NetScaler 11 – BRING IT ION!
Synergy time again and Citrix have moved back to the theme park capital of the world to host their biggest gathering of customers of the year and clearly, there’s no better time to announce the beta of NetScaler 11, the latest firmware release for their next generation Application Delivery Controller (ADC).
Whole number firmware releases don’t come around that often in the NetScaler world (NetScaler 10.0 was back in April 2012) but ‘Project Ion’ as it’s been called internally has enough new features and enhancements to be granted an ‘x dot o’ status so it’s got Citrix excited – here’s the lowdown.
With Juniper deciding to leave the SSL VPN market and Microsoft calling it a day with their TMG offering, there’s certainly some potential market share available around security so first up is Unified Gateway – another re-brand of the Citrix Access Gateway (commonly known as the CAG) or is there a bit more to it…?
The challenges facing those responsible for service security are changing. Not so many years ago, all of the services delivered to remote users lived in one place – the corporate data centre. This made life easy for the security guy as there was one location to secure with one access point for the user and a simple life was had by all but things have moved on and the challenges have increased dramatically.
A typical user looks very different today. While traditional enterprise apps and desktops may still be delivered by XenApp/Desktop (XA/D) via the Citrix ICA protocol (often with a VPN thrown in for good measure), content from SaaS providers, Web Apps and the need to secure content to mobile devices have increased the number of point solutions in the security stack, making the data centre infrastructure rigid and hard to manage and increasing the total cost of ownership.
The new Unified Gateway therefore builds on the commonly used features of its predecessors (the NetScaler Gateway and the Access Gateway) such as an SSL VPN and End Point Analysis with some pretty cool new features to help keep users in check and data secure.
For those administrators (and Bob Marley fans) who need to be Ion like a Lion in Sign-on (see what I did there?), Smart Access gets a significant overhaul. The existing NetScaler Gateway is often used to provide the access point to XA/D for remote users with the Smart Access feature on the NetScaler assessing the user/end point and effectively telling the XA/D farm what security policies to apply to the user session. This can be around printing, drive mapping or USB redirection (to name a few), which ultimately reduces the risk of sensitive data leaving the network. The key here is that to date, these policies have been applied by the XA/D farm based on what the NetScaler has told the farm the policies should be.
In larger deployments, this can cause some management challenges as users may access two, three or more XA/D farms due to the architecture of the environment or for GSLB purposes such as site failover or the user roaming between territories. As a result, the user access policies need to be managed individually on each XA/D farm that the user may access. Potentially, that’s a lot of work for someone…
Smart Access 2.0 allows these policies to be applied by the NetScaler, effectively acting like a firewall blocking individual channels of the Citrix ICA protocol stream to control what the user can or cannot do in the session (regardless of which farm the session has come from) so it’s no longer necessary to apply and manage the policies on each individual XA/D farm. One policy managed on the NetScaler system or duplicate policies managed in each farm location including all of the potential GSLB scenarios? Sounds good to the customers I’ve discussed it with so far. Add in ICA auditing which offers a cut down version of HDX Insight for those who need to focus more on auditing rather than granular service visibility plus a new Geo-fencing capability that allows administrators to restrict access from particular territories and we can start to see the value proposition stack up, but there’s more…
Unified Gateway merges the authentication mechanisms of the Access Gateway and NetScaler’s Authentication, Authorisation and Auditing (AAA) features to allow users to sign on to a single Gateway and access all of their services such as web apps (same domain and different domain!), enterprise apps, their XA/D session, XenMobile, cloud apps and a new secure RDP proxy without the need for additional authentication. AAA debug and authentication vServer testing in the GUI? Don’t mind if I do! Authentication visualiser – magic!
Those who have struggled in the past will rejoice at fully customisable Gateway landing pages (per page/vServer) and yes, they will still be there when you reboot the appliance 🙂 Page title, header logo and position, field titles (Username, Password etc), legal disclaimer, fonts, form title, centre logo, logon button, watermark and background – it might only be a way to make things look pretty but it will be very well received.
The Clientless VPN Infrastructure gets an overhaul with off the shelf support for SharePoint and OWA and there are new client plugins for Android & Linux (no more Java). When it comes to security, NetScaler 11 lets administrators rule with an Ion fist!
NetScaler has had some big wins in the Telco sector following the acquisition of ByteMobile in 2012. In an industry that has its own set of unique challenges, Citrix is looking to strike while the Ion is hot (there’s more) to help support the massive growth in subscribers and services with Carrier Grade Network Address Translation (CGNAT) helping to overcome the depletion of IPv4 addresses, the slow adoption of IPv6 addresses and the need to support mixed mode IPv4 and IPv6 service delivery networks – critical if the Internet of Things (IoT) is to deliver all it promises to be.
DNS Logging to support the auditing of client requests, DNS responses, detection of DNS attacks and DNS troubleshooting clearly have their own values, with Subscriber Awareness allowing control over mobile user data plans, services, optimisations and usage. NetScaler’s TCP optimisation stack adds Nile (Illinois) to the previously introduced Westwood+, BIC and CUBIC to increase data flows by up to 30% and there are new SLA management features to help Telcos maximise their cost advantages.
NetScaler 11 also adds a range of Core ADC enhancements starting with the appliance infrastructure. Clustering of up to 32 NetScaler appliances is now supported at Layer 3, meaning clusters can now reside across subnets/multiple sites with support for Equal Cost Multi-Path (ECMP) routing.
Admin Partitions (originally introduced in an enhancement release or ‘e build’ in November 2014) now make it into the core functionality, allowing each NetScaler appliance to be logically carved up between multiple administrators. Each partition has its own NetScaler configurations, own administrators/users (super users have global control of all partitions) and a subset of appliance resources such as bandwidth, memory and connection pools, all of which combine to effectively allow each admin partition to function as a stand alone NetScaler ADC. NetScaler leads the way when it comes to deployment flexibility with SDX appliances allowing multiple NetScaler ADCs to run on a single piece of tin, Traffic Domains allowing isolation of traffic flows within each ADC and now Admin Partitions allowing logical isolation of administrator actions within each ADC too. Following success with the initial release, Admin Partitions get additional functionality in NetScaler 11 with AppFirewall, AAA traffic management and Integrated Caching among a number of other features added to the supported list.
Insight Centre gets a new distributed architecture for greater resilience and, more importantly, scale, as existing Web Insight production deployments have shown 10k HTTP requests per second can generate over 1Gbps of AppFlow records, which can throw up some challenges. SPDY on steroids: HTTP 2.0 support out of the box allows existing HTTP 1.1 content to be converted on the fly, with NetScaler acting as an HTTP 2.0 gateway for super quick service delivery to supported endpoints. MobileStream Front End Optimisation gets a tweak or two allowing support of XenMobile, interoperability with AppFirewall and further image compression capabilities with WebP and JPEG XR.
Some of our higher-compliance organisations love the new n-factor authentication, which allows risk based policies to challenge users for additional credentials only when the risk level is appropriate. This could be a known user accessing the network from an unusual territory or using a new laptop that the organisation wants to double check to be safe before letting them in. There are some new SAML Identity Provider features combined with new SAML Service Provider features such as Single Sign Out that look to have some real value. For SSL, ECDHE ciphers are now supported on MPX & SDX appliances and the big news for VPX users is TLS 1.1/1.2 support with a few new features such as SAN certificates, SSL profiles and auto certkey format detection thrown in for good measure.
There’s much more to NetScaler 11 but I’m afraid you’ll have to wait until late Q2 to get your hands on it while Citrix Ion out the kinks in the beta code (that’s the last one, I promise).
© Al Taylor
12th May 2015