What exactly is Netscaler and why do I need it?

Hi all,

I have a large Citrix farm which is showing its age, it has a Web interface 4. something and I'm being asked to upgrade it to a newer version of the web interface to support some recent two factor authentication.

I started looking up upgrading the web interface and saw Netscaler. I read this article as to its features, and it all sounds very impressive, but I'm just wondering, can anyone tell me please: do I need Netscaler AND a web interface?

One of the main features I can see that we would benefit from is the fact that you can maintain access to Citrix apps when outside of the network as it does some authentication wizardry... so am I right that if I bought a Netscaler as well as upgrading the web interface, the main benefits would be that one and possibly some better performance of the Citrix apps?
 
Can't say how they would apply to you as not my area of expertise, but be aware of the difference in pricing some of the options bring. As an example, the MPX5550 in its 3 flavours Standard, Enterprise and Platinum, the pricing for those I received were £4.8k, £8.3k and £11.8k + VAT and maintenance.

You could go for the dog's danglies though, and try a MPX9700 FIPS at £27.5k+
 
That's a lot of money. I'm even more glad I asked the question now :-)

Essentially I was wondering if it's possible to still just use a Web Interface or StoreFront without a Netscaler Gateway.
 
You've sort of skipped a few steps. How is this environment showing its age? What features aren't available to you? What do you want from a VDI environment?
 
How many people do you have accessing Citrix? It isn't a cheap product and depending on the size of the company and how many servers you have it may not be worth it.

We only have about 130 people accessing our system remotely and that will probably be a maximum of 30 people at any one time accessing it through Netscaler.

We have Netscaler implemented with Duo Security two-factor authentication and it wasn't the most easy thing to configure (Netscaler, not Duo Security). I believe we have the Netscaler VPX 1000 integrated with our Citrix XenApp 5 farm. I can't remember which license we have (Standard, Enterprise or Platinum).
What version of Citrix are you running? If you are running an older version StoreFront isn't available, but Web Interface will still be, obviously.

You normally can use Citrix Access Gateway as a web interface; it's one or the other really, as the Netscaler appliance is a web interface. We used to have RSA SecurID integrated when we used CAG.
 
We use Netscaler for remote access (DMZ) and also internally to load balance StoreFront 2.5 servers. You can get a free version to have a look at; it's fully functional, just limited to 10mbps. You can get a 90 day 1000mbps version as well.

Can be a bit daunting to configure one if you've never used it before; later ones have a slightly better HTML interface rather than Java (shudder).
 
Caged - don't really want VDI, I'm on about current XenApp.

Xez and Deathwish - Up to ~400 concurrent, 1500 total. I tried the free version once and managed to integrate our RSA, but wondering if it is really necessary if I can just use, like you say, CAG as a web interface. Running a mix of farms (4.5, 6 and 6.5) I want to aggregate through the same WI.
 
I don't consider myself to be an expert, but I do have some recent experience.

NetScalers are fantastic devices, they are also fantastically expensive (as physical appliances), and fantastically complicated.

They have dozens, if not hundreds, of uses: forward proxies, reverse proxies, load balancing, TCP offload, SSL offload, the list goes on and on. You will find, for example, that many e-commerce sites have NetScaler appliances in front of the web server farm.

If your goal is to provide remote access to 1500 users, then NetScalers might be a good choice, but so much depends on the rest of your architecture. For example, do you have a DMZ? Is it a single DMZ or double-hop DMZ? Do you already use virtualisation (XenServer, VMware, Hyper-V)?

A super simple configuration consisting of a pair of NetScaler VPX's, where there is only a NAT/firewall between you and the internet, would be fairly simple compared to a multiple site, double-hop DMZ design that requires no fewer than 8 appliances...

Finally a quick word about Web Interface and StoreFront. Web Interface is pretty much end-of-life, so whilst you can install it on NetScalers (it's an optional install, not a default), I really can't recommend it. You should be focusing on using StoreFront, which can't be installed on NetScalers. IIRC StoreFront 2.7 is compatible with everything from CPS4.5 right up to XA7.6, and will provide aggregation across multiple farms/versions.
 
Thanks for that Deviant.

Yes, we have a single DMZ. When I tried Netscaler using the free license I remember it was configured as just one virtual machine and it worked.

The reason I'm confused is that I don't need any of the features you mentioned, simply to provide remote access to the Citrix farm (I don't think it can offer access to SMB, SharePoint etc....). Imo the one feature which may be worth the cash is the SSL VPN it creates, giving access to Citrix apps from outside of your corporate network.

I thought as much regarding StoreFront, and thanks for clarifying. I am happy to replace WI with StoreFront, but wondered whether it was necessary to have a Netscaler in front of it.
 
