Choose your NetScaler … wisely
June 17, 2013
I spend a lot of my time breaking down the different models of Citrix NetScaler appliances and different Software Editions within the Citrix NetScaler portfolio.
I decided to set up a blog post about this since the path is usually pretty much (lengthy but) the same. This does not mean the answer is always easy, because there are a lot of questions that need to be answered.
The first thing I would like to get off my chest is the following: stop seeing/selling the Citrix NetScaler as a replacement for Secure Gateway. It is so much more than that. I often have discussions with various engineers and consultants telling me that Citrix NetScaler is so expensive for a Remote Access solution because Secure Gateway always used to be free. No offense, but a Citrix NetScaler solution belongs to the networking department, not (or only to a limited degree) the Citrix XenApp sysadmin department.
That leads me to the first difficult part of a Citrix NetScaler project: the adoption of the Citrix NetScaler appliances by the networking guys of an organization. They need to embrace the solution to make it a success. For some reason they too see it as a "Citrix" solution. For that reason one of the most important meetings to set up is usually with the networking guys, to explain the L3-L7 functionality of the Citrix NetScaler solution. When they realize it competes with F5, Juniper, Cisco, etc., then we are on the right track.
NetScaler Gateway or NetScaler Standard Edition
Usually the first question of a customer is regarding something simple like replacing the Remote Access solution. Since the NetScaler is going to be the main platform for publishing Citrix resources, a NetScaler Gateway can be considered a valid option. This is when I tell a customer it would be wise to spend a little extra on the NetScaler Standard Edition, since this would leverage the solution by having full load balancing capabilities (among others). When you compare prices between the NetScaler Gateway and NetScaler Standard Edition you will see that the Standard Edition is somewhat more expensive, but I for one think that it is worth the difference given the feature set that comes with the Standard Edition. Of course the NetScaler Gateway can always be upgraded to a NetScaler Standard Edition (or higher) if you will.
Another feature of Citrix NetScaler Standard Edition is the ability to run Citrix Web Interface on the appliance. Honestly, I think this is not really that important anymore since Citrix Web Interface is going to be replaced by Citrix StoreFront, and as of yet there are no plans to put StoreFront on the NetScaler (that I know of). Of course for some situations it can still be a feasible solution: there is still the ability to retire multiple Microsoft IIS servers by using Web Interface on Citrix NetScaler.
Virtual, Physical or Logical
I am aware this needs some explanation. Let's start off with the Virtual.
Virtual (or VPX)
I hardly ever, ever, ever sell the Citrix NetScaler VPX appliance. Only for lab or test environments, or for really small, small, small businesses where the use case is to implement a remote access solution for a small number of users.
It happens that customers come to me and tell me they are thinking of purchasing a Citrix NetScaler VPX solution and would like my advice, upon which we have this breakdown, which changes their mindset about going for the VPX solution. I have by no means any interest in selling MPX over VPX; I just give a breakdown of the pros and cons of the various solutions.
1. The first common mistake is the idea that VPX is cheaper because it is virtual (yes, assumptions, the foundation of every well thought out IT project :-)). Well, there goes the first bubble. Ask your Citrix Solution Advisor for an estimate of a Citrix NetScaler VPX 1000 and a Citrix NetScaler MPX 5550/5560 and you will be amazed.
2. No hypervisor resources guaranteed. The VPX platform runs on an organization's hypervisor. Whenever I ask a hypervisor support engineer whether they are overcommitting resources, the answer is hardly ever no. It would not even be the first time that I had to explain overcommitting in a hypervisor environment. In an overcommitted environment, important hardware resources are shared among multiple virtual instances, which means that hardware resources for the VPX are limited or not even guaranteed, since they are shared over multiple virtual instances.
3. No hardware acceleration. This one is pretty much in line with the above statement: the MPX has a hardware accelerator card for encrypting/decrypting SSL connections. Within a VPX you are dependent on the hardware resources of the hypervisor. Of course this one becomes more important when the number of connections is significant.
4. No need for an HA solution. This one may seem a little strange but it pops up once in a while: customers choosing a single Citrix NetScaler VPX appliance because they have VMware HA and DRS and rely on snapshotting of the VMs to make the solution highly available. Agreed, in some cases it might work, but it depends on what the accepted downtime is for the given solution. If this is a couple of hours or a day, that would be fine. You would have to keep in mind that a single appliance solution could require a full restore of the VM, depending on the issue. This means a restore from snapshot/backup, but could also be a new installation of the VM and a restore of the configuration. This requires the relevant know-how, which is not always present in my opinion. Also keep in mind that Citrix NetScaler VPX does not vMotion well; I've seen hanging Citrix NetScaler VMs during vMotion.
5. Bandwidth. A Citrix NetScaler VPX comes in different (bandwidth) flavors (5, 10, 200, 1000 and 3000). I have done a number of PoCs with the Citrix NetScaler VPX and have seen them fail miserably, at least with the 5 and 10, because the solution itself consumes bandwidth (I try to disregard the Express version, which is 5, as much as I can). It could be a solution though if you are using DSR (Direct Server Return) load balancing solutions (meaning that the traffic is not actually flowing through the NetScaler). The thing to remember is that the bandwidth of the VPX is end-to-end on all interfaces it has, so if you have a Citrix NetScaler VPX 1000 with 2 virtual interfaces, the 1000 Mbit is counted over all interfaces (so not 2 x 1000 Mbit).
Physical (or MPX)
Usually when I have given a customer some of the "drawbacks" listed above and convinced the networking guys of the networking features of the appliance, they tend towards the MPX platform.
1. Bandwidth. The bandwidth of an MPX is listed somewhat differently than that of its VPX variant. Citrix calls this "Kernel Bandwidth" or "L7 Bandwidth"; this last one can be a little bit confusing because it implies that L3 (or "dirty" load balancing) traffic would not count against the bandwidth limit. This is not the case.
Here is a list of the most commonly deployed appliances and their Kernel Bandwidth:
- MPX 5550 (0.5Gbps) (Upgradeable to an MPX 5560 (1Gbps) by software license);
- MPX 8200 (2.0Gbps) (Upgradeable to an MPX 8400(4Gbps) by software license);
- MPX 8400 (4.0Gbps) (Upgradeable to an MPX 8600(6Gbps) by software license).
More information on the different MPX platform models:
2. Rack space. Yes, as you might expect, an MPX appliance is physical, which means it requires rack space. For the entire 55xx and 8xxx range it is 1U per appliance, but still rack space.
Logical (or SDX)
A Citrix NetScaler SDX is a so-called hypervisor appliance. It runs on Citrix XenServer, but a special version of XenServer (with SR-IOV). In a nutshell it means that the Citrix NetScaler VPXs that run on this hypervisor have direct access to hardware resources. That's why the number of virtual appliances on the different models is limited.
I think the SDX will be the more common appliance for customers to acquire. There are a couple of reasons for this.
1. A lot of security compliance rules within companies do not allow machines to have a connection to a perimeter network (like a DMZ) and an internal network at the same time. Over time I see that customers are allowing more logical segregation of the network by machines that touch multiple networks, for instance hypervisors that have VMs in a perimeter network and an internal network. This is where a Citrix NetScaler SDX could be really beneficial. On the SDX you could have a Citrix NetScaler VPX for remote access on the perimeter network and a Citrix NetScaler VPX on the internal network for load balancing purposes.
2. Platinum Edition. On Citrix NetScaler SDX you can run multiple instances of Citrix NetScaler, and they are licensed with the Platinum Edition of Citrix NetScaler software. This means that the L7 App Firewall could/would/should be deployed on all of the Citrix NetScaler VPX appliances.
3. Upgrade MPX. Citrix has recently announced that even the Citrix NetScaler MPX 8400 can be upgraded to an SDX platform. This used to be possible only from the MPX 11500, which made it far-fetched for almost any company that I know. Since the MPX 8200 and 8400 are the same hardware, this means that there are upgrade paths from even the MPX 8200. The thing to keep in mind is that on a Citrix NetScaler SDX 8400 only 5 virtual appliances can be deployed.
4. Third party appliances. Citrix has opened up the SDX platform for third parties to create appliances for the SDX platform.
Other decisions that can be of influence
If your organization requires fiber connections, then you will have to purchase at least the Citrix NetScaler MPX 8200 series or higher. The 8200 comes with options for connecting SFP or SFP+ fiber connections.
Out of Band Management
If your organization requires Out-of-Band Management, you will have to purchase at least the Citrix NetScaler MPX 8200 series or higher.
Replacing Microsoft Forefront TMG
We do a lot of implementations where we replace Microsoft TMG with Citrix NetScaler as a Reverse Proxy solution. Since Microsoft has announced Microsoft TMG to be End-of-Life with no replacement product, Citrix NetScaler can take its place. Microsoft Exchange is one example of the solutions we publish through Citrix NetScaler. A big advantage of Citrix NetScaler is that it can integrate third party token authentication to add that extra layer of security when publishing your mail to users. (Keep in mind, Citrix NetScaler Enterprise Edition is the minimum requirement for AAA functionality.)
Security, Business and Technical
One of the first conversations I will have regarding a Citrix NetScaler project is with Security and Business. The reason for this is that they often have conflicting wishes and desires. Often the Business has many progressive plans for making possibilities work so that their users can work more productively. Yet, when Security finds out about these plans, they can conflict with security compliance. So, one of the first tasks is to make sure these departments align. If you do not give this the attention it needs, it will come back to you. Technical seems to be irrelevant, and it sort of is. Technically almost anything is possible with Citrix NetScaler; that's the reason why they are last in line.
Network and High Availability
The last item I would like to point out is the network (and High Availability) and the options there are using Citrix NetScaler. The Software Edition of a Citrix NetScaler is very much dependent on the type of network that exists at the customer. If a customer is running a single ISP and a single datacenter (or server location), a Citrix NetScaler Standard Edition with HA (High Availability) will suffice. It becomes more interesting when a customer has two datacenter locations which use different ISPs. Then a Citrix NetScaler Enterprise Edition in a GSLB configuration often/usually becomes the favored choice.
1. Single appliance. This I would never recommend.
2. HA (High Availability). This is the most common one used. You buy two appliances and they run in an Active/Passive cluster. They can be in the same subnet, or they can be in different subnets (INC mode). The drawback is that you buy 2 appliances and only use one. Available from Standard Edition and up.
3. GSLB. All appliances run standalone in a GSLB cluster. Very scalable solution. Often used when multiple datacenters are approached active/actively and/or multi-homed (multiple ISPs). Based on top-level authoritative DNS, for which it requires its own DNS name (space). All appliances actively participate within the configuration. A drawback could be that all appliances run standalone, so the configuration has to be identical on all appliances. Available from Enterprise Edition and up.
4. Cluster. Available since version 10. For me, I think this kind of implementation has a rather large footprint because of the demand for a dedicated network for cluster traffic and basically the need for a master node. This means that the minimum recommended number of appliances is three, whereas you actively use two. Requires a separate license, not present in any edition.
5. VRRP. This solution is used a lot in active/passive (core) switch configurations. It has been available on the Citrix NetScaler for some time. Within this solution all appliances run standalone. The same IPs are configured on multiple appliances but have a vrID assigned; the highest priority vrID is alive, and should that one fail, the second priority vrID comes alive. The advantage is that you can use all the appliances that you buy; however, you cannot load balance a resource over two active Citrix NetScaler appliances.
Be very aware of the VRRP type of implementation for two reasons:
- When using VRRP on a VPX you will have to configure the virtual switch in "Promiscuous Mode", which makes it a hub. Network admins will not be happy with you :-);
- When using VRRP and you have to load balance a solution like Microsoft Lync, which requires an SSL pass-through configuration (SSL_Bridge), this will lead to asynchronous (asymmetric) traffic. A solution would be to have the Lync server use the NetScaler as its gateway, but this will not be feasible when the resource fails over to the other NetScaler appliance.
In my (humble) opinion I would rather see VRRP disappear as an option altogether. I have not seen a workable solution based on VRRP yet.
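As an added illustration (not from the original post) of how the two most contrasting options above differ in NetScaler CLI terms: option 2 as an HA pair whose nodes sit in different subnets (INC mode), and option 5 as two standalone appliances sharing one VIP through VRRP priorities. All NSIP/VIP addresses and the interface name 1/1 are assumed placeholders, and lines starting with # are annotations rather than CLI input.

```text
# --- Option 2: HA pair, nodes in different subnets (INC mode) ---
# On node A (NSIP 192.0.2.11, assumed): register the peer and enable INC
add ha node 1 198.51.100.11 -inc ENABLED
set ha node -failSafe ON
save ns config
# On node B (NSIP 198.51.100.11, assumed): the mirror image
add ha node 1 192.0.2.11 -inc ENABLED
set ha node -failSafe ON
save ns config

# --- Option 5: VRRP, both appliances standalone, same VIP on each ---
# On node A: highest priority, so it owns the VIP while it is alive
add vrID 10
bind vrID 10 -ifnum 1/1
set vrID 10 -priority 200
add ns ip 203.0.113.10 255.255.255.0 -type VIP -vrID 10
save ns config
# On node B: lower priority, takes over only when node A stops advertising
add vrID 10
bind vrID 10 -ifnum 1/1
set vrID 10 -priority 100
add ns ip 203.0.113.10 255.255.255.0 -type VIP -vrID 10
save ns config
```

Note that in the VRRP case nothing synchronizes the rest of the configuration between the two nodes, which is exactly the "configuration has to be identical on all appliances" burden described above.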
As I stated earlier, I have no gain in customers buying one or the other. The outline above is purely based on my experience of advising on Citrix NetScaler for years now. The choice of a Citrix NetScaler solution may look complex but often is logical, based on security compliance, business needs, datacenter locations, number of ISPs, etc.
So, this is it. I hope this has some value for you to make some decisions regarding which NetScaler hardware or virtual appliance and software editions to acquire.