Shulou(Shulou.com)06/01 Report--

Preface

Today we will focus on what are the new features of Citrix NetScaler 11. Which of these functions belong to more exciting functions, and in terms of these functions, which of the solutions we may give to users can become a unique highlight. In terms of landing, it is necessary for our channel partners to use these capabilities to generate some best practices in the testing and integration process.

Today's Master Class is explained by me alone. Abroad, there are three lecturers to introduce the functions of the three dimensions of NetScaler 11.

As shown in the figure above, we can see diagrams of three dimensions. Today's presentation is mainly about the update of NetScaler 11 from these three dimensions: Unified Gateway (Unified Gateway), Telco (Telecommunication Network) and Core ADC (Application delivery).

UnifiedGateway (Unified Gateway)

First of all, let's start with Unified Gateway (Unified Gateway) to explain the updates of NetScaler products in this part. Unified Gateway (Unified Gateway) is a new name that only appeared in NetScaler 11. Essentially before, this feature was called Access Gateway, or AG; for short, until it became NetScaler Gateway, and now it's called Unified Gateway in version 11. The name changes all the time, but change always has its meaning. So where is this Unified Gateway reflected? Let's take a look at the following picture:

In this diagram, we can see that under the dimension of Unified Gateway, in addition to Unified Gateway itself, Smart Comtrol functions, Portal Customization, N-factor Authentiartion, Gateway Insight, GSLB Zone Preference have been added. We will introduce these six functions in this section. Before we introduce, let's take a look at a solution:

For this solution, I believe you all configure Gateway, so we can see that, in fact, in Citrix NetScaler Gateway or Citrix Access Gateway, we can configure some of the above configurations or applications. Including our ADC delivery, we do a traditional SSL × × ×, do a Micro × × × access (Micro × × × used in the Citrix XenMobile solution), and virtual desktops and applications ICA delivery and so on. Well, when you configure, you don't know if you have encountered some scenarios, and there will be some troublesome places. For example, in the scenario of a user, he needs to have two vServer of SSL × × ×, that is, he needs to have some ordinary SSL × × × dial-in, and at the same time, he needs to publish the ICA Proxy of Citrix XenApp/XenDesktop. If possible, the user also buys a Citrix XenMobile solution and needs Micro × × × access. So what do we usually do at this time? We generally ask the user to give three different FQDN, and then for each FQDN, each FQDN is bound to a NetScaler vServer. In such a configuration environment, users may complain that they can't do SSO when they visit! Users need to enter a domain name when accessing SSL × ×, then enter a user name and password in the login interface, enter another domain name when accessing the virtual desktop, and then enter a user name and password in the login interface.

This may also be relatively troublesome. In the new Unified Gateway, as shown in the figure above, you can see that there will be a unified URL in the NetScaler. The demons behind this unified URL can see that there are many different types of business applications. When we release this unified and URL to the public, we only need this unified URL. This is a very good solution to the problem of SSO, we only need a UI, after this UI is given to us, we only need to log in once to access these different business application types after URL, and based on SSO, we no longer need to enter a user name and password. In essence, the mode of SSO is realized through URL. If we adopt this new feature of NetScaler 11, when we encounter similar mixed deployment scenarios, we can dial in through a unified URL to achieve direct access to different types of publishing applications. This feature is the first feature we introduced, and it is also a highlight of NetScaler 11.

Well, based on a new feature such as Unified Gateway, or a new function, there are these three improvements for users. The first improvement is the user experience. The overall user experience will be better than the original experience, and we will continue to accept the specific advantages later; second, it is more secure; the third point for users is the greater flexibility in the integration of the solution, which is mainly applied to multiple data centers. For example, the typical data disaster preparedness architecture of two places and three centers.