OK, so just focusing on the Access Gateway components then.

The Access Gateway can operate in two modes.

The first is a nice simple ICA-proxy mode: no software required on the client device other than Receiver, and no licenses required, but it's ICA only. No SMB, no SharePoint, no OWA, just ICA.

The second mode is a full SSL VPN. You'll need either Platinum licenses or Gateway Universal licenses, and you also need the Gateway plugin installed on the client device; the advantage is that you can access pretty much anything on the network.

There is a third mode that offers some of the features of the full SSL VPN, but presented in a web portal GUI. Not one I've messed around with much.

And contrary to what I said earlier, VPX's are great for playing around with, and are great for some load balancing tasks, but as they lack the dedicated SSL offload hardware of a physical appliance, the SSL encryption/decryption must be handled by the CPU. The result is that a VPX will exhaust its CPU with as few as 50 connections.

You don't need a NetScaler in front of StoreFront, but they do make excellent load balancing devices; actually they are pretty much the only way to load balance StoreFront.
 
I just upgraded from CAG 4.5 to Netscaler Gateway VPX and it didn't include the VPX features like load balancing, even though it had Enterprise in the name. I think it was just an upgrade from our old license and not the full VPX Netscaler Enterprise.

The guy who set it up was a bit dumb I think. He set it up with the Netscaler in the DMZ and the internal network, with the SNIP in the internal network, but he went and requested rules as if the SNIP was in the DMZ and put the NSIP in the DMZ as well. The old config had the CAG in the DMZ and routed traffic to the internal network via the firewall. It seems less secure than the old config, but it is still a supported config.

The site only uses it for remote access, utilising the server desktop app. They don't use it internally. The Netscaler is meant to give an extra layer of security amongst other features like load balancing, app filtering, end point analysis and more.

StoreFront is a bit flaky: an IIS 40 mbyte HTTP server running on Windows Server. That is one of the reasons why people use Netscaler and don't just stick StoreFront on the WAN. Netscaler is made on FreeBSD.
 
I managed to convince the guy implementing the Netscaler that his firewall rules were wrong, and now it's set up correctly with no internal LAN SNIP and the firewall routes the traffic from the DMZ SNIP to the internal network.

It is now all working :)
 
they lack the dedicated SSL offload hardware of a physical appliance, the SSL encryption/decryption must be handled by the CPU. The result is that a VPX will exhaust its CPU with as few as 50 connections.

That could be the dealbreaker for an appliance over the VM then; there will be many more than 50 connections concurrently. Thanks for that, I didn't know that.

StoreFront is a bit flaky: an IIS 40 mbyte HTTP server running on Windows Server. That is one of the reasons why people use Netscaler and don't just stick StoreFront on the WAN. Netscaler is made on FreeBSD.

I see what you mean that having a Windows server on a WAN is more of a security flaw than a hardened appliance like Netscaler, but what do you mean about 40 mbyte?
 
If you want to allow remote access to Citrix, Netscaler Gateway is the best option; VPX will only support up to 500 ICA connections though.

Also regarding StoreFront, if you wish to support clientless HTML5 clients, you will have to move from Web Interface to StoreFront. Even though it may support back to PS 4.5 farms, it is a pain to get it to work and isn't supported by Citrix.
You should get away with a VPX, if not then a MPX 5500 series, and of course two in an HA pair for resilience :)
 
If you want to allow remote access to Citrix, Netscaler Gateway is the best option; VPX will only support up to 500 ICA connections though.

I just checked and it says 1500 on their datasheet.

Not sure an absolute is the best in this reference. We run VPX's (10.5) in our ESXi estate with SSL offloading on 2000+ connections and they don't break a sweat.

I thought this may be the case. Do you just use the hypervisor layer to do your HA for you?
 
I just checked and it says 1500 on their datasheet.

I thought this may be the case. Do you just use the hypervisor layer to do your HA for you?

No, we have Platinum licensing with two Netscalers in an HA pair, but it's an active/passive setup. Active/active is silly money.
 
If you want to allow remote access to Citrix, Netscaler Gateway is the best option; VPX will only support up to 500 ICA connections though.

Also regarding StoreFront, if you wish to support clientless HTML5 clients, you will have to move from Web Interface to StoreFront. Even though it may support back to PS 4.5 farms, it is a pain to get it to work and isn't supported by Citrix.
You should get away with a VPX, if not then a MPX 5500 series, and of course two in an HA pair for resilience :)

We went with StoreFront as Web Interface is EOL next year I think. Plus we wanted to virtualise everything and didn't see the need in virtualising the Web Interface that is currently physical, i.e. at this point you might as well use StoreFront as it's newer.
 