NetScaler 10 Overview - SKM

NetScaler 10 Overview

NetScaler 10.5
NetScaler 10.5 delivers a high-quality mobile experience in service provider and enterprise cloud environments.
Mobility and cloud services are changing datacenter networks
Diagram: BYO desktops, mobility, SaaS apps, enterprise apps and data.

10.5 – Cloud services and mobility support
• Cloud-ready services platform
• BYOD is changing client requirements → optimization for mobile devices
• Distributed apps break app monitoring → cloud-ready visibility tools
Layer 4 Load Balancing
TCP and UDP client requests

Maintaining user sessions (persistence):
• Source IP
• Cookie
• SSL Session ID
• Server-ID in URL query
• Custom Server-ID

Distributing traffic (load balancing methods):
• Least Connections
• Lowest Response Time
• Hash-based
• Token (header or body)
• Many more…

Monitoring server health and availability:
• TCP Connection
• HTTPS Connection
• SNMP-based
• Extended Content Verification
• IBM SASP
• Scriptable health checks
Content Switching: Load Balancing on Steroids
HTTP requests:
• Request method (HTTP GET, HTTP POST)
• Anything in the request body
• Any HTTP payload value
• Cookie
• Domain
• Wildcard URL
Client attributes:
• Device type
• Language
Request protocol:
• Any TCP request
• Any TCP payload value
Global Application Availability
Diagram: Site A and Site B serving B2C, B2B and P2P traffic.
Integrated Application Firewall
Diagram: web app users on the Internet pass the network firewalls and Citrix NetScaler before reaching the application infrastructure; legitimate traffic is allowed through, application attacks are blocked.
• Blocks dozens of day-zero attack vectors, including CSRF, XPath injection and XML attachment checks
• Bi-directional inspection: advanced attack prevention
• SSL traffic supported
• Sustained protection to 12 Gbps
• ICSA certified
NetScaler TriScale Technology
NetScaler with TriScale Technology:
• Scale Up, elastic with "Pay-As-You-Grow": "Increase capacity up to 5x. Without additional hardware."
• Scale In, simple with "Many-In-One": "Up to 40 instances on one box."
• Scale Out, expandable with "Add-and-Go" (clustering): "Megabits to terabits. Without downtime."
Scale In: NetScaler SDX
• Instances, not partitions
  ᵒ Memory, CPU and SSL isolation
  ᵒ Version/lifecycle independence
  ᵒ Complete isolation
  ᵒ Separate routing domain
  ᵒ Independent routing and IP stack
  ᵒ Independent connection table, ACLs, etc.
• Network isolation
• Separate licensing and versioning
• Integrated service VM
• 3-40 instances on one platform

3rd-party support on NetScaler SDX
Hosting of 3rd-party services
Clustering
Diagram: hardware appliance (1 app, very fast), virtual appliance (many apps), multi-tenant appliance (easy to manage).
• True clustering: data and management plane
• High scalability: management + performance
• Every form factor: cluster VPX, MPX, or SDX

Scale Out – Clustering now also for SDX
Diagram: clusters within a single SDX; clusters across instances; one large system across multiple boxes (up to 32).
• Capacity can be extended on demand
• High efficiency through active/active operation
• One image for configuration and management
• Health check framework / response sharing
• One VIP can span multiple boxes
Citrix NetScaler – the multifunction solution
• Price-performance
• Deployable anywhere
• Multi-tenant
Diagram: physical platform (hardware), virtual platform (software), software on hardware.
NetScaler always has the same functionality, independent of the platform.
VIP Support: Striped & Spotted
Diagram: N+1 NetScaler cluster (400 Gbps) in front of a large server farm; Internet clients reach a striped VIP, while spotted VIPs host Action Analytics and App Firewall.
• Striped VIPs: functional modules on every node
• Spotted VIPs: run a specific function on specific nodes
• Not every module needs scalability
Extended TriScale Cluster Functions
• Basic Networking
• Path MTU Discovery
• Content Switching
• TCP Buffering
• OSPF
• IPv6 support
• DataStream
• DDoS
• RIP
• Cache Redirection
• DNS Load Balancing
• Client Keep-alive
• BGP
• Web logging
• Rate Limiting
• HDOSP/PQ/SC support
• VLAN
• INAT
• ActionAnalytics
• Surge protection
• ICMP
• IP-ID
• HTTP Callout
• Fragmentation
• SNMP
• HTTPS Callout
• Policy Infrastructure (PE/PI)
• MAC-Based Forwarding
• IP-IP tunneling
• AAA-TM
• Rewrite
• IS-IS Routing
• Transparent LB
• Responder
• RNAT
• Basic Load Balancing
• GSLB
• Integrated Caching
• ACL
• FTP
• Application Firewall
• Simple ACL
• Load Balancing Persistency
• RTSP
• XML XSM
• PBR
• SIP
• Compression Control
• syslog and nsauditlog
• MSR
• Spillover
• Content Filtering
• Policy-based RNAT
• SSL (PI policy)
Optimize Mobile Client Experience
Multi-path TCP
Using an app over a 3G link is great: app access is done over standard TCP connections. Until the access point changes. Then the TCP connection must reset, leading to access delays. Multi-path TCP solves this by using two TCP connections; NetScaler can then unite the data.

Optimizing XenMobile with NetScaler
Citrix – The Most Complete Mobile Portfolio
Requirements of the mobile enterprise, Value on Investment (VOI):
• Mobile device management
• Sandboxed mail and web
• Mobile app security
• Mobile data control
• Mobile network control
• SSO and identity management
• Desktop and app virtualization
• Collaboration

NetScaler with XenMobile Integration
XenMobile Deployment Scenarios
1. Bastion host with simple config (LB, SSL, GUI)
2. Access control to mobile email (ActiveSync filter)
3. MDX / CloudGateway solution (CG + StoreFront + AG + XM)

Front-end Security
How? NetScaler provides high availability and security with built-in scalability.
Why? Provide complete security against external threats, scalable to over 100,000 concurrently connected users.
Diagram: XenMobile Device Managers (XDMs).

Policy Controls with NetScaler and XNC
How? With tight XenMobile integration, NetScaler filters access to Microsoft Exchange based on DeviceID.
Why? Protects in-line Exchange ActiveSync access against unauthorized and/or compromised access to the enterprise mail servers, with seamless blacklist/whitelist control. Helps corporate compliance.
Diagram: email access; allow secured mobile devices, block jailbroken devices; XenMobile MDM with XenMobile NetScaler Connector (XNC).

Scalable and Secure Access to Mobile Applications
How? Full SSL VPN tunnel with NetScaler Gateway and MicroVPN for app-level, policy-controlled tunneling for mobile apps and browser.
Why? Policy-driven access to corporate resources is essential, especially in BYOD.
Diagram: XenMobile MDM, AppController.
Analytics: NetScaler Insight Center
Diagram: NetScaler Insight Center (visibility and control, Action Analytics) and NetScaler Command Center (management and orchestration) over the NetScaler app delivery fabric, connecting mobile devices to virtual desktops, web apps, cloud services and data services.

Achieving Application Visibility with NetScaler
Combining NetScaler with analysis tools (NetScaler Insight Center and 3rd-party analysis tools, cloud and enterprise):
• NetScaler generates a wealth of application visibility data by way of AppFlow™
• NetScaler Insight Center is the best way to view Citrix-specific data

NetScaler Insight Center
• HDX Insight: analytics for XenApp and XenDesktop
• Web Insight: analytics for enterprise applications

Web Insight – Analytics for Enterprise Applications
• Break down detailed reporting on enterprise application use, even for SSL-encrypted traffic
• Correlate network metrics with application behavior
• Determine end-user experience without agents

HDX Insight – Analytics for XenApp and XenDesktop (via AppFlow)
• Gain visibility into end-user experience for virtual desktops, applications, and users for XenDesktop
• Correlate network data with application data with real-time metrics for effective troubleshooting
• Integrated with XenDesktop management tools

Integration with XenApp/XenDesktop Management
Diagram: Director (single infrastructure view) and NetScaler Insight Center (HDX Insight) over XenDesktop traffic; visibility, correlation & analysis; network visibility and drill-down.
• Real-time visibility into the end-user experience from the packet to the application.
• Secures XenDesktop from data leaks with tight integration and proper authentication of users.
• Single point of configuration to deploy the NetScaler solution for the XenDesktop infrastructure.
• Simplifies the transition from Web Interface to StoreFront from a single point of access.
Transition to IPv6 Infrastructure
NAT64 / DNS64, NAT46: IPv6 ready

Address translation (stateful) from IPv6 to IPv4
Diagram: IPv6 clients on an IPv6 network reach IPv4 web servers on an IPv4 network through DNS64 and NAT64.
• Conversion of packet headers
• Uses the IP/ICMP algorithm per RFC6154
• Translates unicast packets with TCP, UDP and ICMP

Translation (stateless) from IPv4 to IPv6
Diagram: IPv4 clients on an IPv4 network reach IPv6 web servers on an IPv6 network through the INAT table.
• Integrated INAT table
• Translation of IPv4 clients to IPv6
• Responses from IPv6 resources are translated back to IPv4
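As an added example (not from the deck or from Citrix), the stateful IPv6-to-IPv4 path described above in Python: DNS64 synthesizes a AAAA answer by embedding the IPv4 address in a /96 prefix, and a stateful NAT64 keeps per-flow state so that only replies to existing flows are translated back. The well-known prefix 64:ff9b::/96 and the public IPv4 address 198.51.100.1 are assumptions.

```python
import ipaddress

# Well-known NAT64 prefix (RFC 6052); assumed here, any /96 prefix behaves the same.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

def dns64_synthesize(ipv4, prefix=NAT64_PREFIX):
    """DNS64: answer a AAAA query for a name that only has an A record by
    embedding the IPv4 address in the low 32 bits of the NAT64 prefix."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))

def nat64_extract(ipv6, prefix=NAT64_PREFIX):
    """NAT64: recover the IPv4 destination from a prefix-embedded IPv6 address.
    Returns None when the packet is not addressed into the NAT64 prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))

class StatefulNat64:
    """Stateful translator: one public IPv4 address on the IPv4 side and a
    per-flow port mapping so that replies can be matched back to the IPv6 client."""
    def __init__(self, public_v4, first_port=40000):
        self.public_v4 = public_v4
        self.next_port = first_port
        self.flows = {}    # (v6 src, src port, v4 dst, dst port) -> NAT port
        self.reverse = {}  # NAT port -> (v6 src, src port)

    def outbound(self, src6, sport, dst6, dport):
        """IPv6 -> IPv4: returns the translated (src4, sport, dst4, dport) header."""
        dst4 = nat64_extract(dst6)
        if dst4 is None:
            raise ValueError("destination is not inside the NAT64 prefix")
        key = (src6, sport, dst4, dport)
        if key not in self.flows:          # new flow: allocate a NAT port
            self.flows[key] = self.next_port
            self.reverse[self.next_port] = (src6, sport)
            self.next_port += 1
        return (self.public_v4, self.flows[key], dst4, dport)

    def inbound(self, src4, sport, dport):
        """IPv4 -> IPv6: only packets matching an existing flow are translated;
        unsolicited IPv4 traffic has no state and is dropped (None)."""
        if dport not in self.reverse:
            return None
        client6, cport = self.reverse[dport]
        return (dns64_synthesize(src4), sport, client6, cport)
```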
NetScaler as Authentication Point
Diagram: NetScaler Access Control (AAA module, single sign-on) in the DMZ in front of web services, SharePoint, file servers, Exchange, licensing, SQL, DNS, RADIUS, LDAP and XenApp & XenDesktop.
NetScaler is the authentication point in the DMZ:
• User authentication (reverse proxy) via certificate, OTP, LDAP
• Termination of HTTP, ICA, SQL and SSL VPN tunnels
• Inspection of HTTP traffic against web app firewall rules
• Kerberos Constrained Delegation (KCD) based on client certificates
• SAML 2.0
• Dynamic CRL checking and issuer validation
NetScaler Access Control
Table (support marks not recoverable): client-side authentication (CAC/smart card at the SSL/TLS layer, HTTP Basic, form-based, Kerberos, NTLM) against server-side authentication (Kerberos Constrained Delegation; non-Kerberos HTTP Basic, Digest, NTLM; SAML version 1 and version 2).
Application Delivery Controllers: Powering Cloud, Mobile and Data Networks
Diagram: cloud infrastructure and enterprise datacenter; availability & performance, cloud scale, security & analytics, infinite flexibility; any user, any device, any location, any application, any data/information.
Work better. Live better.
Application Layer Security
Automatic Signature Updates for App Firewall
1. Enable signature protection
2. Tune/auto-updated signatures
3. Enable advanced security
4. Tune security policies

Comprehensive Application Protection
• Auto update of signatures from cloud-based services
• Simplifies detection against known application vulnerabilities
• Shortens Application Firewall deployment cycle
• Signatures based on public vulnerability databases (e.g. Snort, CVE, Bugtraq, etc.)

Vulnerability Scanner Integration
IBM AppScan and WhiteHat: run periodic scans of the protected website, then import the files into NetScaler.
Front End Optimization
Diagram: caching, stream optimization, image optimization, payload reduction, mobile, video.

SAML
• XML-based standard for exchanging authentication information
• Better security compared to the cookie-based approach
• Treated as the authentication protocol for the cloud
• Solves the SSO problem at the web browser layer
• Logical security domain:
  • Identity provider (producer of assertions)
  • Service provider (consumer of assertions)
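The consumer side of that division of roles, as an added example not taken from the deck: a service provider validating an assertion the identity provider produced (issuer, validity window, audience, subject). The assertion, the issuer URL and the SP entity ID are constructed sample values, and XML signature verification is left out; a real consumer verifies the IdP signature before reading any field.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # production code should parse with defusedxml

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from the page); the XML signature is omitted,
# so these checks cover assertion content only, after a signature has been verified.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2014-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-06-01T11:59:00Z" NotOnOrAfter="2014-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://netscaler.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _utc(stamp):
    """Parse a SAML UTC timestamp such as 2014-06-01T12:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consume_assertion(xml_text, expected_issuer, sp_entity_id, now_utc):
    """Service-provider checks on an IdP-produced assertion.
    Returns (True, NameID) on success or (False, reason) naming the failed check."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        return (False, "issuer mismatch: %r" % issuer)
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return (False, "missing validity window")
    now = _utc(now_utc)
    if not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        return (False, "assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return (False, "assertion not addressed to this SP: %r" % audiences)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return (False, "missing NameID")
    return (True, name_id)
```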