In terms of improving the user experience, we know that there is no doubt that most of NetScaler's Gateway is based on Citrix XenApp/XenDesktop scenarios. However, it is also said that users are only used for the use of SSL × × functions, so there is such a trend that there is a special plug-in in NetScaler corresponding to this scenario. This plug-in is the client of SSL × ×. In previous versions, updates were actually stopped for a while, and this plug-in is just a plug-in based on Windows. At the same time, I have received feedback from some users that it is not available in NetScaler version 10. And if users deploy such a solution in a non-Citrix scenario and need to use a mobile terminal to access it, there is no such plug-in in the past, and the solution must be this Gateway plus their own software before the Gateway can run on the mobile terminal. Now in version 11, the mobile plug-in of Unified Gateway is provided specifically for mobile scenarios, even if the back end is not Citrix. The reason why Citrix is emphasized here is that when the back end is Citrix system software, we only need to install Citrix Receiver on the mobile terminal. If it's XenMobile, it's Worx Home. It's all based on Citrix. At the same time, if we are using Windows 10 to access, NetScaler 10.5 currently does not support plug-in for Windows 10 and needs to be upgraded to NetScaler 11.

The second point is that there will be a completely customized interface for improving the user experience. We know that when deploying Gateway, users will either or less have some customization requirements, mainly for the customization of the UI in the login interface. In NetScaer 11, a very big improvement has been made to meet this need, and the first big improvement is to make a theme. There are three different themes for users to choose from by default.

At the same time, as shown in the image above, we can clearly see that this is a login interface that has been completely customized and modified by the user. All the identified parts of this interface can be customized. Only part of the interface settings can be modified in the original interface. Now, basically, everything our eyes can see can be customized. In the past, the modified version also needs to modify the html code and css, but now if it is all open, it will save a lot of time for channel vendors and suppliers, especially for deployment and implementation engineers who do not know much about artists.

Here we can add a theme in which we can make such a customized change, including some of the background that you need to call in the theme. The above is some introduction to the user experience, and then we will introduce some aspects of security improvement.

In terms of security, we have added a new feature called SmartControl in NetScaler 11. Before, you probably know that NetScaler has a feature called SmartAccess. SmartAccess from the survey of most users that NetScaler has implemented and deployed, there are not many applications. SmartAccess itself is a good feature, but when implemented, it needs to be deployed on both sides. We need to configure the policy on NetScaler, and we also need to configure a corresponding policy on the back end of the software. Unified Gateway works in ICA Proxy mode by default, but in SSL × × environment, there are two working modes: one is transparent working mode, the other is proxy mode or TCP proxy mode. Let's go back to ICA Proxy. Only Citrix's NetScaler Gateway can understand the contents of the 32 channels in the ICA protocol that Citrix wants. The question is how does NetScaler switch the 32 subchannels of the ICA protocol? It turns out that such a thing is done through SmartAccess. In fact, one of the interesting things you will find in the new version 11 is that you will find that in addition to the original conversation strategy under Gateway, there is also an ICA strategy. The ICA policy is designed to do this, including that you can choose which users are fully controlled to access the following resources, and those that need to be restricted. Including copying, printing and down to whether you can copy and paste in the open Word, and so on. So SmartCotrol is the general name of this function.

If we can use SmartCotrol to implement and simplify the deployment of these features after configuration on NetScaler, this will undoubtedly greatly improve user access and configuration best practices. And why should this function be called this name independently? It is because in addition to the ICA policy, SmartCotrol can also control the access of SSL × ×, which is something that no other SSL device can do.

At the same time, for the security of NetScaler, on the other hand, NetScaler is such a solution for visualization. We know that there are many visualization solutions on the market, and among these visualization solutions, they are nothing more than NPM or APM and BPM. One of the biggest problems with these visualization solutions is that if your environment runs away from the traffic of the Citrix environment, then these visualization solutions have no effect on Citrix, because these software do not understand the ICA protocol content of Citrix, and some visualization providers will be forced to install an Agent in the software layer of Citrix, such as DDC and StoreFront. Pull something out through this Agent and send it to their entire report phone engine to form a report. But in this way, according to our recent cases, users feel that the loss outweighs the gain, and even there has been a failure and trouble in some user scenarios. On the other hand, Citrix provides a visual solution for the products it delivers. The most attractive thing for users in this area is the visual solution of HDX Insight provided by Citrix when doing desktop delivery.

