Inside Citrix – The FlexCast Management ArchitectureInside Citrix chapter fifteen – The one with the NetScalerGateway and ADCAlthough considered as an optional component to the FMA, you rarely see a full-blown Citrixenvironment without one. It is often referred to as Citrix’s personal Swiss Army knife because ofits flexibility and numerous capabilities when it comes to handling inbound and outboundnetwork traffic. The Citrix NetScaler Gateway is by far the best-known ‘edition’ of theNetScaler. But what most people do not realise is that the Gateway functionality built into theNetScaler is only about 5% (well, maybe 10) of what it is capable of. In fact, the Citrix NetScaleris often used for very large-scale deployments, which do not even include Citrix XenDesktopand/or XenApp. Let me elaborate a bit more on this.The NetScaler ADC and GatewayMost of the confusion starts with the terms Citrix NetScaler and Citrix NetScaler Gateway.Although they sound very similar, and they do have an overlap, there are multiple differencesdepending on the licenses used.Citrix NetScaler refers to their Application Delivery Controller, or ADC, line of products, whilethe NetScaler Gateway, formerly know as the Citrix Access Gateway, or CAG, is primarily usedfor secure remote access to XenDesktop and/or XenApp environments.You basically buy a ‘normal’ NetScaler but with limited functionality due to the NetScalerGateway License you upload. NetScaler ADCs are capable of doing much more than ‘just’remote access: they can be used for load balancing and HA, content switching, applicationoffloading, application firewalling, cloud connectivity, hybrid cloud solutions, and much more.Multiple books have been written on each of these subjects independently. In fact, you mightwant to give Marius Sandbu a Google, or look him up on Amazon: he has written some veryexciting stuff around NetScaler.Physical and virtual appliancesA NetScaler (ADC or Gateway) appliance can either be physical or virtual. If you decide to govirtual, be aware that the underlying Hypervisor, or virtual machine, that it runs on needs to havesufficient resources to handle your external connections, SSL offload and whatnot. As far as thephysical appliances are concerned, Citrix offers a whole range to choose from. Depending on thephysical model you choose, your network throughput will increase (this goes for the virtualplatforms as well), as does the amount of RAM and/or dedicated SSL chip capabilities.FMA fact: Just recently, Citrix introduced the CPX model, which is Citrix’scontainerized version of NetScaler; mainly used for testing and development use cases. Itis still in tech preview at the time of writing.1

Inside Citrix – The FlexCast Management ArchitectureA NetScaler VPX is a virtual appliance which runs on your Hypervisor of choice; a NetScalerMPX is a physical appliance; and last but not least, a NetScaler SDX is a physical appliance(running a customised edition XenServer) which is capable of running multiple VPX appliances,up to 80 in total, depending on your underlying physical resources. It comes with a (branded)XenServer pre-installed. Check out the main Citrix NetScaler products page over at itwill provide you with an overview of all physical as well as virtual models available.Typical NetScaler Gateway setupADC Edition licensesNo matter which type or model of ADC NetScaler you pick, you have three different editionlicenses to choose from (a.k.a. as platform licenses): Standard, Enterprise or Platinum.Depending on the edition you purchase, different functionality becomes available after youupload your license file. NetScalers are upgraded using the so-called pay-as-you-grow model.FMA fact: While there is a separate NetScaler Gateway license available, also know thateach ‘normal’ ADC NetScaler (Standard, Enterprise or Platinum license) includes theGateway functionality by default: no additional licenses needed.Let’s say you start out with a Standard NetScaler license, never mind the physical or virtualunderlying platform, and after a while it turns out you need certain functionality not availablewithin the Standard license portfolio. Next you simply buy an Enterprise license providing youwith the feature(s), you need (like Dynamic content caching, for example) and all you have to dois upload the license file and you are good to go.A bit more on licensingOther NetScaler licenses include: Internal, Partner use, Demo, Evaluation, Express, Developerand/or VPX. Licenses are assigned to physical and virtual appliances. NetScaler SDX appliancesrequire licenses for each physical appliance and each virtual instance. Although NetScaler VPXedition licenses are handled and purchased separately, they work in the same way as the ADCMPX and SDX licenses as far as feature enablement goes; the same applies to ‘Burst Packs’, bythe way, read on 2

