Citrix Netscaler 10 Summary Notes – Getting Started – Day 3

Networking 3 Minutes

Understanding the NetScaler

An Application L4-L7 Switch. Used for Web Applications. Functions as a TCP Proxy

Features:

  • Switching Features for optimal distribution of client requests
  • Security and protection Features protects web applications from application-layer attacks
  • Server-farm Optimization Features speeds up applications by offloading resource-intensive operations from the server

Placement

2013_09_13_13_18_21_Greenshot

Request Switching

  • Netscaler is deployed infront of a server farm as a transparent TCP proxy
  • No client side  config needed
  • Appliance can separate HTTP Request from TCP Connection request

Physical Deployment Modes

Inline Mode

  • The appliance has a separate network interface to each client network and a separate network interface to each server network
  • Appliance transparently applys L4-L7 features

One-Arm Mode

  • Only one network interface of the appliance is connected to an Ethernet segment
  • Does not isolate the client and server sides of the network

L2 Mode

  • Operates as an L2 device
  • Packets are forwarded if:
    • Destination MAC is for another device
    • Destination MAC is on a different interface
    • Interface is member of same VLAn (Default vlan =1 )

L3 Mode

NetScaler-Owned IP Addresses

NetScaler IP address (NSIP) – Management address + High Availability (HA) Communication

Mapped IP address (MIP) – For server side communication. Appliance changes source IP with MIP before sending to server

Virtual server IP address (VIP) – IP of a virtual server. Public IP that clients connect to

Subnet IP address (SNIP) – If multiple subnets, SNIP is MIP for each subnet

IP Set – Set of IP SNIPs or MIPs

Net Profile – contains an IP add or IP Set. Used for communication with physical servers

Traffic Flow Management

If Virtual Server is present

  • Clients connect to VIP address of the virtual server
  • Appliance sends request to the server using MIP or SNIP by default

If Virtual server is absent (Transparent Mode)

  • Client sends request using Source IP SIP
  • Nescaler changes SIP to MIP or SNIP but does not change destination IP  transparently forwards request to server
  • If server needs actual SIP, netscaler adjusts HTTP header and adds SIP as additional field or configured to use SIP instead of MIP or SNIP to connect to servers

Building blocks for Traffic Management

  • Helps separate traffic flows
  • Cliets access applications through the Virtual servers

Load Balancing

  • Create a service for every server
  • Bind the service to a virtual server
  • Create a monitor to track the service
  • Clients connect to the VIP. Netscaler sends to the server accordingly

Virtual Servers

  • Represented by Alphanumeric name + VIP + port + Protocol
  • Name is locally significant
  • Clients conect to VIP and not address of the physical server
  • Multiple virtual servers can use the same VIP but different protocols and ports
  • Deliver features like compression, caching, SSL offload
  • Multiple services can be bound to 1 virtual server

Load balancing virtual servers – redirects requests to appropriate server

Cache redirection virtual server – redirect requests for dynamic contect to origin servers and for static content to cache servers. Work in conjunction with load balancing virtual servers

Content Switching virtual server – redirect traffic on the basis of content requested. Work in conjunction with load balancing virtual servers

Virtual private network (VPN) virtual server – decrypts traffic and sends to intranet applications

SSL virtual server – receives and decrypts traffic then sends to appropriate server

Services

  • Represents applications on a server
  • Can exist in the absence of a virtual server
  • Point for applying features
  • Use entities (monitors) to track the health of the application
  • Every service has a default monitor (probes are sent at regular intervals to check state of service). If check fails – netscaler marks it as down.

Service-only mode

  • Appliance is proxy
  • Netscaler translates IP addresses, port numbers, and sequence numbers

Policies and Expression

  • Defines details on traffic filtering and management

2013_09_13_16_58_19_Greenshot

L7 Packet Flow Diagram for Netscaler

2013_09_13_17_43_10_Greenshot

  • Multipath TCP is a TCP extension specified in RFC6824 that allows endhosts to efficiently use multiple interfaces for a single TCP connection
  • SPYDY is an open networking protocol developed primarily at Google for transporting web content  with particular goals of reducing web page load latency and improving web security

Data Packet Flow Diagram (Supported by MySQL and MYSQL database)

2013_09_13_17_55_24_Greenshot

Published by CyberSecFaith

Published

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s