
(with query strings), this limit can be reached very quickly.
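
The combined effect of the two points above (learning keyed on the full URL including the query string, and a cap of 2000 suggestions per category) can be modelled in a few lines. This is an added illustration, not Citrix or F5 code; the capped learner, the path-only key used for comparison and the sample traffic are constructed assumptions.

```python
from urllib.parse import urlsplit

LEARN_CAP = 2000  # per-category suggestion limit quoted on the slide


def learn(urls, key, cap=LEARN_CAP):
    """Run a capped learner over request URLs (hypothetical model).

    Returns (learned_keys, dropped), where dropped counts the distinct
    keys that could not be stored because the cap was already reached.
    """
    learned, dropped_keys = set(), set()
    for url in urls:
        k = key(url)
        if k in learned:
            continue
        if len(learned) >= cap:
            dropped_keys.add(k)
            continue
        learned.add(k)
    return learned, len(dropped_keys)


def full_url(url):
    """Learning key that keeps the query string, as the slide describes."""
    return url


def path_only(url):
    """Learning key that ignores the query string (comparison case)."""
    return urlsplit(url).path


def paths_covered(learned):
    """Application paths that have at least one learned entry."""
    return {urlsplit(k).path for k in learned}


def sample_traffic():
    # Constructed sample: one search page hit with 2500 distinct query
    # strings, followed by five other application endpoints.
    urls = [f"/search?q=term{i}&page={i % 7}" for i in range(2500)]
    urls += ["/login", "/account/profile", "/cart", "/checkout", "/api/orders?id=1"]
    return urls


if __name__ == "__main__":
    traffic = sample_traffic()
    for name, key in (("full URL", full_url), ("path only", path_only)):
        learned, dropped = learn(traffic, key)
        print(f"{name}: {len(learned)} learned, {dropped} dropped, "
              f"paths covered: {sorted(paths_covered(learned))}")
```

In this model a single query-driven page fills the whole table, so the login, cart and checkout URLs that arrive later never produce a suggestion.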

Response Code Learning

• Citrix doesn’t enforce (nor learn) the allowed responses from the page. They
can block it through the LB module, but the customer will lose visibility,
logs and learning.


Technical Points that can make a difference

Method learning
• Similar to response codes, methods are not learned/enforced.

L7 DDoS attacks
• Citrix supports rate limiting and HTTP DoS. On the rate limiting side, it is very
static (user or page exceeds X number of requests per second), and as it is
not part of the WAF it doesn’t provide learning suggestions and WAF logs.
• HTTP DoS functionality is so basic that it cannot really be used. It will provide a
JavaScript challenge (to Y number of transactions) if the application queue
is bigger than X. It will also not create learning violations and logs, as it is not
part of the WAF module.
• Comparing it with F5 L7 DDoS where you have granular control of all

• Citrix WAF doesn’t support web scraping protection. They can create a rate
limit on the LB module, but it will not create WAF logs and learning violation


Technical Points that can make a difference

Summary Page
• Netscaler is lacking a page that will consolidate all violations (and their
details) such as our manual Traffic Learning page.

Support of non-English Characters

• Although Citrix supports non-English characters, it encodes them before
displaying them in its GUI. Therefore the customer cannot actually review
the URLs, as they are not in a readable format.

Lack of HTTP headers

• Citrix doesn’t capture the HTTP headers (request and response) on the logs,
which makes the troubleshooting much more difficult.

ICAP Support
• Citrix doesn’t support the ICAP protocol, which leaves the application
vulnerable to malicious file uploads.


Technical Points that can make a difference

Logging data
• Netscaler logs only 1K of data, which limits the information that can be sent
to the SIEM for further analysis. In most of the cases URLs, violations will be
full when reviewing the logs. F5 supports up to 64K of data.
• Also, the logging information most of the time doesn’t give you the reason
why the transaction was blocked. For example, in a signature violation, it will
mention the signature and nothing else. You even have to go online to get
more info about the signature. The same applies to parameter violations.

• Signatures are enforced globally. This means that if you have a false
positive, you need to disable the signature for the entire site, leaving you
vulnerable to attacks on other parameters.
• Additionally, signatures are not learned (like many other things) and once
you review the logs, you need to go and manually disable them.
• F5 signatures are updated every 4 weeks. Citrix updates can take much
longer. At some point there were 6 months without an update. Also, Citrix
relies only on 3rd party signatures.


Technical Points that can make a difference

SQL/XSS signatures.
• (until version 10.5) Same vulnerability as the signatures, if you had a false
positive on one parameter, you had to disable the entire XSS/SQL signatures
for that parameter.

Evasion techniques and RFC compliance

• You cannot disable any of the evasion techniques and RFC compliance. If
any part of the application has a false positive, you need to disable the WAF

• There is NO reporting environment except for a SYSLOG GUI to review the
internal syslogs. (by the way, up to v11 the GUI is vulnerable to XSS attacks
that is displaying - ).

Blocking clients that generate multiple attacks

• Netscaler lacks this functionality

IP reputation
• Netscaler lacks this functionality

Technical Points that can make a difference

• It is very complicated for Geolocation to be applied on Netscaler. On top of
that only in v11 the geolocation is available on the logs. F5 has a simple
geolocation selection filter.

• Very few of the points are learned from the GUI (as F5 allows you to do). Most of
the things need to be reviewed from the syslog view and manually entered on
the WAF config page.

Many more
• Correlation, Captcha challenge, Violation Rating, Flows, Redirection
protection, No templates, No Deployment Guides, Session IDs on the url,
and the list goes on…..


Violation lists between F5 and Citrix


Netscaler AAA vs APM
Technical Points that can make a difference

It will do the basics. On version 11 they tried to copy F5’s APM on few
Multi Domains
• Netscaler SSO works only on the same domain. It cannot work across
multiple domains.

Page customization
• Only on version 11, they have added the concept Webtops. Still you cannot
fully customize your to look like your own pages. Even if you do customize
the first page (needs a LOT of tweaking) you cannot offer multiple pages
depending on the customer.

Authentication page is on different URL

• When you are prompted with the page to enter the credentials, it needs to be on a
different FQDN. So the browser needs to be redirected back and forth. You
also need a different public IP address.


Technical Points that can make a difference

Visual Policy Editor

• Citrix tried to do something similar to version 11, but it only scratches the
surface from what APM VPE can achieve. If you want have a look at (watch between 31’-33’)

OTP & Captcha

• Lack of OTP and Captcha. Even the integration with Google Captcha is not an
easy task.

• As you add rules on what each type of user is allowed to do and under which
condition, Citrix is a nightmare to configure.

• Very limited reporting on who is connected to the appliance.
• If you want to see login failures, only some info is available in the syslog.

Netscaler GSLB vs GTM
Technical Points that can make a difference

• If Citrix GSLB is used as a standalone box, then there is no integration with
the Load Balancing appliances (even if it is Netscaler). It will probe it as a
normal web server and therefore cannot get information regarding load,
connections, of the backend services (adding the extra load of each

DNS Firewall features

• Lack of DNS protocol validation and DNS firewall features that GTM can have
with the addition of AFM

Command propagation
• When running on top of the Load Balancing module, you need to do the
configuration manually in each site.

Full DNS server

• Citrix agrees that they are not a full DNS server, as they don’t cover all the
resource records (they cover the most common) and they don’t support
features such as zone transfer.

• When it comes to Load Balancing only, we are better but we can also be
cheaper than Citrix!!!
• When we add more modules (ASM, APM) we are technically far better
• We have modules that Citrix cannot compete with (AFM, Websafe, SWG)
• As part of our normal support we have “Emergency Security Response
Offering” that can assist customers that are under an attack.
• AND of course all the other benefits that mentioned on the official CAT

If I can be of further assistance please contact me: | +971 55 488 2658