NetScaler 10.5 Overview
NetScaler 10.5 delivers a high-quality mobile experience in service provider and enterprise cloud environments.

Mobility and Cloud Services Are Changing Datacenter Networks
(Diagram: BYO desktops, mobility, SaaS apps, enterprise apps and data all meet in the datacenter network)
• 10.5: cloud services and mobility support, a cloud-ready services platform
• BYOD changes the client requirements: optimization for mobile devices
• Distributed apps break application monitoring: cloud-ready visibility tools

Layer 4 Load Balancing (TCP and UDP client requests)
Maintaining user sessions (persistence):
• Source IP
• Cookie
• SSL session ID
• Server ID in URL query
• Custom server ID
Distributing traffic (load balancing methods):
• Least connections
• Lowest response time
• IBM SASP
• Hash-based
• Token (header or body)
• Many more
Monitoring server health and availability:
• TCP connection
• HTTPS connection
• SNMP-based
• Extended Content Verification (the probe response must contain an expected pattern; a completed handshake alone is not enough)
• Scriptable health checks

Content Switching: Load Balancing on Steroids
Switch on HTTP request attributes:
• Request method (HTTP GET, HTTP POST)
• Wildcard URL
• Domain
• Cookie
• Anything in the request body
Switch on client attributes:
• Device type
• Language
Switch on the request protocol:
• Any TCP request
• Any TCP payload value
• Any HTTP payload value

Global Application Availability
(Diagram: Site A and Site B serving B2C, B2B and P2P applications)

Integrated Application Firewall
(Diagram: web app users on the Internet pass the network firewalls and Citrix NetScaler before reaching the application infrastructure; legitimate traffic is allowed through, application attacks are blocked)
• Blocks dozens of zero-day attack vectors, including CSRF, XPath injection and XML attachment checks
• Bi-directional inspection (requests and responses) for advanced attack prevention
• SSL traffic supported
• Sustained protection up to 12 Gbps
• ICSA certified

NetScaler TriScale Technology
"Up to 40 instances on one box."
"Increase capacity up to 5x. Without additional hardware."
• Scale Up: elastic with "Pay-As-You-Grow"
• Scale In: simple with "Many-In-One"
• Scale Out: "Megabits to terabits,
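The persistence, balancing-method and health-monitoring columns of the Layer 4 slide and the content-switching rules compose into a single routing decision per request: content switching picks a load balancing vserver, and the vserver picks a backend among its UP servers. The Python below is an added example of that composition and is not NetScaler code or its policy language; the vserver and server names, the cookie name NSC_PERS, the topology and the probe responses are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    method: str
    path: str
    host: str
    client_ip: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Server:
    name: str
    healthy: bool = True
    active_conns: int = 0
    response_time_ms: float = 0.0


def ecv_monitor(server: Server, probe: Callable[[Server], str], expected: str) -> bool:
    """Extended Content Verification: the server is UP only if the probe response
    contains the expected pattern. A TCP handshake or an HTTP 200 carrying an
    error page does not count as healthy."""
    try:
        server.healthy = expected in probe(server)
    except Exception:  # refused, timed out, reset: all mean DOWN
        server.healthy = False
    return server.healthy


class LBVserver:
    """Load balancing vserver: persistence first, then the LB method, UP servers only."""

    def __init__(self, name: str, servers: List[Server], method: str = "leastconn",
                 persistence: Optional[str] = None):
        self.name, self.servers, self.method, self.persistence = name, servers, method, persistence
        self._persist: Dict[str, str] = {}  # persistence key -> server name
        self._rr = 0

    def _persist_key(self, req: Request) -> Optional[str]:
        if self.persistence == "sourceip":
            return req.client_ip
        if self.persistence == "cookie":
            return req.cookies.get("NSC_PERS")  # assumed cookie name, illustrative only
        return None

    def select(self, req: Request) -> Optional[Server]:
        up = [s for s in self.servers if s.healthy]
        if not up:
            return None
        key = self._persist_key(req)
        if key is not None and key in self._persist:
            for s in up:
                if s.name == self._persist[key]:
                    return s  # stick to the persisted server while it is UP
            # persisted server is DOWN: fall through and pick a new one
        if self.method == "leastconn":
            chosen = min(up, key=lambda s: s.active_conns)
        elif self.method == "lrtm":  # lowest response time
            chosen = min(up, key=lambda s: s.response_time_ms)
        elif self.method == "hash":  # source-IP hash: same client, same server, no table
            digest = int(hashlib.sha256(req.client_ip.encode()).hexdigest(), 16)
            chosen = up[digest % len(up)]
        else:  # round robin
            chosen = up[self._rr % len(up)]
            self._rr += 1
        if key is not None:
            self._persist[key] = chosen.name
        return chosen


@dataclass
class CSPolicy:
    priority: int
    rule: Callable[[Request], bool]
    target: LBVserver


def content_switch(policies: List[CSPolicy], req: Request, default: LBVserver) -> LBVserver:
    """Policies are evaluated by priority; the first match wins, else the default vserver."""
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.rule(req):
            return pol.target
    return default


# Constructed topology for the example (not a real deployment).
mobile = [Server("mob1", active_conns=5), Server("mob2", active_conns=2)]
api = [Server("api1"), Server("api2")]
web = [Server("web1", active_conns=3), Server("web2", active_conns=1)]
vs_mobile = LBVserver("vs_mobile", mobile, method="leastconn")
vs_api = LBVserver("vs_api", api, method="hash")
vs_web = LBVserver("vs_web", web, method="leastconn", persistence="sourceip")

POLICIES = [
    CSPolicy(10, lambda r: "Mobile" in r.headers.get("User-Agent", ""), vs_mobile),        # device type
    CSPolicy(20, lambda r: r.method == "POST" and r.path.startswith("/api/"), vs_api),     # method + wildcard URL
    CSPolicy(30, lambda r: r.headers.get("Accept-Language", "").startswith("de"), vs_web),  # language
]


def route(req: Request):
    """Content switch to a vserver, then load balance inside it: (vserver, server or None)."""
    vs = content_switch(POLICIES, req, default=vs_web)
    srv = vs.select(req)
    return vs.name, (srv.name if srv else None)
```

The order inside select() is the security-relevant detail: persistence is honoured only while the persisted server is still UP according to the monitor, so a server the ECV probe has marked DOWN never keeps receiving stuck sessions.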
without downtime." Expandable with "Add-and-Go" clustering.

Scale In: NetScaler SDX
• Instances, not partitions: memory, CPU and SSL isolation; version/lifecycle independence; full isolation; separate routing domain; independent routing and IP stack; independent connection table, ACLs, etc.
• Network isolation
• Separate licensing and versioning
• Integrated service VM
• 3 to 40 instances on one platform

3rd-Party Support on NetScaler SDX
• Hosting of 3rd-party services on the SDX platform

Clustering
(Diagram: a virtual appliance and a hardware appliance each run one app, very fast; a multi-tenant appliance runs many apps and is easy to manage)
• True clustering: data plane and management plane
• High scalability: management plus performance
• Any form factor: cluster VPX, MPX or SDX

Scale Out: Clustering Now Also for SDX
(Diagram: clusters within a single SDX, clusters across instances, one large system across multiple boxes, up to 32)
• Capacity can be extended on demand
• High efficiency through active/active operation
• One image for configuration and management
• Health check framework / response sharing
• One VIP can span multiple boxes

Citrix NetScaler: The Multi-Function Solution
• Price/performance, deployable anywhere, multi-tenant
• Physical platform (hardware), virtual platform (software), software on hardware
• NetScaler always has the same functionality, regardless of platform

VIP Support: Striped and Spotted
(Diagram: Internet clients, an N+1 NetScaler cluster at 400 Gbps, a large server farm; the striped VIP fronts the server farm, spotted VIPs run Action Analytics and the App Firewall)
• Striped VIPs: functional modules on every node
• Spotted VIPs: run a specific function on specific
nodes only
• Not every module needs to scale

Extended TriScale Cluster Features
Basic Networking, Path MTU Discovery, Content Switching, TCP Buffering, OSPF, IPv6 support, DataStream, DDoS, RIP, Cache Redirection, DNS Load Balancing, Client Keep-alive, BGP, Web Logging, Rate Limiting, HDOSP/PQ/SC support, VLAN, INAT, ActionAnalytics, Surge Protection, ICMP, IP-ID, HTTP Callout, Fragmentation, SNMP, HTTPS Callout, Policy Infrastructure (PE/PI), MAC-Based Forwarding, IP-IP Tunneling, AAA-TM, Rewrite, IS-IS Routing, Transparent LB, Responder, RNAT, Basic Load Balancing, GSLB, Integrated Caching, ACL, FTP, Application Firewall, Simple ACL, Load Balancing Persistency, RTSP, XML XSM, PBR, SIP, Compression Control, syslog and nsauditlog, MSR, Spillover, Content Filtering, Policy-based RNAT, SSL (PI policy)

Optimize the Mobile Client Experience: Multipath TCP
Using an app over a 3G link works well: app access runs over standard TCP connections, until the access point changes. A standard TCP connection is bound to one client address, so it must be torn down and re-established, which delays access. Multipath TCP solves this by carrying one connection over several TCP subflows (two in the slide's example, one per network path); NetScaler terminates the subflows and reunites the data before it reaches the backend.

Optimizing XenMobile with NetScaler

Citrix: The Most Complete Mobile Portfolio
Requirements of the mobile enterprise, value on investment (VOI):
• Mobile device management
• Sandboxed mail and web
• Mobile app security
• Mobile data control
• Mobile network control
• SSO and identity management
• Desktop and app virtualization
• Collaboration

NetScaler with XenMobile Integration: Deployment Scenarios
1. Bastion host with a simple configuration (LB, SSL, GUI)
2. Access control to mobile email (ActiveSync filter)
3. MDX / CloudGateway solution (CloudGateway (CG) + StoreFront + Access Gateway (AG) + XenMobile (XM))

Scenario 1: Front-End Security
How? NetScaler provides high availability and security, with built-in scalability.
Why? Complete protection against external threats, scalable to over 100,000 concurrently connected users.
(Diagram: NetScaler in front of the XenMobile Device Managers, XDMs)

Scenario 2: Email Access Policy Controls with NetScaler and XNC
How? With tight XenMobile integration, NetScaler filters access to Microsoft Exchange based on the DeviceID.
Why? Protects in-line Exchange ActiveSync access against unauthorized and/or compromised devices, with seamless blacklist/whitelist control.
(Diagram: XenMobile MDM with the XenMobile NetScaler Connector, XNC; allow secured mobile devices, block jailbroken devices, help corporate compliance)

Scenario 3: Scalable and Secure Access to Mobile Applications
How? A full SSL VPN tunnel with NetScaler Gateway, and MicroVPN for app-level, policy-controlled tunneling for mobile apps and the browser.
Why? Policy-driven access to corporate resources is essential, especially with BYOD.
(Diagram: XenMobile MDM and AppController behind NetScaler Gateway)

Analytics: NetScaler Insight Center
(Diagram: the NetScaler App Delivery Fabric connects mobile devices to virtual desktops, web apps, cloud services and data services; NetScaler Insight Center provides visibility and control with Action Analytics; NetScaler Command Center provides management and orchestration)

Achieving Application Visibility with NetScaler
• NetScaler generates a wealth of application visibility data by way of AppFlow
• That data can be combined with 3rd-party analysis tools, in the cloud or in the enterprise
• NetScaler Insight Center is the best way to view Citrix-specific data

NetScaler Insight Center
• HDX Insight: analytics for XenApp and XenDesktop
• Web Insight: analytics for enterprise applications

Web Insight: Analytics for Enterprise Applications
• Detailed reporting on enterprise application use, even for SSL-encrypted traffic
• Correlate network metrics with application behavior
• Determine the end-user experience without agents

HDX Insight: Analytics for XenApp and
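What a DeviceID-based ActiveSync filter of the kind described in scenario 2 actually decides, as an added Python example; this is not the XNC or NetScaler code. It assumes the plain-query ActiveSync request form /Microsoft-Server-ActiveSync?Cmd=...&User=...&DeviceId=...&DeviceType=..., an MDM device inventory represented by a constructed dictionary, and that the authenticated user comes from the HTTP authentication the gateway already performed rather than from the client-supplied User parameter.

```python
from enum import Enum
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


# Constructed stand-in for the device inventory the MDM would sync to the filter.
MDM_INVENTORY: Dict[str, Dict] = {
    "APPL1234": {"user": "alice", "enrolled": True, "jailbroken": False},
    "APPL9999": {"user": "bob", "enrolled": True, "jailbroken": True},
    "ANDR5555": {"user": "carol", "enrolled": False, "jailbroken": False},
}
BLACKLIST: Set[str] = {"LOST0001"}  # explicitly denied device IDs (e.g. reported lost)
WHITELIST: Set[str] = set()          # if non-empty, only these device IDs may pass


def parse_eas_request(path_with_query: str) -> Optional[Dict[str, str]]:
    """Extract Cmd/User/DeviceId/DeviceType from a plain-query ActiveSync URL."""
    parts = urlsplit(path_with_query)
    if parts.path.rstrip("/").lower() != "/microsoft-server-activesync":
        return None
    query = parse_qs(parts.query)
    return {k: query[k][0] for k in ("Cmd", "User", "DeviceId", "DeviceType") if k in query}


def decide(path_with_query: str, authenticated_user: str,
           inventory=MDM_INVENTORY, blacklist=BLACKLIST, whitelist=WHITELIST) -> Tuple[Verdict, str]:
    """Fail-closed policy: only an enrolled, non-jailbroken device that belongs to the
    authenticated user, and is not blacklisted, reaches Exchange."""
    req = parse_eas_request(path_with_query)
    if req is None:
        return Verdict.BLOCK, "not an ActiveSync request"
    device = req.get("DeviceId")
    if not device:
        return Verdict.BLOCK, "missing DeviceId"
    if device in blacklist:
        return Verdict.BLOCK, "device blacklisted"
    if whitelist and device not in whitelist:
        return Verdict.BLOCK, "device not whitelisted"
    record = inventory.get(device)
    if record is None or not record["enrolled"]:
        return Verdict.BLOCK, "device not enrolled in MDM"
    if record["jailbroken"]:
        return Verdict.BLOCK, "device jailbroken"
    # The User= query parameter is client-supplied. Bind the device to the identity
    # established by the gateway's HTTP authentication instead.
    if record["user"] != authenticated_user:
        return Verdict.BLOCK, "device enrolled to a different user"
    return Verdict.ALLOW, "enrolled, compliant device of the authenticated user"
```

The DeviceId is a client-chosen string, so on its own it is not a credential; the filter only adds value when the identity it is bound to (the authenticated mailbox user) and the device state (enrolment, jailbreak status) come from sources the client cannot set.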
XenDesktop
• Gain visibility into the end-user experience for virtual desktops, applications and users of XenDesktop
• Correlate network data with application data using real-time metrics for effective troubleshooting
• Integrated with the XenDesktop management tools

Integration with XenApp/XenDesktop Management
(Diagram: XenDesktop traffic flows through NetScaler; NetScaler Insight Center feeds HDX Insight into Director for a single infrastructure view)
• Visibility, correlation and analysis: network visibility with drill-down, real-time visibility into the end-user experience from the packet to the application
• Secures XenDesktop against data leaks with tight integration and proper authentication of users
• Single point of configuration to deploy the NetScaler solution for the XenDesktop infrastructure
• Simplifies the transition from Web Interface to StoreFront from a single point of access

Transition to an IPv6 Infrastructure: NAT64 / DNS64 and NAT46 (IPv6 ready)
Stateful translation from IPv6 to IPv4 (NAT64 with DNS64)
(Diagram: IPv6 clients on an IPv6 network reach an IPv4 web server on an IPv4 network through DNS64 and NAT64)
• Conversion of the packet headers
• Uses the IP/ICMP translation algorithm of RFC 6145
• Translates unicast packets carrying TCP, UDP and ICMP
Stateless translation from IPv4 to IPv6 (NAT46)
(Diagram: IPv4 clients on an IPv4 network reach an IPv6 web server on an IPv6 network through the INAT table)
• Integrated INAT table
• Translation of IPv4 clients to IPv6
• Responses from IPv6 resources are translated back to IPv4

NetScaler as the Authentication Point
(Diagram: NetScaler Access Control with the AAA module and single sign-on sits in the DMZ in front of web services, SharePoint, file server, Exchange, licensing, SQL and DNS; RADIUS and LDAP serve as authentication backends)
NetScaler is the authentication point in the DMZ:
• User authentication (reverse proxy) via certificate, OTP or LDAP
• Termination of HTTP, ICA, SQL and SSL VPN tunnels
• Inspection of HTTP traffic against web app firewall rules
• Kerberos Constrained Delegation (KCD) based on client certificates
• SAML 2.0
• Dynamic CRL checking and issuer validation
• XenApp and XenDesktop

NetScaler Access Control (authentication matrix): client
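How DNS64 and stateful NAT64 on the IPv6 transition slide fit together, as an added Python example that is not NetScaler's implementation. It uses the RFC 6052 well-known prefix 64:ff9b::/96 to embed IPv4 addresses (NetScaler lets you pick the prefix; this is the default one), a constructed DNS zone, and a single NAT IPv4 address with a port-based session table; the stateless NAT46 direction is reduced to a static INAT lookup on a constructed table.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# RFC 6052 well-known NAT64 prefix (assumed here; deployments may use their own /96).
WKP = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed DNS zone: one IPv4-only name, one dual-stack name.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "www.example.com": {"A": ["192.0.2.10"]},
    "v6.example.com": {"A": ["192.0.2.11"], "AAAA": ["2001:db8::1"]},
}

# Constructed stateless NAT46 (INAT) table: IPv4 address clients dial -> real IPv6 server.
INAT_TABLE: Dict[str, str] = {"203.0.113.80": "2001:db8:1::80"}


def embed_ipv4(v4: str, prefix: ipaddress.IPv6Network = WKP) -> ipaddress.IPv6Address:
    """IPv4-embedded IPv6 address: with a /96 prefix the IPv4 address is the low 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 prefixes only")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def extract_ipv4(v6: str, prefix: ipaddress.IPv6Network = WKP) -> ipaddress.IPv4Address:
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        raise ValueError("not an address synthesized under the NAT64 prefix")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def dns64_answer(name: str, zone=ZONE, prefix=WKP) -> List[str]:
    """DNS64: answer an AAAA query with native AAAA records when they exist,
    otherwise synthesize AAAA records from the A records under the NAT64 prefix."""
    rr = zone.get(name, {})
    if rr.get("AAAA"):
        return list(rr["AAAA"])  # native IPv6: traffic bypasses NAT64 entirely
    return [str(embed_ipv4(a, prefix)) for a in rr.get("A", [])]


class StatefulNAT64:
    """Session table of a stateful NAT64: many IPv6 clients share one IPv4 address,
    distinguished by the translated source port."""

    def __init__(self, nat_ipv4: str, prefix=WKP):
        self.nat_ipv4 = str(ipaddress.IPv4Address(nat_ipv4))
        self.prefix = prefix
        self._next_port = 1024
        self._out: Dict[Tuple, int] = {}   # (src6, sport, dst4, dport, proto) -> mapped port
        self._in: Dict[Tuple, Tuple] = {}  # (mapped port, proto) -> (src6, sport, dst4)

    def outbound(self, src6: str, sport: int, dst6: str, dport: int, proto="tcp"):
        """IPv6 -> IPv4: rewrite to (nat_ipv4, mapped port) -> (dst4, dport)."""
        dst4 = str(extract_ipv4(dst6, self.prefix))
        key = (src6, sport, dst4, dport, proto)
        if key not in self._out:
            self._out[key] = self._next_port
            self._in[(self._next_port, proto)] = (src6, sport, dst4)
            self._next_port += 1
        return self.nat_ipv4, self._out[key], dst4, dport

    def inbound(self, src4: str, sport: int, dst4: str, dport: int, proto="tcp"):
        """IPv4 -> IPv6 reply: only packets matching an existing session from the same
        IPv4 peer are translated; anything else is dropped (None)."""
        state = self._in.get((dport, proto))
        if dst4 != self.nat_ipv4 or state is None or state[2] != src4:
            return None
        src6, client_port, _ = state
        return str(embed_ipv4(src4, self.prefix)), sport, src6, client_port


def nat46_lookup(dst4: str, table=INAT_TABLE) -> Optional[str]:
    """Stateless NAT46: the IPv4 destination maps statically to the IPv6 server."""
    return table.get(dst4)
```

The stateful direction is the one that needs a connection table and therefore the one that needs a timeout and size limit in a real translator; unsolicited IPv4 packets towards the shared NAT address are dropped because no session matches them.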
side authentication (what the user presents to NetScaler) versus server side authentication (what NetScaler presents to the backend on the user's behalf):
Client-side methods: CAC (smart card) at the SSL/TLS layer, HTTP Basic, form-based, Kerberos, NTLM
Server-side methods: Kerberos Constrained Delegation, HTTP (Basic, Digest, NTLM), non-Kerberos, SAML version 1, SAML version 2
(Support matrix: client-side methods as rows, server-side methods as columns)

Application Delivery Controllers: Powering Cloud, Mobile and Data Networks
• Cloud infrastructure: availability and performance, cloud scale, security and analytics, infinite flexibility
• Enterprise datacenter: any user, any device, any location, any application, any data/information
• Work better. Live better.

Application Layer Security: Automatic Signature Updates for the App Firewall
1. Enable signature protection
2. Tune / auto-update signatures
3. Enable advanced security
4. Tune security policies
Comprehensive application protection:
• Auto-update of signatures from cloud-based services
• Simplifies detection of known application vulnerabilities
• Shortens the Application Firewall deployment cycle
• Signatures based on public vulnerability databases (e.g. Snort, CVE, Bugtraq)
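The CSRF protection listed on the Integrated Application Firewall slide and the bi-directional inspection it relies on are a form-tagging check: the response side tags every HTML form, the request side verifies the tag on submission. The Python below is an added example of that mechanism and is not NetScaler's implementation; the hidden field name _ns_csrf, the per-process key, the site origin and the sample HTML are constructed.

```python
import hashlib
import hmac
import re
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs

SECRET = secrets.token_bytes(32)  # constructed per-process key; a real gateway persists and shares it
FIELD = "_ns_csrf"                # hidden field name (assumed, not NetScaler's)
SITE_ORIGIN = "https://app.example.com"

FORM_RE = re.compile(r"<form\b([^>]*)>", re.IGNORECASE)
ACTION_RE = re.compile(r"""action\s*=\s*["']([^"']*)["']""", re.IGNORECASE)
TAG_RE = re.compile(rf'name="{FIELD}" value="([0-9a-f]{{64}})"')


def csrf_tag(session_id: str, action: str, key: bytes = SECRET) -> str:
    """Token bound to the user's session and the form's action, so a token leaked
    from one user or one form cannot be replayed against another."""
    msg = session_id.encode() + b"\x00" + action.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def tag_response(html: str, session_id: str, key: bytes = SECRET) -> str:
    """Response side of bi-directional inspection: add a hidden token to every form."""
    def add_token(m: re.Match) -> str:
        found = ACTION_RE.search(m.group(1))
        action = found.group(1) if found else ""
        token = csrf_tag(session_id, action, key)
        return f'{m.group(0)}<input type="hidden" name="{FIELD}" value="{token}">'
    return FORM_RE.sub(add_token, html)


def extract_tag(html: str) -> Optional[str]:
    """Read the token back out of a tagged form (what a browser submits)."""
    found = TAG_RE.search(html)
    return found.group(1) if found else None


def validate_request(method: str, action: str, body: str, session_id: str,
                     origin: Optional[str] = None, key: bytes = SECRET) -> Tuple[bool, str]:
    """Request side: state-changing requests must carry the tag issued for this
    session and this action. Safe methods are not tagged and pass through."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    if origin is not None and origin != SITE_ORIGIN:
        return False, "cross-origin submission"
    supplied = parse_qs(body).get(FIELD, [""])[0]
    expected = csrf_tag(session_id, action, key)
    if not hmac.compare_digest(supplied, expected):  # constant-time compare
        return False, "missing or invalid CSRF tag"
    return True, "tag valid"
```

Binding the tag to both the session and the form action is what makes the check hold up when an attacker already holds a valid tag for a different page: a token captured from one form does not validate a submission to another.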
Vulnerability Scanner Integration
• IBM AppScan and WhiteHat run periodic scans against the protected website
• The scan result files are imported into NetScaler (as application firewall signatures)

Front End Optimization
• Caching
• Stream optimization
• Image optimization
• Payload reduction
• Mobile optimization
• Video optimization

SAML (Security Assertion Markup Language)
• XML-based standard for exchanging authentication information
• Better security compared to a cookie-based approach
• Treated as the authentication protocol for the cloud
• Solves the SSO problem at the web browser layer
• Logical security domains: identity provider (producer of assertions) and service provider (consumer of assertions)