First of all, this solution is aimed at Citrix's own environment, and second, it is very simple for users, and only need to access NetScaler when deploying. NetScaler enables the function of data collection and uploads it to the report generation engine. If the user's environment does not have such a report generation tool, then Citrix also provides a special tool-Insight Center. At present, it is a virtual machine based on virtualization. Users only need to download and import, simple configuration can be used. In Insight Center, users can see the status and traffic in the current ICA. For example, in the implementation of some VDI projects, the user response slows down after a period of time, so you need a piece of software to analyze what is slow. In the past, everyone used performance testing tools to see and test, and most of them were blind to touch the elephant, and some users even invited some people from APM manufacturers to do analysis. But the results of the analysis may not be satisfactory. Now with Insight Center, everything becomes very clear, and if the user slows down, it is clear at a glance where the user is busy. And the report is very simple and easy to understand. At the same time, it can also be integrated with some data mining software, such as Splunk.

For NetScaler visualization, how the user's access behavior flow is visualized. For the user, the user's request is first sent to the gateway,gateway and forwarded to the background business system, such as the Citrix environment. When the data passes through NetScaler, NetScaler will do an operation to send the data to Insight Center in the form of AppFlow. In Insight Center, there are two Insight, one is HDX-based Insight and the other is Web-based Insight. HDX's Insight is aimed at Citrix's virtual desktops and applications, which spit out the Citrix-based data and send it to Insight Center. Web's Insight is a Web-based application where data can be spit out and sent to Insight Center. Insight Center also has a big improvement in version 11. When using visualization, the most important thing is to check the service AppFlow on NetScaler. At 10.5, this feature is turned on by default, and it is recommended to turn it off when we do not use it.

So what can we see on Insight Center? As shown in the figure above, we can see the network information. This is more important information. As far as users are concerned, users can also integrate it into the NPM solution. NPM is a solution for network performance monitoring. When a probe is installed in the network, the probe will send the data flow to the data collection end, and the collection end will analyze it and generate a report. In Citrix, NetScaler acts as this probe, and then we spit out the traffic to do this through AppFlow. Why is it called AppFlow? there is a difference. Flow was originally invented by Cisco. It is called NetFlow,NetFlow, which is a data exchange method. Its working principle is: NetFlow uses the standard exchange mode to process the first IP packet data of the data stream, generates NetFlow cache, and then the same data is transmitted in the same data stream based on the cache information, no longer matching the relevant access control and other policies. The NetFlow cache also contains statistics for subsequent data streams. The information that NetFlow can see is relatively simple, such as source address, destination address, source port, destination port and other basic information. But for Web access, we need to see more things, including URL, directories, browsers, etc., of course, the most important thing is to be able to see these things in the ICA protocol. So Citrix is based on Flow, and the development extends AppFlow.

Next, we will introduce some things about multi-factor authentication. Before, you may think that NetScaler is a little weak in the area of multi-factor certification. Where is it? For example, users want users to see different UI interfaces after authentication, but my implementation before version 11 is more troublesome, because as you may know, NetScaler is placed together for authentication, including login interface and login interface. So for the new NeScaler 11, there are Dynamic Auth Flow, Extensible to any number, Policy based decisions, EPA based selection, UI generation usingLoginSchema and so on. EPA based selection is the most important thing to decide whether to allow access after scanning the terminal, especially UI generation usingLoginSchema. We can display different UI according to the different permissions of authenticated users. Of course, if we have a software environment, such as StoreFront, then we can directly implement this function, but this function is mainly used in scenarios where there is no such software, and users need this function.