Inside Citrix – The FlexCast Management ArchitectureBurst packsCitrix also offers ‘Burst Pack’ licenses. When applied these will temporarily increase the networkthroughput capabilities of your NetScaler appliance (physical and virtual). This way you canhandle sudden, and perhaps unforeseen, traffic spikes without having to heavily invest in newhardware.Make sure you check out the Citrix NetScaler data sheet: it will show you all the differentfeatures available per edition. It’s a lot to take in, so take your time and if you’re not sure aboutwhat you’re reading, it’s probably best to contact one of your Citrix sales representatives.From a high-level perspective, when purchasing a Citrix NetScaler follow these steps: First you need to decide which physical or virtual model to go with: think about theamount of network throughput you may need, SSL offloading capabilities, that sort ofthing.Next, depending on specific features or functions you would like to use, you choose youredition (platform) license. So if it is the Gateway functionality you are looking for, gowith the Gateway license.Finally you may want to purchase a maintenance contract with Citrix: they come in gold,silver or bronze, representing three, two or one year (s) of support. Contact your Citrixrepresentative for more information.FMA fact: The virtual NetScaler (VPX) can handle up to 1500 concurrent ICA connections(supported by Citrix, theoretically it can handle more). If you need more, then you’ll have toupgrade and purchase a physical MPX appliance, which, depending on the model, can handleanything ranging from 10,000 to 35,000 concurrent ICA connections at a time.UniversalNext to the Access Gateway Edition, or platform license, you might also need an AccessGateway universal license, a.k.a. a Concurrent User license (CCU). This license enables theAccess Gateway Enterprise edition appliance to support a specific number of concurrent usersto make use of features like full SSL VPNs, Smart Access Endpoint Analysis, Clientless Accessto the websites or Micro VPNs in the case of Citrix XenMobile. Note that the total number ofconcurrent user sessions logged onto a NetScaler Gateway virtual server cannot exceed thelicense count defined in the NetScaler Gateway universal license.FMA fact: There’s a lot of overlap between the two (ADC and Gateway): it basically allcomes down to the license you purchase and upload, with the NetScaler Gateway licensebeing the most ‘basic’ one.3

Inside Citrix – The FlexCast Management ArchitectureNote that these licenses also apply to the ADC NetScaler family highlighted earlier, and that theyare optional: you don’t necessarily need them. The NetScaler Gateway is available as a virtualappliance as well as physical and upgrading, if it’s more than standard Gateway functionality thatyou need; also works by uploading a Standard, Enterprise or Platinum (ADC) license.Basic NetScaler terminologyNetScalers can be hard to get: if it is not the licensing that will get your head spinning, then itwill be the terminology used within NetScaler configurations to get things up and running. HereI will provide you with the basics that you will need to know to get started.Virtual serversThe NetScaler uses vServers (virtual servers) to deliver different kinds of services and they comein several different tastes; for example, you can have a virtual server for secure gateway purposes,handling secure remote access for your users. You can have a virtual server to load balancetraffic, one to handle content switching or VPN access etc. Needless to say, you can, andprobably will have, multiple virtual servers on your NetScaler at any given time. A vServer iswhat they call a logical object.However, it doesn’t really matter what kind or type of virtual server we want to implement: thereare a few basic steps, which will (almost) always need to be taken care of.Think of the NetScaler virtual server as the first point of contact (though a firewall will probablysit in front) from an external user perspective when trying to access resources from your internalnetwork: it is where the external connection terminates and the NetScaler takes over. A virtualserver will have a VIP, or virtual IP address, which will be ‘known’ on the outside. Besides aVIP, it will also have a name (primarily used for administration purposes), including a definitionof the protocol and port it will support.Service and server objectsOnce a virtual server has been configured, one of the next steps will include the set-up andconfiguration of a so-called service object. A service object basically represents an applicationrunning on one of your back-end systems, like HTTP, when dealing with web server requests.This is how it would work. First we create a service object and give it a name, again primarily foradministration purposes; then within the service object we tell it to what type of protocol andport number it should apply its magic and last but not least, to which physical or virtual back-endserver it should forward the actual requests, HTTP in this case. Once done, the service objectand the virtual server will be bound together, a process referred to as binding.To help the service object in actually finding the physical or virtual back-end system, asmentioned above, we will also need to create and configure a server object (don’t get confused,yes, we have server and service objects) which we will then need to bind to the earlier createdservice object. The server object will also have a name within the NetScaler configuration, justlike the virtual server and service object, and it will point to the IP address or FQDN of theactual back-end system handling the HTTP requests, one server object per back-end web server.4

