
NetScaler Release 10.5 For Technical Decision Makers

Overview and Features

10 June, 2014
Overview

• NetScaler major release, 2014


• Over 100 features in Beta 1
• New feature highlights
ᵒ NetScaler MobileStream™
ᵒ Core
• Policy Variables, TCP Optimizations, Traffic Domains, Link Redundancy

ᵒ Load Balancing
ᵒ Cisco Technologies

© 2014 Citrix
New Licensed Features

Feature / Platinum / Enterprise / Standard
Policy Variables ✔ ✔ ✔
Traffic Domains ✔ ✔ ✔
LLDP ✔ ✔ ✔
Link Redundancy ✔ ✔ ✔
Application Firewall ✔ *
Cisco: RISE* ✔ ✔
Cisco: vPath* ✔ ✔ ✔

NetScaler MobileStream™ / Platinum / Enterprise / Standard
NetScaler MobileStream™ ✔ ✔
SPDYv3, MPTCP, BIC TCP, CUBIC, TCP Westwood ✔ ✔ ✔
Domain Sharding, Prefetch, Image Opt, CSS & JS Opt, Lazy loading ✔ ✔
MicroVPN for Mobile Devices (NetScaler Gateway) ✔ ✔ ✔

* Note: Only RISE or vPath can be enabled at one time per NetScaler instance
* Available as an a-la-carte feature

NetScaler MobileStream™
Front End Optimization (FEO)
Importance Of Mobile User Acceleration

• Optimization historically focused on optimizing and reducing load at the backend.
• With the current trend of mobility, NetScaler focuses on faster and efficient web content delivery by optimizing the web page components most dependent on client side processing.

[Figure: FEO at the center, surrounded by the labels "Every device unique", "Retina displays", "Screen size different", "Web browser different", "Firmware different", "Connectivity location different" and "Network speed different".]

Mobile Acceleration Improves Your Mobile Clients’ Experience


What is MPTCP?
• Transport layer protocol
• Coexist with TCP
• Provides fault tolerance and path failover
• Increase throughput by using multiple paths
• Availability
ᵒ RFC 6824
ᵒ Linux distribution (Standard & Android)
ᵒ BSD in development

[Figure: protocol stack. Application/Session: HTTP; Presentation: SSL; Transport: MPTCP over TCP-1, TCP-2 ... TCP-n.]
[Figure: TCP Options, MP_CAPABLE. Establish secure token on first subflow (SF #1); subsequent subflows use the secure token from SF #1 to connect.]
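
The token exchange on this slide, worked through as an added example (not from the Citrix deck). It follows RFC 6824, where the token is the most significant 32 bits of the SHA-1 of the key carried in MP_CAPABLE and an MP_JOIN SYN on a later subflow presents that token; the option bytes, key and function names are constructed for illustration.

```python
import hashlib
import struct

MPTCP_KIND = 30                  # TCP option kind used by MPTCP (RFC 6824)
MP_CAPABLE, MP_JOIN = 0x0, 0x1   # MPTCP option subtypes

def token_from_key(key: bytes) -> int:
    """RFC 6824 token: most significant 32 bits of SHA-1(key)."""
    return struct.unpack("!I", hashlib.sha1(key).digest()[:4])[0]

def parse_mptcp_options(opts: bytes) -> list:
    """Walk a TCP options field; return decoded MP_CAPABLE and MP_JOIN SYN options."""
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # NOP padding is a single byte
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("truncated or malformed TCP option")
        body = opts[i + 2:i + length]
        if kind == MPTCP_KIND and body:
            subtype = body[0] >> 4
            if subtype == MP_CAPABLE and length in (12, 20):
                found.append({"type": "MP_CAPABLE", "version": body[0] & 0x0F,
                              "sender_key": body[2:10]})
            elif subtype == MP_JOIN and length == 12:   # SYN form of MP_JOIN
                found.append({"type": "MP_JOIN", "addr_id": body[1],
                              "token": struct.unpack("!I", body[2:6])[0]})
        i += length
    return found

def subflow_belongs_to(conn_key: bytes, join_syn_opts: bytes) -> bool:
    """True if an MP_JOIN SYN presents the token derived from this connection's key."""
    joins = [o for o in parse_mptcp_options(join_syn_opts) if o["type"] == "MP_JOIN"]
    return any(o["token"] == token_from_key(conn_key) for o in joins)

# Constructed sample values (not captured traffic).
SERVER_KEY = bytes.fromhex("0102030405060708")
SF1_SYNACK_OPTS = bytes([30, 12, 0x00, 0x81]) + SERVER_KEY    # MP_CAPABLE on SF #1
JOIN_SYN_OPTS = bytes([1, 1, 30, 12, 0x10, 2]) + struct.pack(  # NOP, NOP, MP_JOIN
    "!II", token_from_key(SERVER_KEY), 0x11223344)             # token, then nonce
```
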
High-Speed Enablement
SPDYv3: Next Generation HTTP
• Proposed as HTTP 2.0

BIC TCP: For High Speed Variable Latency Networks
Send large amounts of data quickly over long distances

CUBIC: For High Speed Unreliable & Lossy Networks
Simplified window control
• RTT window size

How NetScaler Optimizes The Front-End

Domain Sharding

• Change embedded URLs to use sub-domains and trick the browser to open more connections

Minimize & Optimize Order of CSS & JS

• Remove unnecessary characters & space


• Simplify processing & reduce download time to client device
• Move CSS & JS objects to end of HTML body
• Inline Download

Image Optimization

• JPG optimize, Convert GIF to PNG, Image Lazy load, Image shrink to display attributes of the user-device

Core
Conversion from Java to HTML5

• 1000s of Views now only in HTML5


• Load time reduced by over 50%
• Improved user efficiency
• Following areas will be converted in a 10.5 maintenance
release
• AppFW, Visualizer, Diagnostics

Core Feature

• Policy Variables
ᵒ Store a token (data) from the request or response in a system variable
ᵒ Reference stored data for
• Fully customized session persistence
• Internal computation
• Policy processing

LLDP Support

• Allow stations attached to an IEEE 802 LAN to advertise System Information. Helps to create network topology.
• System information advertised
ᵒ Capabilities
ᵒ Management addresses
ᵒ Connectivity information

LLDP Info consist of multiple TLVs
TLVs must be in following sequence
[Figure: frame layout. Dst MAC (01-80-C2-00-00-0E) | Src MAC | Ether Type (88-CC) | LLDP Info]
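
A parser for the frame layout on this slide, as an added example (not from the Citrix deck). It checks the destination MAC and EtherType shown above, walks the TLVs, and enforces the IEEE 802.1AB ordering (Chassis ID, Port ID and TTL first, End of LLDPDU last), which is assumed to be the sequence the slide's lost graphic showed; the sample frame and function names are constructed for illustration.

```python
import struct

LLDP_DST = bytes.fromhex("0180c200000e")   # destination MAC shown on the slide
LLDP_ETHERTYPE = bytes.fromhex("88cc")     # EtherType shown on the slide
TLV_NAMES = {1: "Chassis ID", 2: "Port ID", 3: "TTL", 4: "Port Description", 5: "System Name",
             6: "System Description", 7: "System Capabilities", 8: "Management Address"}

def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length packed into two bytes."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

def parse_lldp(frame: bytes) -> list:
    """Return [(type, value), ...]; raise ValueError on a malformed LLDP frame."""
    if len(frame) < 14 or frame[:6] != LLDP_DST or frame[12:14] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    tlvs, i = [], 14
    while True:
        if i + 2 > len(frame):
            raise ValueError("no End of LLDPDU TLV")
        header = struct.unpack("!H", frame[i:i + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        value = frame[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length runs past the end of the frame")
        tlvs.append((tlv_type, value))
        i += 2 + length
        if tlv_type == 0:                  # End of LLDPDU
            break
    if [t for t, _ in tlvs[:3]] != [1, 2, 3] or len(tlvs[2][1]) != 2:
        raise ValueError("must start with Chassis ID, Port ID, 2-byte TTL")
    return tlvs

def advertised_info(frame: bytes) -> dict:
    """Summarise what the sender discloses to every listener on the segment."""
    info = {}
    for tlv_type, value in parse_lldp(frame)[:-1]:     # skip the End TLV
        name = TLV_NAMES.get(tlv_type, f"type {tlv_type}")
        if tlv_type == 3:
            info[name] = int.from_bytes(value, "big")  # seconds
        else:
            text = tlv_type in (4, 5, 6)               # string-valued TLVs
            info[name] = value.decode("utf-8", "replace") if text else value.hex()
    return info

# Constructed sample frame (not captured traffic): header, four TLVs, End.
SRC = bytes.fromhex("020000000001")
SAMPLE = (LLDP_DST + SRC + LLDP_ETHERTYPE
          + tlv(1, b"\x04" + SRC) + tlv(2, b"\x05" + b"1/1")
          + tlv(3, struct.pack("!H", 120)) + tlv(5, b"ns-sample") + tlv(0, b""))
```
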

Ethernet jumbo frames
Big Payloads, Fewer Packets
• Reduced Protocol Processing
• Reduced Network I/O
• Less Packet switching
• Increased Throughput and Goodput
• Lowered CPU Usage

Traffic Domains

• Inter-Domain Routing
ᵒ Internally communicate across traffic domains. Virtual servers and services can now be in different traffic domains
• Rate Limiting per traffic domain
ᵒ Limit the …
• Number of requests per second from clients
• Number of Active Client Connections
• Maximum Bandwidth
• Rates can be
• SMOOTH - # of requests in a given interval of time spread evenly across the time slice
• BURSTY - # of permitted requests allowed to exceed the quota within the time slice
• Policies can be combined with others to create complex policy sets
• VMAC Support
ᵒ Map Traffic Domain by destination MAC instead of incoming VLAN
ᵒ VLANs can be shared across traffic domains

Dynamic Routing
• BGP
ᵒ Local-AS command, ECMP routes
ᵒ Address-prefix ORF based on RFC 5291 and RFC 5292.
• OSPFv2
ᵒ LSA Throttling
• OSPFv3
ᵒ NSSA & Link LSA Suppression (RFC 5340)
ᵒ Multiple address families (RFC 5838)
ᵒ Distance, Summary address, distribute-list commands
• ISIS
ᵒ ISIS manual area expansion feature improved from 3 to 254
ᵒ Priority-driven convergence (RFC 5130)
ᵒ Restart signaling (RFC 5306), pre-route calculation

Link Redundancy

• LR Trigger for LACP channels
ᵒ Set a minimum bandwidth for dynamic LACP channels. When throughput falls below threshold, a link failover is triggered to make another channel.
ᵒ For HA pair, when all channels reach threshold, trigger HA failover.
• LR Trigger for generic channels
ᵒ Fail to another channel (to a redundant switch) when threshold reached

How it works?
• At any point of time only one channel will be active.
• When one of the active links fails, and lrMinThroughput is hit, we select a subchannel with high throughput and make it active by resetting all other interfaces.

[Figure: two panels, each showing Switch X, Switch Y and Switch Z with Key 1, Key 2 and Key 3 and LACP Key 4; the second panel is labelled "One of the active link fails – Min threshold is hit".]

Orchestration

Python SDK
• NITRO API SDK in Python for better server side scripting. Python SDK will be available and supported with python 2.7 and 3+.

Dynamic Routing
• NITRO API support for routing protocols. Changes sync to all peers.

File Operations
• NITRO APIs for Upload, Download, Write and Read methods. Key functional requirements like SSL certkey will be able to get the benefits.

Other Commands
• NITRO APIs and commands for better system manageability
• Tech Support, batch, source, show nstrace, start nstrace, stop nstrace

Service Supporting Features

• Content Switching
ᵒ Multi-port CS
• Configure a CS vserver on a combination of ports
ᵒ DNS_TCP Support
• DNS_TCP protocol is now supported with a Content Switching Vserver
• Audit Logging
ᵒ Ability to distinguish whether the command is executed from CLI or the GUI
• AAA Session Stickiness
ᵒ LDAP, RADIUS, & TACACS: We now stick to the server where last session was
successful.

Service Supporting Features (cont)

• AAA-TM
ᵒ Custom error strings
ᵒ Backend HTTP Web-Form Authentication
ᵒ Strong Encryption Support in KCD/Kerberos (AES-256, RC4-HMAC)
• OWA Force Session Timeout
ᵒ Forced timeout on long-lived connections that are open for monitoring
• Client Certificate Pass-through
ᵒ In XenMobile deployments, a client-certificate is required to be passed to Storefront. Now send the client-certificate to any Application server. No configuration needed.
• Forms Based SSO – Relative URLs
ᵒ NS can take a relative URL and process it for Form based SSO

SDX SVM Manageability & 3rd Party Software

• CLI Support
• File management via NITRO
• AAA Support
ᵒ Use LDAP/TACACS/RADIUS for
SVM access
ᵒ Authorization & Audit log support
ᵒ Password expiration support
ᵒ For more details refer : AAA edocs
• Ethernet Jumbo Frames Support with SR-IOV
• Central SSL Cert & Key Management

Open service delivery platform for 3rd party services

Load Balancing
TM & DNS

LB: Increased number of service groups to 8000

DNS LB: CNAME record caching in Proxy mode


• NetScaler uses the DNS caching module to cache the CNAME record and send it from NS rather than fetching it every time

DNS: NAPTR
• NAPTR support on NS along with SRV records.

GSLB: Static proximity sync


• Auto sync of static proximity db

Diameter Support

• Rewrite & Responder


ᵒ New expressions allow the Admin to look up AVPs by
index, ID or name, examine the information in the AVP,
and send a response based on that information.

• Content Switching
ᵒ Diameter expressions on NS help with content parsing, and CS policies evaluate and route messages through different LB paths

SSL

• ECC Cipher Support


ᵒ More secure & faster ciphers available on N3-based MPX, SDX, & VPX
• ECDHE-RSA-RC4-SHA, ECDHE-RSA-DES-CBC3-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA

• Common Name Check


• Server Auth configuration is enhanced to accept “commonName” check. This check will be
performed on SSL certificates received from backend server
• SSL Profiles
ᵒ SSL profiles added for frontend and backend communication
• SSL Cert Chain
ᵒ Helps identify the certificates belonging to a chain and suggest if a cert is missing in the chain.

Database Deployment Support

MSSQL
• AlwaysOn HA: 1 service can now join 2 groups and be primary in one and secondary in the other
• Special Query Handling: queries can change either global or local properties of the server or connection. “use db” can be changed by NetScaler to reduce server-side connections.

MYSQL
• Transparent Deployment Mode: Audit log, AppFlow, & stream analytics transparently for DB connections
• Database-Specific LB: A database can be online or offline independent of others on the same server. New monitor enables DB state awareness.

Cisco Technologies
RISE, vPath, ACI Integration, + Management (DCNM)
Citrix NetScaler – Preferred ADC for Cisco Nexus

Nexus 1000v: vPath Integration
Nexus 7000: RISE Integration
Nexus 9000: ACI Integration

Sold and supported by Cisco

NetScaler 1000V in the Virtualized Data Center
[Figure: Virtualized/Cloud Data Center. Physical infrastructure (WAN Router, Switches, Servers) beneath a Nexus 1000V layer with vPath and VXLAN; Tenant A with Zone A and Zone B, served by ASA 1000V Cloud Firewall, Cisco Virtual Security Gateway, Cloud Services Router, NetScaler 1000v and vWAAS. Multi-Hypervisor (VMware, Microsoft*, RedHat*, Citrix*).]

Nexus 1000V
• Distributed switch
• NX-OS consistency

vWAAS
• WAN optimization
• Application traffic

ASA 1000V
• Edge firewall, VPN
• Protocol Inspection

VSG
• VM-level controls
• Zone-based FW

CSR 1000 (Cloud Router)
• WAN L3 gateway
• Routing and VPN

NetScaler 1000V
• Citrix NetScaler Application Delivery Controller
• Citrix NetScaler Web App. Firewall

NetScaler is the ADC for Nexus 1000V Virtual Networking

Key Advantages for NetScaler with vPath

• Dynamic NetScaler deployments in Multi-Tenant environment
• NetScaler gets benefits of intelligent service chaining with no worrying about VLAN stitching in dynamic virtual environments
• Preserve Client IP; No Source NAT or PBR required to send server return traffic to NetScaler
• No disruption to east-west / distributed services, that would normally happen with Source NAT

[Figure: Web, vWAAS, ASA 1000V Cloud Firewall, NetScaler 1000v and Virtual Security Gateway chained over vPath in front of VMs.]

vPath Service Chaining – Virtual Network Overlay
Policy based traffic steering through virtualized network services


[Figure: logical packet flow with numbered steps between VMs, Cisco VSG, Citrix NetScaler and the Cisco Nexus 1000V Distributed Virtual Switch with Cisco vPath, using vPath Encapsulation.]

NetScaler ADC supports Nexus 1000V vPath

Service Integration Challenges within Data Centers

Service Modules
• Tightly embedded with switch backplane
• Slot is expensive
• Performance bottleneck
• Scaling is difficult

Appliances
• Preserves slot space
• No performance bottleneck
• Static conns, No switch intelligence benefits
• Scaling is difficult

RISE-enabled appliances
• Operational efficiency
• Simplified manageability
• Performance advantage
• Mutual switch intelligence
• Multi-vendor ecosystem
• Scalable and flexible

NetScaler RISE provides best of both worlds!

Cisco Prime Network Services Controller
Configure NetScaler VPX from Prime NSC using Openstack Integration

[Figure: Cisco and Third-Party Management Ecosystem. Operation management tools (Cisco Intelligent Automation for Cloud, Cisco UCS Director, BMC CLM, OpenStack, CloudStack, other) sit above a single API into Cisco Prime Network Services Controller. Function labels include IP address management, image management, policy management, service configuration, system administration, license management, service chaining, configuration archive, VM lifecycle, change audit, capacity, monitoring and performance management. MultiService: N1KV, InterCloud, VSG (Zone-Based Firewall), ASA1000V (Edge Firewall), CSR1000V (L3 Router), Third-Party Device (VPX). MultiHypervisor: vSphere, HyperV, KVM, Xen. Hybrid Cloud: Amazon, Azure, Terremark.]

RISE Automated Policy Based Routing
• NS adds redirection rules as per configuration
ᵒ Sends the list of servers and the next hop interface
• N7K applies the rules for its local servers and propagates the rules for servers attached to the neighboring N7K
• No need for Source-NAT or manual PBR configuration
• Uses the RISE control channel for sending Auto PBR messages

[Figure: packet flow between the Internet, Nexus 7000 (APBR rules) and NetScaler.
0. Auto PBR: Configure a new service
1. Client → VIP
2. Client → VIP
3. Client → Server
4. Client → Server
5. Server → Client
6. Server → Client
7. VIP → Client
8. VIP → Client]

Preserve Client IP Visibility without the operation cost of Traditional Policy Based Routing

Automated Routing Updates – RHI
• Allows NetScaler ADC to advertise (add or delete) the VIPs to Nexus 7000 dynamically based on operational status of VIPs
• Route updates are communicated over the RISE control channel
• Routing protocols on Nexus 7000 can redistribute VIP routes to rest of the network

[Figure: Automated Routing Updates between NetScaler, Nexus 7000 and the Internet.]

RHI Pushes VIP Availability into Nexus Routing Layer

RISE Integration Feature Summary

• Discovery, Auto Attach, and Bootstrapping of NetScaler by N7k


• Support for both Direct and Indirect (L2) Attach of NetScaler to N7k
• Full VPC and VDC support
• Automated Policy-Based Routing (APBR)
• Service changes on NetScaler automatically add/delete PBR entries on Nexus 7000

• Route Health Injection (RHI)*


• NetScaler ADC advertises (add or delete) VIP routes to Nexus 7000 based on operational status
of VIPs. Faster than dynamic routing protocols such as OSPF
* Roadmap Q3 2014, subject to change

Auto-Discovery/Bootstrap of NetScaler by N7K
Directly Attached NS to Nexus7000 Line Card Ports

Four Simple Steps to Getting Connected
1. Create port-channel
2. Set up trunk vlans
3. Create rise service to get an assigned slot
4. Interconnect the NetScaler with the N7k

[Figure: NetScaler Appliance (ports 1/1, 1/2, 1/3, 1/4) and Nexus 7000 (ports 5/1, 5/2, 6/1, 6/2), "allow vlan 10, 21, 32-35". Labels: Auto discovery & bootstrap; Data & Control Channels Established; Virtual Slot ID assigned.]

NetScaler configuration is bootstrapped from N7K


Netscaler Appears as Virtual Service Module
N7k SUP recognizes NetScaler as a RISE service module.

switch# show module rise

Mod Ports Module-Type                         Model              Status
--- ----- ----------------------------------- ------------------ ----------
333 2     Netscaler                           NA                 ok

N7K SUP can attach a RISE module and access NetScaler CLI via SSH from N7K:

‘attach rise X’ to ssh to appliance/vm.

Fill in and Apply, Now or Later!

More RISE / DCNM Integration to Come (Not Yet Committed)

CISCO ACI - Application Centric Infrastructure

[Figure: Cisco ACI fabric. APIC with Nexus 9500 and Nexus 9300 and 9500 switches. Labels: Hypervisors and Virtual Networking, Compute, Storage, Physical Networking, L4–L7 Services, Multi DC WAN and Cloud, Nexus 7K, Nexus 2K, Integrated WAN Edge.]