At the same time, the authentication section also supports the mode of SAML, SAML is the security declaration markup language, the full name in English is Security AssertionMarkup Language. It is an XML-based standard for exchanging authentication and authorization data between different security domains (security domain). The SAML standard defines the identity provider (identity provider) and the service provider (service provider), which constitute the different security domains mentioned earlier. Although SAML certification is not new to version 11, there will be some improvements, including SingleLogout for SAML, Redirect Binding, and so on, as shown in the figure above. If there are existing authentication scenarios where users need to use SAML, NetScaler can meet his needs very well.

As shown above, version 11 also introduces a new feature, GSLB Zone Preference. GSLB is the abbreviation of Global Server LoadBalance, which means global load balancing. Function: realize the traffic provisioning between servers in different regions on the wide area network (including the Internet) to ensure the use of the best server to serve the nearest customers, so as to ensure the quality of access. When deploying Gateway, NetScaler's GSLB functionality is rarely integrated in previous deployment scenarios. At the same time, in local DNS, there will be a problem with GSLB's Site choice, which is LDNS issue, and LDNS issue will become very large in some scenarios. For example, when we are in the network of Unicom, I may use LDNS, which may not be the best path when choosing a path. In this case, if we have multiple data center Citrix virtual desktop environments, then in StoreFront, the generated ICA protocol files to the user side, there may be conflicts or incorrect. As a result, users use LDNS to access virtual desktops, and although users use the GSLB of NetScaler to choose a preferred path at the front end of the access, StoreFron does not choose a preferred path or the correct background data center, which actually leads to a bad experience of the whole access. Then the user has to manually adjust a correct configuration or choose the best path to access.

Let's explain this problem in detail through the following picture:

In this picture, the user is in Washington, D. C., and its LDNS belongs to San Jose. If LDNS is San Jose, in the back-end data center, one belongs to San jose, as shown in the figure. The other is New York. Then through GSLB,GSLB, you can judge the best path by looking at the IP of the user's local LDNS. Because the LDNS of the user is San Jose, normally the user should go to the virtual desktop of San jose.

As shown in the figure, it is determined by GSLB at this time that the user has successfully accessed the Citrix NetScaler service Gateway of San Jose's data center. Whether it is to use dynamic or static nearest parties, it is normal to give an address of san jose. What about when you connect to gateway? The problem is StoreFront. StoreFront connects to DDC (Desktop DeliveryController), and finally DDC gives the available virtual desktop information, including IP address and login credentials, and so on.

As shown in the figure, if StoreFront went to the DDC of New York to get the virtual desktop information, then the end user's virtual desktop access would look like this:

So this is obviously an unfriendly experience.

The solution to this problem is that in version 11, there is a linkage between GSLB and StoreFront to solve this problem, which is the GSLB Zone Preference function. So how exactly is it achieved?

First of all, in the case of GSLB, select a selection for GSLB. On the figure, there are three data centers on the far right and a StoreFront in the upper right corner.

For example, GSLB selects 1 at this time, in which GSLB will check the correspondence of the three data centers.

Then the requested data is given to StoreFront, and at this point, the GSLB of NetScaler has written the IP address of the preferred data center into the given data, telling StoreFront that the IP address at the back end should be selected.

Then StoreFront goes to the preferred data center to request the authentication information of the virtual desktop and the information needed to generate the ICA file from the DDC inside.

After getting the required information to generate the ICA file, StoreFront returns it to NetScaler,NetScale and returns it to the user.

As far as the user is concerned, after the local Citrix Receiver parses the ICA file, it can directly access the virtual desktop of the preferred data center.

So with this solution, when we encounter a similar integration of GSLB and Gateway, we can use this solution to solve the above problems perfectly.

At the end of Gateway, the last function, the RDP proxy, is introduced.

There is a specific strategy for RDP in the configuration, in which we can make some optimizations to the RDP protocol as shown in the figure above. So why is there such a function? We know that the traditional RDP is released to the external network through the firewall to do NAT port mapping. One of the problems is that there are loopholes in the RDP protocol, so * you can easily access our private network using the RDP protocol and use the RDP proxy of NetScaler version 11, so that we can avoid the risk of being *.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.