Inside Citrix – The FlexCast Management ArchitectureA quick résuméWe have our virtual server, which has a VIP or virtual IP address, a name, protocol and portnumber. The virtual server is then bound to a service object, while the service object is bound toa server object, which points to the actual physical or virtual back-end server handling the HTTPrequests. Are you still with me?Time to monitorLoad balancing, when implemented / configured, will take place at a virtual server / serviceobject level. Obviously there will need to be a way for the virtual server to monitor the serviceobjects on the back-end system it is load balancing to. Also see the image on the next page.Otherwise, if one or multiple of those services become unavailable (down), because theaccompanying back-end system has crashed, and the virtual server doesn’t know about it, it willkeep load-balancing requests to those service objects resulting in 404 errors, the requestedresource is not available. Enter monitors A monitor is another logical object that sits in between the service and the server object (notethat it is bound to the service object) and constantly monitors the overall health and availabilityof the physical or virtual back-end systems (the services on it) handling the actual HTTPrequests. As soon as a monitor notices that a back-end system, or the services on it, becomesunresponsive it will show the accompanying service, that it has been bound to, as down withinthe NetScaler management console, and it will stop sending traffic its way.NetScaler objectsNetScaler IP AddressThe NSIP address (NetScaler IP Address) is the IP address which is used by the Administratorto manage and configure the NetScaler; it is also referred to as the Management IP Address. It ismandatory when setting up and configuring the NetScaler for the first time: there can only beone NSIP address, it cannot be removed and when it’s changed you will have to reboot theNetScaler.Subnet IP AddressA SNIP (Subnet IP Address) is used for server side connections, meaning that this address willbe used to route traffic from or through the NetScaler to a subnet directly connected to theNetScaler. The NetScaler has a mode named USNIP (Use SNIP), which is enabled by default,5

Inside Citrix – The FlexCast Management Architecturethis causes the SNIP address to be used as the source address when sending packets from theNetScaler to the internal network.When a SNIP address is configured, a corresponding route is added to the NetScaler’s routingtable, which is used to determine the optimal route from the NetScaler to the internal network.If it detects the SNIP address to be part of the route it will use it to pass through the networktraffic using the SNIP address as its source. A SNIP address is not mandatory. In a multiplesubnet scenario you will have to configure a SNIP (or MIP: I’ll discuss this in a minute) addressfor each subnet separately. Also, when multiple SNIP addresses are configured on the samesubnet, they will be used in a round robin fashion. By default, a SNIP address is not bound to aNetScaler interface; all network traffic is transmitted on all interfaces. So you could say that it’scloser to a network hub than anything else. Fortunately, you have a few options in binding SNIPaddresses to a NetScaler interface, or multiple, when needed.FMA fact: A NetScaler SNIP address is probably best compared to a layer 3 routing tableentry. Not only does it tell the NetScaler that it has a connection to a specific network, soit is ‘known’, it also tells it how and where to reach it so that it is able to route networktraffic its way.Mapped IP AddressThe NetScaler has a feature referred to as USNIP, use Subnet IP, which is enabled by default. Ifthis ‘mode’ is disabled, then no SNIP addresses can or will be used. Ok, so what then, you ask?Or what if you have a subnet connected to the NetScaler without a SNIP address configured?This is where the Mapped IP Address comes into play.If a MIP (Mapped IP) address is configured it would be used as the source IP address if theabovementioned USNIP mode is set to disabled or when no SNIP addresses are available.Also, when used in conjunction with a SNIP address, if they both reside on the same subnet, forexample, a MIP address might also be used as a source IP address when routing traffic from theNetScaler. However, only if the MIP address is the first address on the subnet will a route beadded to the NetScaler routing table.6

Inside Citrix – The FlexCast Management ArchitectureNetScaler internalsNetScaler Default routeWhen configuring a NetScaler from scratch it will also ask you for a default route, which willfunction as the default gateway for the NetScaler. Without any internal routes known to theNetScaler, in the form of a SNIP or MIP address, it wouldn’t know what to do with the receivedtraffic or where to send it. It will then send out all traffic over its default route, back onto theInternet where it probably came from to begin with.FMA fact: You can also configure a SNIP address as a management IP, instead of, or bettersaid, alongside the NSIP address used to manage your NetScaler.Note that internal network traffic can also be sent through the NetScaler: this is not uncommonwhen load-balancing traffic destined for StoreFront and/or Delivery Controllers using a loadbalance virtual server.When traffic is routed using one of the NetScaler’s SNIP addresses, the source address of the IPpackets changes into that of the SNIP address, which makes sense since it will route traffic tosubnets directly connected to the NetScaler. When multiple SNIP addresses have access to thesame subnet, the SNIP which sits closest to the actual target will be used.A SNIP address is not mandatory when setting up and configuring your NetScaler. The use ofso-called net profiles is also optional; they can be used to predefine which SNIP should be usedfor back-end communication. When firewalls are in place this also helps in simplifying thecreation of ACL rules, since only one address will need to be defined.Static routesLet me give you an example to try and explain what a static route might look like. Let’s say youneed access to a resource which is located on network D, but you will have to go through, orcontact, network A to get there. Well, that’s basically it. You give the NetScaler a specific path to7

Inside Citrix – The FlexCast Management Architecturefollow when a certain network or resource needs to be addressed. It will be listed as a staticroute.Let’s say you have a SNIP configured on your NetScaler connecting you to subnet A. On yourinternal network you also have a subnet D, but it isn’t directly reachable from the NetScaler.Traffic will have to travel over, or through, subnet A, which is connected to a routing deviceconnecting it to subnet D. SNIP addresses only work with directly reachable subnets / networks,so adding an additional SNIP for subnet D won’t work.Instead you need to configure a static route (add route) telling the NetScaler to route networktraffic destined for subnet D over, or through, subnet A, including the IP address of the routingdevice connected to subnet D. Here the same rules apply as before, if no ‘known’ route tosubnet D is configured, the NetScaler will forward all traffic to its default route highlightedearlier.Static routeThe NetScaler Unified GatewayNot too long ago, as part of the NetScaler 11.0 release Citrix, announced the NetScaler UnifiedGateway. In simple terms it comes down to a single vServer receiving all inbound traffic, whichwill then be routed to the appropriate virtual servers that are bound to the Unified Gatewayvirtual server, making it possible to access multiple services (as configured on the internal virtualservers) by using just a single IP address / URL. And while the technologies behind it aren’treally new (they basically made use of existing technologies like Content Switching, Client Accessand Bookmarks) it does offer some additional benefits. The Universal Gateway virtual server canbe paired with a NetScaler Gateway virtual server, to secure remote access where and whenneeded, including one or multiple load-balancing virtual servers. Some of the added advantagesinclude: A single IP address / URL to access multiple back-end services like: XenDesktop /XenApp applications and desktops, mobile and web applications hosted by XenMobileand access to cloud resources. Freeing up the need for additional IP addresses.All known features of the NetScaler and XenDesktop platform can now be applied onone single platform while offering multiple back-end services, like: Single Sign-on, HDXand NetScaler Insight Services, End Point Analyses, RDP proxy, Content Switching,Smart Access Control etc.8

Inside Citrix – The FlexCast Management Architecture Triple A (AAA) support, which allows integration with cloud services Office 365 andSSO against existing NetScaler Load Balance servers.NetScaler Unified GatewayFMA fact: You can configure as many Unified Gateway virtual servers as you like or need.Securing NetScaler connectionsWhen connecting from a remote location we want to make sure that we are connecting to thetrusted company network and that it isn’t being spoofed in any way.In our case we would set up the Citrix NetScaler to function as a remote secure gat