Citrix ADC 12.1 TDM Core NetScaler

Citrix ADC 12.1 TDM · ОЛЛИ Distribution · 2019. 10. 1.


  • Slide 1: Citrix ADC 12.1 TDM, Core NetScaler

  • Slide 2: Hybrid/Multi Cloud

  • Slide 3: vMotion Support of NetScaler (© 2018 Citrix | Confidential)

    • From this release, you can migrate a NetScaler VPX instance by using VMware vMotion.
    • VMXNET3 and E1000 interfaces are supported from NetScaler 11.0 onwards.
    • VPX 10 to 15G models are supported.
    • This was mainly a validation effort and was tested on ESX 6.0 and above.

    https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/install-vpx-on-esx.html

  • Slide 4: Support Multicore CPX

    • From this release CPX can support bandwidth greater than 1 Gbps and up to 10 Gbps.
    • Pooled capacity licenses on MAS can be leveraged to allocate bandwidth greater than 1 Gbps.
    • For example, if you license CPX with 5 Gbps, it will check out 1 count from the INSTANCE pool and 4 Gbps from the Platinum bandwidth pool; 1 Gbps is free (continuing the earlier behavior).
    • CPX can check out only from the Platinum bandwidth pool.
    • Users need to ensure that CPX is started with sufficient packet engines to achieve the licensed capacity.

    https://docs.citrix.com/en-us/netscaler-mas/12-1/license-server/netscaler-virtual-cpu-licensing.html#netscalercpx

  • Slide 5: Multi-Zone HA in AWS

  • Slide 6: Multi-Zone HA in AWS w/ EIP Support

    Combinations (Availability zone x Subnet):
    • Same AZ, Same Subnet
    • Different AZ, Same Subnet: Not Applicable*
    • Same AZ, Different Subnet
    • Different AZ, Different Subnet

    * In the same VPC, different AZs cannot have the same subnet

  • Slide 7: Initial Configuration to set up EIP Movement

    [Diagram: a VPC behind an IGW to the Internet; Primary and Secondary nodes each with a Mgmt EIP and EIP 1..n]

    • Both primary and secondary have an equal number of ENIs.
    • Other than the ENI meant for management, each ENI can have one or more private IPs attached.
    • A vserver should be configured to listen on one private IP on primary and one on secondary, using the ipset feature of the vserver.
    • The EIP is attached to the private IP on primary.
    • On failover, the EIP should move to the secondary private IP the vserver is listening on.

  • Slide 8: EIP Migration in case of failover

    [Diagram: Initial Primary (VIP_1, VIP_2, Mgmt_Pvt_IP, Mgmt_EIP) and Initial Secondary (VIP_1', VIP_2', Mgmt_Pvt_IP, Mgmt_EIP) behind the IGW; EIP_1 and EIP_2 move from VIP_1/VIP_2 to VIP_1'/VIP_2' on failover]

  • Slide 9: Two HA Solutions: INC & Non-INC

    Availability zone / Subnet combination and the HA mode it uses:
    • Same AZ, Same Subnet: ENI based HA (Non INC mode)
    • Different AZ, Same Subnet: Not Applicable*
    • Same AZ, Different Subnet: EIP based HA (INC mode)
    • Different AZ, Different Subnet: EIP based HA (INC mode)

    * In the same VPC, different AZs cannot have the same subnet

  • Slide 10: NetScaler Provisioning from MA Service in AWS

  • Slide 11: Workflow: Provisioning of VPX (Standalone) in AWS

    Citrix ADC Auto-Scale configuration pre-requisites: IAM role, IAM instance profile; create site, create cloud access profile, attach site to agent.
    1. Provision from Citrix ADM (MA Service): 1.1 basic settings, 1.2 provision profile.
    2. A new standalone VPX gets created in AWS.

    https://docs.citrix.com/en-us/netscaler-mas/netscaler-management-and-analytics-service/hybrid-multi-cloud-deployments/provisioning-vpx-aws.html

  • Slide 12: Provisioning of VPX in AWS (screenshots)

  • Slide 13: AWS Backend Auto-Scale

  • Slide 14: AWS Backend Auto-Scale Flow (diagram)

  • Slide 15: Scale OUT

    [Diagram: Autoscale Group in the Amazon cloud; trigger HIGH CPU > 70]
    • New servers are added to the AS group. NS autodetects them and load balances traffic to them.

  • Slide 16: Scale IN

    [Diagram: Autoscale Group; trigger Low CPU]

  • Slide 17: AWS Backend Auto-Scale GUI

    • Name of cloud profile
    • Virtual IP for the LB VIP to be created
    • Protocol
    • Autoscaling Group name
    • Graceful
    • Graceful makes sure servers are not deleted immediately. Enabled means that if connections are present, the server won't be deleted until 60 seconds have passed. Graceful NO means servers will be deleted when the scale-down event occurs.

  • Slide 18: Azure Backend Auto-Scale

  • Slide 19: Azure Back-End Auto Scaling

    • NetScaler VPX instances deployed on Azure now support autoscale with Azure virtual machine scale sets.
    • When integrated with the autoscale feature, NetScaler VPX instances provide improved:
      – Load balancing and load management
      – High availability
      – Network availability

    https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/deploy-vpx-on-azure/Autoscale.html

  • Slide 20: Backend Autoscaling Overview

    [Diagram: an Azure virtual machine scale set (VMSS) with Server 1 to Server 4 (min: 2, max: 4) scaling out and in; on the NetScaler side an LB vserver and ServiceGroup add and remove servers. NetScaler registers with Azure for scale in/out events and receives scale in/scale out notifications.]

  • Slide 21: Autoscaling event registration and notification (diagram)

  • Slide 22: NetScaler GUI: Azure Credentials page, Cloud Profile Creation page, new "Azure" tab on the left-hand side (screenshots)

  • Slide 23: VPX HA across Azure Availability Zones

  • Slide 24: Availability Set vs Availability Zones

    Availability Set:
    • One datacenter
    • Unless the entire datacenter is down, your workload will keep running. Rack-level availability.
    • 99.95% SLA
    • Available throughout

    Availability Zones:
    • Three datacenters
    • Even if one datacenter goes down, your workload will keep running. Datacenter-level availability.
    • 99.99% SLA
    • Limited (only available in certain Azure regions, more coming)

  • Slide 25: Citrix ADC HA using Availability Zones vs HA using Availability Set

    • Prefer HA using Availability Zones when the region supports at least two Availability Zones.
    • Azure SLA: 99.99% availability for Zones instead of 99.95% for Set.
    • Citrix ADC VPX experience: same, no functional difference.

  • Slide 26: HA using Availability Zones (diagram)

  • Slide 27: Changes as compared to HA deployment using Availability Set

    • Requires the Standard SKU instead of Basic for:
      – Load Balancer
      – Public IP (Static)
    • Use managed disks for VMs (OS disk)
    • Requires the Public IP to be static
    • Assign zones to the VM instead of an Availability Set
    • Use a different port for each VPX in the load-balancing rule

    Note: These changes are taken care of in the ARM template.

    https://azure.microsoft.com/en-in/pricing/details/ip-addresses/
    https://azure.microsoft.com/en-in/pricing/details/load-balancer/

  • Slide 28: Microservice Update

  • Slide 29: Application Journey – Deployment Implementation

    [Diagram: stages from "Static MPX/SDX/VPX with automated OSS proxy / CPX" to "Automated MPX/SDX/VPX". Panels: Static MPX/SDX with CPX or OSS LB (NGINX) as ingress device; MPX/VPX/SDX as advanced ingress device; Automated MPX (MPX as ingress device); CPX/OSS LB as ingress device. Each panel shows KubeProxy in front of sample apps (OJ, GJ, Tea, Cola).]

  • Slide 30: New Enhancements – Available End of Sept.

    • New Citrix Ingress Controller (CIC) for low-friction insertion:
      – Ingress controller as a stand-alone container for MPXs/SDXs/VPXs
      – Built into CPX (CPX + CIC)
    • Visibility using open source: Prometheus exporter container
      – Polls Citrix ADCs for counters and sends them to a Prometheus server. Grafana can display the stats.

  • Slide 31: VPX Express

  • Slide 32: VPX Express

    • VPX Express is a license-less variant of NetScaler VPX.
    • Available both on-premise and in the cloud.
    • No up-front cost commitments.
    • Aimed at prospective IT teams and our customers.
    • Lets them quickly deploy their applications and get a feel for our features.
    • For testing and prototyping needs.

  • Slide 33: GSLB

  • Slide 34: Multi-cloud GLB: Phase 1

    [Diagram: three sites, Enterprise US-west, AWS VPC Singapore and Azure VNet India, each with a GLB node in front of LB nodes; the GLB nodes exchange Metric Exchange Protocol (MEP) communication, and MA-SVC provides monitoring.]

    • Stylebook enhanced for multi-cloud/hybrid cloud use-cases
    • Supports static and proximity based GLB methods

  • Slide 35: Conventional Parent-child Topology

    [Diagram: the same three sites (Enterprise US-west, AWS VPC Singapore, Azure VNet India); each GLB node is a parent to NS-LB child nodes, with MEP communication between them and MA-SVC monitoring.]

    - Statistics collected from LB nodes using MEP
    - LB nodes should be NS
    - Needs GSLB configuration even on LB node

  • Slide 36: Multi-Cloud GLB Stylebook: Motivation

    • Eases the firewall configuration
    • Single window for managing all the GSLB sites: eases GSLB configuration
    • For a 2 GSLB site deployment:
      – Time taken for config sync using GSLB autosync: 90 seconds
      – Time taken for config sync using stylebook: 25 seconds
      – Savings will be more pronounced with larger configs

  • Slide 37: Multi-Cloud GLB Stylebook: Introduction

    • Enables easy and quick configuration across data centers that are distributed geographically.
    • Enables you to create, manage, and monitor GLB nodes across geographic locations from a single, unified console.
    • Provides the flexibility of moving part of your infrastructure to the cloud.
    • Supports various load balancing solutions such as NetScaler load balancer, ELB for AWS, or other third-party load balancers.
    • Supports active-passive topology for disaster recovery and ensures continuous availability of applications by protecting against points of failure.
    • Supports multiple global load balancing methods such as Round Robin, Static Proximity, Least Connection, and Round-Trip Time (RTT).
    • Supports site persistence: ConnectionProxy and HTTPRedirect.

  • Slide 38: Single Management Console

    • Key benefits:
      – Cloud transitions made easier
      – Cloud service provider agnostic management console
      – Eases the GSLB and firewall configuration

  • Slide 39: GSLB Service Groups (Enables Cloud Migration)

    [Diagram: GSLB spanning three sites: AWS-Singapore (ELB in front of the application), AWS-N.Virginia (ELB in front of the application) and on-prem (NetScaler LB in front of the application); the GSLB service groups reference ELB-1 and ELB-2.]

  • Slide 40: GSLB Domain Named Auto Scale Service Groups

    [Diagram: Site A (On-Prem) with GSLB1 Singapore and GSLB2 N.California behind a load balancer; Site B (AWS Cloud) with an ELB fronting auto-scaling backend servers, referenced as an AWS auto-scaling domain; the GSLB nodes talk MEP; the client resolves through its LDNS.]

  • Slide 41: GSLB Auto-Scaling Service Groups: Components of the Solution

    • GSLB vserver for www.vzdemo.com with an ADNS service
    • GSLB DBS service group for the Singapore ELB domain (ELB-Singapore-IP1, ELB-Singapore-IP2) with an HTTPS monitor
    • GSLB DBS service group for the N. Virginia ELB domain (ELB-Nvirginia-IP1, ELB-Nvirginia-IP2) with an HTTPS monitor

  • Slide 44: GeoIP Database & DNS Features

    Latest GeoDB
    • The IPv4 geolocation database shipping with the build is to be renewed; the GeoLite 2 IPv4 database is to be used.
    • An IPv6 geolocation database will be shipped with the build.

    Incremental improvements
    • DNS name server support over TCP: O365 domain names resolve to responses larger than 512 bytes; the TC bit is set and the name server retries over TCP (which fails today).

  • Slide 45: Convert Maxmind Geolocation DB to NetScaler Format

    Where is the geolocation database used?
    • Location based custom policies, e.g. block when CLIENT.IP.SRC.matches_location("Asia.India.*.*")
    • GSLB static proximity

    We ship IPv4 and IPv6 Maxmind DBs, so why do customers want their own DB?
    • Full version database
    • The geolocation database changes frequently; customers want the latest version of the database

    How do customers use their own DB today?
    • Buy/download the latest/full DB from Maxmind
    • Write code or outsource the conversion from Maxmind format to NetScaler format ($$$)

    What's new?
    • Support for a script to convert Maxmind format to NetScaler format for easy conversion

  • Slide 46: Networking

  • Slide 47: Class E IP address support

    • Amazon has an IPv4 address shortage and wants to use the Class E IP range for internal clients
      – 240.x.x.x to 253.x.x.x can now be used
      – 254.x.x.x to 255.x.x.x still reserved (for internal purposes)
    • Note: NetScaler will support the Class E IP address range (aka IPSET)

  • Slide 48: Stateful ACL

    • NetScaler must drop packets from the Internet for connections the clients did not initiate.

    Old behaviour
    • One has to add forwarding sessions or ACLs to allow responses from the Internet for requests the clients made.

    New behaviour
    • ACLs get a "-stateful" knob which, if enabled, creates sessions for the traffic hitting the ACL in a stateful fashion.
    • An ACL with DENY action is configured for packets coming from servers for which the clients did not initiate a request; those ACLs drop such packets (packet P1'), since P1' is not related to any client-initiated connection.

    [Diagram: Internet on one side, clients on the other, with the NetScaler in between.]
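An added example, not from the slides or Citrix code, that models the stateful ACL behaviour above in Python: a client-initiated flow creates a session entry, the matching return packet is allowed, and the unsolicited packet P1' hits the DENY path; with the stateful knob off, even the legitimate reply needs the old-style forwarding session. Class and function names are hypothetical and the packets are constructed.

```python
"""
Constructed model of the slide's '-stateful' ACL (hypothetical names).
ALLOW on an outbound, client-initiated packet records a session; an inbound
packet is allowed only if it matches a recorded session, otherwise it is
treated like P1' on the slide and dropped.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, str, int, int, str]   # (src, dst, sport, dport, proto)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    direction: str   # "out" = client towards Internet, "in" = Internet towards client


class StatefulAcl:
    def __init__(self, stateful: bool, internal_nets: List[str]) -> None:
        self.stateful = stateful               # the '-stateful' knob
        self.internal_nets = internal_nets     # prefixes that count as client side
        self.sessions: Dict[Key, int] = {}     # session table: flow key -> packets seen
        self.log: List[str] = []

    def _is_internal(self, ip: str) -> bool:
        return any(ip.startswith(net) for net in self.internal_nets)

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.src, p.dst, p.sport, p.dport, p.proto)

    @staticmethod
    def _reverse_key(p: Packet) -> Key:
        # a reply swaps source and destination, so look up the mirrored tuple
        return (p.dst, p.src, p.dport, p.sport, p.proto)

    def handle(self, p: Packet) -> str:
        """Return ALLOW or DENY for one packet and record the reason."""
        flow = f"{p.src}:{p.sport}->{p.dst}:{p.dport}/{p.proto}"
        if p.direction == "out" and self._is_internal(p.src):
            if self.stateful:
                self.sessions[self._key(p)] = self.sessions.get(self._key(p), 0) + 1
            self.log.append(f"ALLOW out {flow}")
            return "ALLOW"
        if p.direction == "in":
            if self.stateful and self._reverse_key(p) in self.sessions:
                self.log.append(f"ALLOW in (matches session) {flow}")
                return "ALLOW"
            # old behaviour: without an explicit forwarding session or ACL the
            # reply is dropped; with stateful on, only unsolicited traffic lands here
            self.log.append(f"DENY in (unsolicited) {flow}")
            return "DENY"
        self.log.append(f"DENY {flow} (no matching rule)")
        return "DENY"


def run_scenario(stateful: bool) -> List[str]:
    """Replay the slide's flow: client request P1, the server's reply, rogue P1'."""
    acl = StatefulAcl(stateful, internal_nets=["10.0."])
    packets = [   # constructed sample traffic, not a capture
        Packet("10.0.1.5", "203.0.113.10", 51000, 443, "tcp", "out"),   # P1: client request
        Packet("203.0.113.10", "10.0.1.5", 443, 51000, "tcp", "in"),    # reply to P1
        Packet("198.51.100.7", "10.0.1.5", 443, 51000, "tcp", "in"),    # P1': unsolicited
    ]
    return [acl.handle(p) for p in packets]


if __name__ == "__main__":
    print("stateful ACL :", run_scenario(True))    # ALLOW, ALLOW, DENY
    print("stateless ACL:", run_scenario(False))   # ALLOW, DENY, DENY
```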

  • Slide 49: Routing (BGP MD5) Authentication

    • BGP MD5 authentication support added to NS/ZebOS to enhance the security of BGP. Since BGP uses TCP as its transport, using this option significantly reduces the danger from certain security attacks on BGP.
    • Possible to configure MD5 passwords for a BGP neighbor using NITRO APIs.
    • BGP MD5 password configuration is now synced/propagated between HA nodes.
    • BGP MD5 password configuration is now synced/propagated between cluster nodes.

  • Slide 50: Clustering

  • Slide 51: Clustering: Heterogeneous Clustering

    • Allow nodes of different platforms but with the same number of PEs
    • Helps customers expand a cluster without depending on legacy platforms

    Supported MPX hardware platforms to form a heterogeneous cluster (No. of PEs: MPX hardware platforms):
    • 5 PEs: MPX 11500, MPX 14020
    • 7 PEs: MPX 11515, MPX 14040
    • 9 PEs: MPX 11530, MPX 14060

    Things to be noted
    • The extra management CPU setting should be the same on all the cluster nodes.
    • The newly added node should have the same capacity on the data planes and backplane as the existing cluster nodes.
    • Cluster join does not work when there is a mismatch in PE count between the CCO and the node joining the cluster.

    Note: The platforms mentioned in the table are officially validated by us. For other platforms please verify feasibility with the PM/Engineering team.

  • Slide 52: Traffic Management Features in 12.1 49.23 build

    Support for parent-child topology in cluster
    • Use case: customers want to independently scale GSLB and LB nodes
    • A-A, A-P GSLB already supported in cluster
    • From the 12.1 49.23 build, parent-child is also supported in cluster

    NetScaler Cluster to support graceful shutdown of services
    • Use case: customer wants to gracefully shut down services on NetScalers in a cluster
    • TROFS monitors serve the purpose for HTTP services

  • Slide 53: Clustering: Cluster Backup/Restore

    • Take the backup on the CLIP and restore it on the individual NS nodes.

    To save the config:
      > save ns config                              [to be executed on the CLIP]

    To create the backup:
      > create system backup -level basic/full      [to be executed on the CLIP]

    To restore the remote package on the cluster nodes:
    1) Copy or upload the backup tar file to the /var/ns_sys_backup directory
    2) Add the tar file using
      > add system backup .tgz                      [to be executed on each individual node]
    3) Then restore using
      > restore system backup .tgz                  [to be executed on each individual node]

    To reboot the NS appliance (a reboot is required after restore):
      > reboot                                      [to be executed on each individual node]

    NOTE: Cluster backup/restore doesn't work with CLAG and SDX deployments.

  • Slide 54: Traffic Management

  • Slide 55: Multi-IP vserver Support

    • Support multiple IP addresses as part of the LB vserver and CS vserver configuration

    Old behaviour
    • We can specify an IP address in the vserver configuration to create a vserver entity with a single IP address.
    • We can also use the iprange option to create network vservers, in which a single vserver entity listens on a consecutive range of IP addresses.
    • We can neither specify non-consecutive IP addresses nor IPv4/IPv6 combinations as part of the vserver configuration.

    New behaviour
    • Allows creating a single vserver with multiple non-consecutive or consecutive IPv4 and IPv6 addresses.

  • Slide 56: DTLS Backend Service Support

    • Description
      – In a nutshell, DTLS or Datagram TLS is a protocol which provides SSL/TLS support for datagram (UDP) based applications. So basically DTLS is SSL over UDP.
      – Previously NetScaler appliances only supported DTLS as a frontend virtual server (vserver).
    • Configuration
      – CLI: add service DTLS port
      – GUI: Navigate to Traffic Management > Load Balancing > Services

  • Slide 57: NetScaler Nameserver TCP Support

    • Introduction
      – The NetScaler appliance allows you to add external name servers to which it can forward the name resolution queries that cannot be resolved locally.
      – A name server can be configured by specifying its IP address or by configuring an existing LB virtual server as the name server.
    • The Challenge
      – Presently the NetScaler nameserver does not support DNS resolution over TCP.
      – Cannot use a DNS_TCP type LB vserver as a nameserver.
      – NetScaler is unable to support scenarios where the response size is greater than 512 bytes or where the 'Truncated' bit is set in the response.
    • The Solution
      – The NetScaler nameserver supports DNS resolution over TCP.
      – Support for two modes:
        • IP based nameserver support (TCP and UDP_TCP type)
          – A TCP type nameserver will use only TCP for DNS resolution.
          – A UDP_TCP type nameserver will use UDP by default and fall back to TCP if the size of the response exceeds 512 bytes.
        • Configure an existing DNS_TCP LB vserver as a nameserver

  • Slide 58: Use Cases: Name Resolution in VPN

    • CASE 1: Explicitly specified name of the DNS virtual server for the user session.
      – The default nameserver will retry over TCP if the response size exceeds 512 bytes.
      – Presently a DNS_TCP vserver cannot be specified in the vpn parameter.
        add service s1 10.102.81.173 DNS 53
        add lb vserver v1 DNS 1.1.1.1 53
        bind lb vserver v1 s1
        set vpn parameter -dnsVserverName v1
        add dns nameServer 10.102.81.173 -type TCP
    • CASE 2: Use default nameserver type UDP_TCP
      – Use UDP first and, if the response exceeds 512 bytes, retry over TCP.
        add dns nameServer 10.102.81.173 -type UDP_TCP
    • CASE 3: Use default nameserver type TCP
      – Always use TCP for name resolution.
        add dns nameServer 10.102.81.173 -type TCP
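An added example (not Citrix code) for the TC-bit problem on slide 44 and the TCP/UDP_TCP nameserver types on slides 57 and 58: it parses the DNS header to detect a truncated UDP answer, decides which transport a given nameserver type would use, and shows the 2-byte length framing DNS uses on TCP. Function names are hypothetical, the plain UDP type is assumed to be the pre-existing default, and the sample responses are constructed.

```python
"""
Constructed model of the UDP_TCP fallback decision (hypothetical names).
A UDP answer with the TC (truncated) bit set, or longer than 512 bytes, is
re-issued over TCP, where RFC 1035 prefixes every message with a 2-byte
big-endian length so several answers can share one stream.
"""
import struct
from typing import List, Optional

DNS_UDP_MAX = 512      # classic UDP payload limit cited on the slides
FLAG_TC = 0x0200       # TC bit within the 16-bit DNS flags word


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & 0x8000), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(udp_response: bytes) -> bool:
    """UDP_TCP mode: fall back to TCP when the UDP answer was truncated."""
    hdr = parse_header(udp_response)
    return hdr["tc"] or len(udp_response) > DNS_UDP_MAX


def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP: 2-byte length prefix before each message (RFC 1035, 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream: bytes) -> List[bytes]:
    """Split a TCP byte stream back into individual DNS messages."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        body = stream[pos + 2:pos + 2 + length]
        if len(body) < length:
            raise ValueError("incomplete TCP-framed DNS message")
        msgs.append(body)
        pos += 2 + length
    return msgs


def choose_transport(ns_type: str, udp_response: Optional[bytes]) -> str:
    """Mirror the nameserver types on the slides: TCP, UDP_TCP and plain UDP."""
    if ns_type == "TCP":
        return "tcp"                       # always TCP
    if ns_type == "UDP":
        return "udp"                       # assumed pre-12.1 behaviour: UDP only, no retry
    if ns_type == "UDP_TCP":
        if udp_response is not None and needs_tcp_retry(udp_response):
            return "tcp"                   # retry over TCP after a truncated UDP reply
        return "udp"
    raise ValueError(f"unknown nameserver type {ns_type!r}")


# --- constructed sample responses (not real captures) -----------------------
def _build_response(ident: int, flags: int, body_len: int) -> bytes:
    header = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    return header + b"\x00" * body_len      # opaque body; only the header matters here


SMALL_ANSWER = _build_response(0x1234, 0x8180, 60)                  # QR=1, TC=0, 72 bytes
TRUNCATED_ANSWER = _build_response(0x1234, 0x8180 | FLAG_TC, 500)   # TC=1, an O365-style overflow


if __name__ == "__main__":
    for label, resp in (("small", SMALL_ANSWER), ("truncated", TRUNCATED_ANSWER)):
        print(f"{label}: UDP_TCP nameserver uses {choose_transport('UDP_TCP', resp)}")
```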

  • Slide 59: PPS Rate Limit For DSR VServers

    • Customers can configure a responder policy, which will invoke the stream identifier, to collect statistics at packet level and limit the number of packets flowing through a connection.
    • The responder policy can be configured for Burst and Smooth modes of traffic.
    • The configured action (DROP/RESET) is applied if the number of packets per second exceeds the configured threshold value.
    • Supports SNMP traps and event messages in SYSLOG.
    • Packets of all types are considered, irrespective of packet size.
    • The 'trackAckOnlyPackets' parameter can be enabled in the stream identifier to prevent attacks with zero-payload packets.

  • Slide 60: PPS Rate Limit: CLI Configs (contd.) (screenshot)

  • Slide 61: PPS Rate Limit: GUI Configs (screenshot)
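An added example (not Citrix code) of the packets-per-second limiting described on slide 59: the same packet timeline is run through a burst-mode counter (sliding one-second window) and a smooth-mode token bucket, excess packets get the configured DROP or RESET action, and the trackAckOnlyPackets behaviour is modelled as a flag that makes zero-payload ACK segments count. Class and function names are hypothetical and the timeline is constructed.

```python
"""
Constructed model of a stream-identifier PPS limit (hypothetical names).
"burst" admits up to `threshold` packets per sliding one-second window;
"smooth" refills a token bucket at `threshold` tokens per second, so the
same burst is spread out rather than admitted all at once.
"""
from collections import deque
from typing import Deque, List, Tuple


class PpsLimiter:
    def __init__(self, threshold: int, mode: str, action: str,
                 track_ack_only: bool = True) -> None:
        if mode not in ("burst", "smooth") or action not in ("DROP", "RESET"):
            raise ValueError("mode must be burst|smooth, action DROP|RESET")
        self.threshold, self.mode, self.action = threshold, mode, action
        self.track_ack_only = track_ack_only
        self.window: Deque[float] = deque()    # burst: timestamps admitted in the last 1 s
        self.tokens = float(threshold)         # smooth: token bucket, full at start
        self.last = 0.0
        self.events: List[str] = []            # stands in for the SNMP trap / SYSLOG event

    def check(self, ts: float, payload_len: int, ack_only: bool = False) -> str:
        """Return 'PASS' or the configured action for one packet seen at time ts."""
        # payload_len is deliberately not used: all packet sizes count (slide 59)
        if ack_only and not self.track_ack_only:
            return "PASS"                      # zero-payload ACKs ignored unless tracked
        if self.mode == "burst":
            while self.window and ts - self.window[0] >= 1.0:
                self.window.popleft()
            if len(self.window) >= self.threshold:
                return self._exceed(ts)
            self.window.append(ts)
            return "PASS"
        # smooth: refill at threshold tokens/second, spend one token per packet
        self.tokens = min(float(self.threshold),
                          self.tokens + (ts - self.last) * self.threshold)
        self.last = ts
        if self.tokens < 1.0:
            return self._exceed(ts)
        self.tokens -= 1.0
        return "PASS"

    def _exceed(self, ts: float) -> str:
        self.events.append(f"t={ts:.2f}s pps>{self.threshold} -> {self.action}")
        return self.action


# packet = (timestamp, payload length, ack_only); constructed, not captured:
# five data packets in the first 50 ms, then five ACK-only packets around t=0.6 s
TIMELINE: List[Tuple[float, int, bool]] = (
    [(i * 0.01, 64, False) for i in range(5)]
    + [(0.6 + i * 0.01, 0, True) for i in range(5)]
)


def replay(mode: str, packets: List[Tuple[float, int, bool]], threshold: int = 5,
           action: str = "DROP", track_ack_only: bool = True) -> List[str]:
    """Run a timeline through one limiter and return the per-packet verdicts."""
    limiter = PpsLimiter(threshold, mode, action, track_ack_only)
    return [limiter.check(ts, size, ack) for ts, size, ack in packets]


if __name__ == "__main__":
    print("burst :", replay("burst", TIMELINE))    # 5 PASS, then 5 DROP
    print("smooth:", replay("smooth", TIMELINE))   # 8 PASS, then 2 DROP
```

With the threshold at 5 the second group is refused outright in burst mode, while the token bucket has earned back three tokens by t=0.6 s and admits three of the five.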

  • Slide 62: SSL

  • Slide 63: Secure SSL Profile for Grade: eases getting an A+ grade from SSL Labs

    Before 12.1:
    • Disable SSL3, enable TLS 1.2
    • Bind AEAD ciphers
    • Remove CBC and RC4 ciphers
    • Implement HSTS
    • Bind SHA2 signed server certificate and intermediate certificates
    • Prefer ECDHE/DHE

    From 12.1:
    • Bind the SECURE profile
    • Bind SHA2 signed server certificate and intermediate certificates

  • Slide 64: Secure Cipher Alias

    • The SECURE cipher alias includes only ECDHE key-exchange AEAD ciphers.
      > sh ssl cipher SECURE
      Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 Priority : 1
      Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 Priority : 2
      Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 Priority : 3
      Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 Priority : 4
      1) Profile Name: ns_default_ssl_profile_secure_frontend
      Done

  • Slide 65: Hybrid ECDSA on N3-MPX/SDX Models

    • ECDSA is an advanced signature algorithm based on elliptic curves.
    • From 12.1, ECDSA computation can be done in both the CPU and the SSL chips (hybrid ECDHE computation support has been available since Q4 2016).
    • Increases the performance (TPS) significantly. Performance tests in progress.

  • Slide 66: Protocol Updates

    DTLS
    • Required for EDT
    • Supported on VPX and Cavium MPX
    • FIPS support released in 12.1 49.23

    TLS 1.3
    • TLS 1.3 released in the 12.1 49.23 GA build
    • Supported on VPX and N3 based MPX
    • FIPS support is dependent on NIST approval

  • Slide 67: TLS 1.3 Delivers Considerable Improvements Over TLS 1.2

    • 1. Faster connections
      – Handshake requires only one round trip time (1 RTT)
      – Resumption is zero RTT
      – Allows clients to open multiple parallel connections with a fresh session ticket for each connection
    • 2. Improved security
      – Over padding oracle, protocol downgrade, etc.

    TLSv1.3 cipher group (hex code: OpenSSL name):
    • 0x13,0x01: TLS13-AES-128-GCM-SHA256
    • 0x13,0x02: TLS13-AES-256-GCM-SHA384
    • 0x13,0x03: TLS13-CHACHA20-POLY1305-SHA256

  • Slide 68: TLS 1.3 (continued)

    • Platforms and entities supported: VPX and MPX; front end entities
    • CLI commands to enable TLS 1.3:
      > set ssl profile ns_default_ssl_profile_frontend -tls13 ENABLED
      > sh cipher TLSv1.3
      > set ssl profile ns_default_ssl_profile_frontend -sessionticket ENABLED
      > set ssl profile ns_default_ssl_profile_frontend -zeroRttEarlyData ENABLE
      > set ssl profile ns_default_ssl_profile_frontend -dheKeyExchangeWithPsk YES
      > set ssl profile ns_default_ssl_profile_frontend -tls13SessionTicketsPerAuthContext [1-10]
    • GA date: targeted Q3 for support on VPX and software MPX
    • Available in beta currently. Register at https://podio.com/webforms/19812471/1342437

  • Slide 69: GUI / CLI (screenshots)

  • Slide 70: Cipher Support Matrix

    Cipher/Protocol        N3 MPX/SDX   Coleto MPX/SDX   VPX Frontend   FIPS 14000 series
    TLS 1.1/1.2 Frontend   ✓            ✓                ✓              ✓
    TLS 1.1/1.2 Backend    ✓            ✓                ✓              ✓
    ECDHE Frontend         ✓            ✓                ✓              ✓
    ECDHE Backend          ✓            ✓                ✓              ✓
    GCM, SHA2 Frontend     ✓            ✓                ✓              ✓
    GCM, SHA2 Backend      ✓            ✓                ✓              ✓
    ECDSA Frontend         ✓            ✓                ✓              ✓
    ECDSA Backend          ✓            ✓                ✓              ✓
    Chacha-Poly Frontend   ✓ ✓ ✓ (three of the four platforms)
    Chacha-Poly Backend    ✓ ✓ (two of the four platforms)

    Updated with the 12.1 49.23 build release

  • Slide 71: Deprecated SSLv2: Why SSLv2 Support Was Removed

    • IETF RFC 6176: SSLv2 does not provide a sufficiently high level of security.
    • Deficiencies:
      – Message authentication uses MD5
      – Handshake messages are not protected
      – Message integrity and message encryption use the same key
      – Sessions can be easily terminated
    • CLI behaviour: show a warning and remain disabled.
      > set ssl vserver v1 -ssl2 enabled
      Warning: SSLv2 not supported in this release
      Done
      > show ssl vserver v1
      . . . . . . .
      SSLv2 : DISABLED

  • Slide 72: Removal of Weak Ciphers From DEFAULT_BACKEND

    • Removed RC2, DES(40), DES(56) and EXPORT ciphers from DEFAULT_BACKEND
    • Ciphers removed from the DEFAULT_BACKEND group:
      – SSL3-DES-CBC-SHA
      – SSL3-EXP-DES-CBC-SHA
      – SSL3-EXP-RC2-CBC-MD5
      – SSL3-EDH-DSS-DES-CBC-SHA
      – TLS1-EXP1024-DHE-DSS-DES-CBC-SHA
      – SSL3-EXP-EDH-DSS-DES-CBC-SHA
      – SSL3-EDH-RSA-DES-CBC-SHA
      – SSL3-EXP-EDH-RSA-DES-CBC-SHA
      – TLS1-EXP1024-RC2-CBC-MD5
      – SSL3-ADH-DES-CBC-SHA
      – SSL3-EXP-ADH-DES-CBC-SHA

  • Slide 73: Secure Session Tickets

    • What is a Session Ticket?
      – A Session Ticket is the session state issued in the form of an encrypted ticket (NewSessionTicket TLS handshake message) by the server to the client.
      – Client and server both signal support for Session Tickets by sending an empty Session Ticket extension.
      – The server issues the Session Ticket as a NewSessionTicket handshake message before the ChangeCipherSpec.
      – The client can subsequently resume the session using the obtained Session Ticket.
    • Why Session Tickets?
      – Avoid the burden of keeping per-client session state on the TLS server.

  • Slide 74: SourceIP As Backup Persistence For SSL SESSIONID

    • Client/server renegotiation breaks SSLSESSION ID persistence, which is a known limitation.
    • When the NetScaler is not able to match the SSLSESSION ID from the persistence table, it falls back to SOURCEIP persistence.
    • Applicable for SSL-Bridge vservers.

  • Slide 75: Selective SSL Logging

    • With the SSL log profile, you can log SSL-related information, such as client authentication and SSL handshake failures, for only a specific virtual server or group of virtual servers.
    • Configuration: depending on where you use an SSL log profile, you can configure it to log a combination of the following for a virtual server or a group of virtual servers:
      – Only client authentication successes and failures
      – Only client authentication failures
      – Only SSL handshake successes and failures
      – Only SSL handshake failures
    • An SSL log profile can be attached to an SSL profile or to an SSL action.

  • Slide 76: Configuration Steps Through CLI & GUI

    • To add an SSL log profile by using the NetScaler command line:
      add ssl logprofile [-ssllogClAuth ( ENABLED | DISABLED )] [-ssllogClAuthFailures ( ENABLED | DISABLED )] [-ssllogHS ( ENABLED | DISABLED )] [-ssllogHSfailures ( ENABLED | DISABLED )]

  • Slide 77: Attaching an SSL Log Profile to an SSL Profile

    • To attach an SSL log profile to an SSL profile by using the NetScaler command line:
      add ssl profile [-sslProfileType ( BackEnd | FrontEnd )] [-ssllogProfile ]
    • Example:
      add ssl profile fron-1 -ssllogProfile ssllog10
      set ssl profile fron-2 -ssllogProfile ssllog10
    • GUI: Navigate to System > Profiles > SSL Profile

  • Slide 78: Attaching an SSL Log Profile to an SSL Action

    • To attach an SSL log profile to an SSL action by using the NetScaler command line:
      add ssl action [-ssllogProfile ] [-clientAuth ( DOCLIENTAUTH | NOCLIENTAUTH )]
    • Example:
      add ssl action act1 -clientAuth DOCLIENTAUTH -ssllogProfile ssllog10
      add ssl policy pol1 -rule true -action act1

  • Slide 79: Hybrid ECC on Cavium N3 based NetScaler

    • Enable the hybrid model by using the NetScaler GUI or CLI:
      set ssl parameter -softwareCryptoThreshold
    • NetScaler CPU utilization threshold (as a percentage) beyond which crypto operations are not done in software. A value of zero implies that the CPU is not utilized for doing crypto in software.
      Default = 0, Min = 0, Max = 100

  • Slide 80: Unlocking New Use Cases with SSL Policies

    • SSL policies now support actions based on client hello details, for example SNI, client hello ciphers, etc.
    • Use case: a customer in Russia wants to block clients coming with a particular cipher.
    • Use case: a customer wants to save IP addresses and use a single VIP for multiple applications; the customer also wants to send traffic to the appropriate backend server for client authentication.
    • New policy execution point: Client Hello. New SSL policy action: forward. From 12.1 49.23.

  • Slide 81: Sample config of new policies (from 12.1 49.23)

    • LB vserver v1; type SSL; service s1 (HTTP/SSL)
    • Dummy vserver d1; type SSL_Bridge; service s2 (SSL_Bridge)
    • Dummy vserver d2; type SSL_Bridge; service s3 (SSL_Bridge)
      add ssl action act1 -forward d1
      add ssl action act2 -forward d2
      add ssl policy pol1 -rule 'client.ssl.client_hello.sni.contains("abc")' -action act1
      add ssl policy pol2 -rule 'client.ssl.client_hello.sni.contains("xyz")' -action act2
      bind ssl vs v1 -policyname pol1 -type CLIENTHELLO_REQ -priority 1
      bind ssl vs v1 -policyname pol2 -type CLIENTHELLO_REQ -priority 2
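An added example (not Cit­rix code) showing what a CLIENTHELLO_REQ policy like pol1/pol2 above has to work with: it parses a TLS ClientHello record, extracts the SNI and the offered cipher suites (the details slide 80 mentions), and evaluates priority-ordered SNI rules to pick the forward target d1 or d2. Function names are hypothetical and the ClientHello bytes are constructed, not captured.

```python
"""
Constructed ClientHello parser and policy evaluator (hypothetical names).
The SNI rules mirror client.ssl.client_hello.sni.contains("abc"/"xyz");
the cipher list is exposed so a cipher-based rule can be written the same way.
"""
import struct
from typing import Callable, List, Optional, Tuple

EXT_SERVER_NAME = 0           # TLS extension type for SNI (RFC 6066)
HANDSHAKE, CLIENT_HELLO = 22, 1


def _take(buf: bytes, pos: int, n: int) -> bytes:
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n]


def parse_client_hello(record: bytes) -> dict:
    """Return {'sni': host or None, 'ciphers': [suite ids]} from one TLS record."""
    ctype, _version, rec_len = struct.unpack("!BHH", _take(record, 0, 5))
    body = _take(record, 5, rec_len)
    if ctype != HANDSHAKE or body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello handshake record")
    hs = _take(body, 4, int.from_bytes(body[1:4], "big"))
    pos = 2 + 32                                   # client_version + random
    pos += 1 + hs[pos]                             # legacy_session_id
    (cs_len,) = struct.unpack("!H", _take(hs, pos, 2))
    pos += 2
    cs_bytes = _take(hs, pos, cs_len)
    pos += cs_len
    ciphers = [struct.unpack("!H", cs_bytes[i:i + 2])[0] for i in range(0, cs_len, 2)]
    pos += 1 + hs[pos]                             # compression_methods
    sni = None
    if pos < len(hs):                              # extensions block is optional
        (ext_len,) = struct.unpack("!H", _take(hs, pos, 2))
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            edata = _take(hs, pos, elen)
            pos += elen
            # server_name_list: u16 list length, then u8 name_type, u16 len, name
            if etype == EXT_SERVER_NAME and elen >= 5 and edata[2] == 0:
                (name_len,) = struct.unpack("!H", edata[3:5])
                sni = edata[5:5 + name_len].decode("ascii", "replace")
    return {"sni": sni, "ciphers": ciphers}


Policy = Tuple[int, Callable[[dict], bool], str]    # (priority, rule, forward target)


def select_forward(hello: dict, policies: List[Policy]) -> Optional[str]:
    """First matching policy by ascending priority wins, like the bind order above."""
    for _prio, rule, target in sorted(policies, key=lambda p: p[0]):
        if rule(hello):
            return target
    return None


# Equivalent of pol1/pol2 bound at priority 1 and 2
POLICIES: List[Policy] = [
    (1, lambda h: h["sni"] is not None and "abc" in h["sni"], "d1"),
    (2, lambda h: h["sni"] is not None and "xyz" in h["sni"], "d2"),
]


def build_client_hello(host: str, ciphers: List[int]) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello carrying an SNI extension."""
    name = host.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = (struct.pack("!HH", EXT_SERVER_NAME, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    hs = (b"\x03\x03" + b"\x11" * 32 + b"\x00"             # version, random, empty session id
          + struct.pack("!H", len(cs)) + cs + b"\x01\x00"   # cipher suites, null compression
          + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = bytes([CLIENT_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


if __name__ == "__main__":
    hello = parse_client_hello(build_client_hello("www.abc.example", [0xC02F, 0x1301]))
    print(hello, "->", select_forward(hello, POLICIES))   # forward target d1
```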

  • Slide 82: DTLS Support Updates (12.1 49.23 build updates)

    • DTLS support on MPX 14000 FIPS models (Q3)
    • PFS (ECDHE) support on DTLS: MPX, VPX, FIPS (Q3)
    • Frontend SNI support on DTLS (Q3)

  • Slide 83: AAA

  • Slide 84: AAA

    Under the AAA top level, there will be USER and LOGIN entries in addition to the current one.
    • LOGIN represents pre-login, aka the login request.
    • It could be a regular gateway login, a SAML IdP login or an OAuth login. The AAA module abstracts that from the policy configuration.

    Pre-authentication: aaa.login. Post-authentication: aaa.user.

  • 85 © 2018 Citrix | Confidential

    Enhancements

    SAML Enhancements

    • SAML Service Provider
      – Metadata export of samlAction
        • https://<gateway-fqdn>/metadata/samlsp/
        • Querying this public link generates the metadata file.
      – Metadata import of SAML IdP

    • SAML Identity Provider
      – Metadata export for SAML IdP
        • add samlaction testapp -metadata
      – Metadata import for SAML SP

    • SaaS App Simplification
      – SAML/SaaS App catalogue
      – Simplified addition of apps

  • 86 © 2018 Citrix | Confidential

    SAML/SaaS App Catalogue

  • 87 © 2018 Citrix | Confidential

    Other AAA Enhancements

    • Persistent login attempts

    • OpenID Connect IdP: OAuth is increasingly popular in mobile app environments because of its lightweight nature compared to SAML
      – Authorization code grant, implicit grant, hybrid grants
      – Resource owner and client credential grants
      – Service-to-service APIs for access tokens
      – Encryption of OpenID tokens

  • 88 © 2018 Citrix | Confidential

    OAuth / OpenID Connect Flow

    Participants: the client browser, the Relying Party (RP, shown as https://athena) and the NetScaler IdP (NS IDP, shown as https://ngs.com).

    1. Client → RP: GET /
    2. RP → Client: 302 redirect to https://ngs.com/oauth/idp/login
    3. Client → NS IDP: GET /oauth/idp/login
    4. NS IDP: validate source
    5. NS IDP → Client: present login form
    6. Client → NS IDP: send login credentials
    7. NS IDP: validate login credentials, construct OAuth code
    8. NS IDP → Client: 302 to https://athena/oauth/login?code=ZZZ
    9. Client → RP: GET /oauth/login?code=ZZZ
    10. RP → NS IDP: is code proper?
    11. NS IDP → RP: YES
    12. RP: verify token
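    The security of the flow above rests on steps 4, 10 and 12: the IdP must bind the code to the client and redirect URI it was minted for and accept it once, and the RP must verify the token's signature and claims rather than trust the redirect. The Python example below (added here; not Citrix code) simulates both sides offline with an HS256-signed ID token. Issuer and RP URLs follow the diagram; the secrets, key, nonce handling and 60-second code lifetime are assumptions chosen for the demo, and a production IdP would use RS256 with published keys instead of a shared HMAC key.

```python
import base64
import hashlib
import hmac
import json
import secrets

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class IdentityProvider:
    """Stand-in for the NS IDP side (steps 4, 7, 8 and 10-11 of the flow)."""

    def __init__(self, issuer, clients, signing_key):
        self.issuer = issuer
        self.clients = clients        # client_id -> (client_secret, registered redirect_uri)
        self.signing_key = signing_key
        self.codes = {}               # one-time codes: code -> (client_id, redirect_uri, subject, nonce, expiry)

    def authorize(self, client_id, redirect_uri, nonce, subject, now):
        """Steps 4 and 7: validate the source, then mint a short-lived code bound to this client and redirect."""
        _, registered_uri = self.clients.get(client_id, (None, None))
        if registered_uri != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, subject, nonce, now + 60)
        return redirect_uri + "?code=" + code          # step 8: 302 back to the RP

    def token(self, code, client_id, client_secret, redirect_uri, now):
        """Step 10, 'is code proper?': unused, unexpired, and presented by the client it was issued to."""
        entry = self.codes.pop(code, None)             # pop = single use; a replayed code is rejected
        if entry is None:
            raise PermissionError("unknown or already used code")
        bound_client, bound_uri, subject, nonce, expiry = entry
        secret, _ = self.clients[bound_client]
        if (bound_client != client_id or bound_uri != redirect_uri or now > expiry
                or not hmac.compare_digest(secret.encode(), client_secret.encode())):
            raise PermissionError("code does not belong to this client or has expired")
        return self._issue_id_token(client_id, subject, nonce, now)

    def _issue_id_token(self, audience, subject, nonce, now):
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = b64url(json.dumps({"iss": self.issuer, "aud": audience, "sub": subject,
                                    "nonce": nonce, "iat": now, "exp": now + 300}).encode())
        sig = hmac.new(self.signing_key, (header + "." + claims).encode(), hashlib.sha256).digest()
        return header + "." + claims + "." + b64url(sig)

def verify_id_token(token, key, issuer, client_id, nonce, now):
    """Step 12 on the RP: pin the algorithm, check the signature, then every claim the RP relies on."""
    header, claims, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")      # the token must not choose the algorithm
    expected = hmac.new(key, (header + "." + claims).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise PermissionError("bad signature")
    c = json.loads(b64url_decode(claims))
    if (c.get("iss") != issuer or c.get("aud") != client_id
            or c.get("nonce") != nonce or now >= c.get("exp", 0)):
        raise PermissionError("issuer, audience, nonce or expiry check failed")
    return c

# Constructed parties: URLs follow the deck's diagram; secret and key are demo values.
ISSUER, RP_ID, RP_SECRET = "https://ngs.com", "athena", "demo-client-secret"
RP_REDIRECT, SHARED_KEY = "https://athena/oauth/login", b"demo-signing-key"

def run_flow(now=1_700_000_000):
    """Drive the whole code flow once and return the verified subject."""
    idp = IdentityProvider(ISSUER, {RP_ID: (RP_SECRET, RP_REDIRECT)}, SHARED_KEY)
    nonce = secrets.token_urlsafe(8)
    location = idp.authorize(RP_ID, RP_REDIRECT, nonce, "alice", now)
    code = location.split("code=", 1)[1]
    id_token = idp.token(code, RP_ID, RP_SECRET, RP_REDIRECT, now + 1)
    return verify_id_token(id_token, SHARED_KEY, ISSUER, RP_ID, nonce, now + 2)["sub"]

def replay_is_rejected(now=1_700_000_000):
    """A code presented a second time must fail at step 10."""
    idp = IdentityProvider(ISSUER, {RP_ID: (RP_SECRET, RP_REDIRECT)}, SHARED_KEY)
    code = idp.authorize(RP_ID, RP_REDIRECT, "n", "bob", now).split("code=", 1)[1]
    idp.token(code, RP_ID, RP_SECRET, RP_REDIRECT, now)
    try:
        idp.token(code, RP_ID, RP_SECRET, RP_REDIRECT, now)
    except PermissionError:
        return True
    return False
```

    The nonce ties the ID token to the browser session that started the flow, which is what stops a code or token obtained in one session from being injected into another.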

  • 89 © 2018 Citrix | Confidential

    RDP Enhancements

    • RDP connection redirection

    • RDP auto-population of links using AD attributes

  • 90 © 2018 Citrix | Confidential

    Configuration for enabling RDP Redirection

    RDP redirection support in the presence of a connection broker or session directory can be enabled through the rdpserverprofile:

    • add rdpserverprofile <name> -psk <key> -rdpRedirection ( ENABLE | DISABLE )

    Note:

    • Redirection is supported only when SSO is enabled; it is supported in both single-Gateway and stateless/dual-Gateway mode, along with enforcement (SmartAccess).

    • Currently redirection is not supported when SSO is disabled.

    • The RDPProxy feature is supported only with token-based IP cookies: http://www.jasonfilley.com/rdpcookies.html

    • Dedicated redirectors can be used for RDPProxy connections; see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772418(v=ws.10)

  • 91 © 2018 Citrix | Confidential

    Traffic Flow (RDP-Proxy-LB): RDP bookmark pointed to RDP-LB

    [Diagram: RDPProxy (RDPProxy cookie) → RDPLB → Session Directory/CB → Terminal Server 1 / Terminal Server 2; final connection to the selected terminal server.]

  • 92 © 2018 Citrix | Confidential

    Traffic Flow (RDP-Proxy-LB for existing connection): RDP bookmark pointed to RDP-LB

    [Diagram: RDPProxy (RDPProxy cookie) → RDPLB → Session Directory/CB → Terminal Server 1 / Terminal Server 2; the RDPLB cookie is modified to an RDPProxy cookie; final connection to the server holding the existing session.]

  • 93 © 2018 Citrix | Confidential

    Traffic Flow (RDP-Proxy flow without LB): Connection Broker load balancing enabled. RDP bookmark always pointed to Terminal Server 1 (i.e. Terminal Server 1 acts as redirector)

    [Diagram: RDPProxy (RDPProxy cookie) → Terminal Server 1 → Session Directory/CB → Terminal Server 2; final connection.]

  • 94 © 2018 Citrix | Confidential

    Traffic Flow (RDP-Proxy flow without LB): Connection Broker load balancing enabled. For a session to be created or already existing on Terminal Server 2, with the RDP bookmark always pointed to Terminal Server 1 (i.e. Terminal Server 1 acts as redirector)

    [Diagram: RDPProxy (RDPProxy cookie) → Terminal Server 1 → Session Directory/CB → Terminal Server 2; the redirect cookie is modified to an RDPProxy cookie; final connection to Terminal Server 2.]

  • 95 © 2018 Citrix | Confidential

    RDP URL creation through authentication attribute

    • On rdpclientprofile, configuration of the 'rdpUrlLinkAttribute' parameter is supported. It names an authentication-server attribute (for example LDAP or SAML) from which the list of RDP servers (IP/FQDN) a user can access is fetched.

    • Based on the list received, the RDP links are generated and displayed to the user.

    Configuration:

    • add rdpclientprofile <name> -rdpUrlLinkAttribute <attribute name>

  • 96 © 2018 Citrix | Confidential

    Example

    • rdpUrlLinkAttribute = rdpServerNameForUser

    • On the LDAP server: rdpServerNameForUser has the values Server1, Server2

    • Then, once the user authenticates to Gateway, the following links are displayed:
      LinkName: Server1, Link: https://<gateway-fqdn>/rdpproxy/Server1
      LinkName: Server2, Link: https://<gateway-fqdn>/rdpproxy/Server2

    Note: The attribute named in rdpUrlLinkAttribute must be fetched through the corresponding authentication method on NetScaler. Currently this is supported only with LDAP.

  • Manageability

  • 98 © 2018 Citrix | Confidential

    vCPU Subscription licensing

    • From this release, customers will be able to consume VPX licenses based on vCPU in addition to bandwidth.

    • Similar to pooled capacity licenses and CICO licenses, NetScaler MAS acts as the license server and manages a separate set of virtual CPU licenses.

    • VPX instances will be able to check out the number of vCPUs required from the license pool on MAS.

    https://docs.citrix.com/en-us/netscaler-mas/12-1/license-server/netscaler-virtual-cpu-licensing.html

    PND Launch Kit: https://citrix.savoinspire.com/nsacdvpxvcpupndlk/

  • 99 © 2018 Citrix | Confidential

    License Expiry enforcement (Local licenses)

    • For local licenses/evaluation licenses, i.e. licenses that reside on the VPX, license expiry enforcement is applied from this release. Before the 12.1 release, license expiry enforcement was not applied until the VPX was rebooted.

    • For non-CSP, when days to expiration hits 0:
      – An SNMP alarm is generated (NS-LICENSE-EXPIRY).
      – The NetScaler appliance automatically restarts to revoke the license.

    • No enforcement if NetScaler is licensed using CSP licenses:
      – An SNMP alarm is generated every 24 hours.
      – No forced reboot.

    https://docs.citrix.com/en-us/netscaler/12-1/licensing/netscaler-licensing-overview.html

  • 100 © 2018 Citrix | Confidential

    Expiry enforcement (Local licenses)

    • "sh ns license" output (abridged):

        ...
        Model Number ID: xxx
        License Type: Platinum License
        Licensing mode: Local
        Days to expiration: 2

    • "Days to expiration" is updated every 24 hours.

    • For non-CSP, when days to expiration hits 0:
      – An SNMP alarm is generated (NS-LICENSE-EXPIRY).
      – The system initiates a warm reboot to revoke the licenses.

    • No enforcement if NetScaler is licensed using CSP licenses:
      – An SNMP alarm is generated every 24 hours.
      – No forced reboot.

  • 101 © 2018 Citrix | Confidential

    StyleBook Automation

    • Seamless app analytics post StyleBook creation

    • StyleBook usability improvements

    • RBA for StyleBook

    • Moving app config across instances:
      – VPX on SDX to VPX on Cloud
      – Dev to Prod

  • 102 © 2018 Citrix | Confidential

    StyleBook - GitHub Repository

    • Default StyleBooks published on GitHub: https://github.com/citrix/MAS-StyleBooks

    • Open to contribution and sharing from the community

  • 103 © 2018 Citrix | Confidential

    Telco

  • 104 © 2018 Citrix | Confidential

    Large Scale NAT (LSN) in Cluster: Introduction

    • A NetScaler cluster refers to a group of NetScalers that can be configured and managed as a single system. It provides scalability and availability.

    • Each NetScaler in the cluster acts as an independent CGNAT entity and is managed as part of the single system.

    • In cluster mode, an LSN pool IP / NAT IP is owned by only one node at any point in time (i.e. spotted behaviour).

  • 105 © 2018 Citrix | Confidential

    Policy Based Steering for LSN Cluster deployments

    • In LSN cluster deployments, PBS with a source-IP based hash is used to maintain stickiness of subscriber traffic to a given node.

    • LSN features in cluster mode
      – NAT44 and NAT64 are available in cluster mode of operation.
      – Most of the LSN features supported prior to r12.1 are available in an LSN cluster.
      – All combinations of mapping and filtering are supported in cluster, as available earlier.
      – Syslog, compact logging and IPFIX logging are supported.
      – The log format is similar across HA and cluster mode.
      – All profiles are supported, i.e. application profile, transport profile, log profile.

    • ALGs available in cluster mode
      – FTP
      – TFTP
      – ICMP
      – PPTP

  • 106 © 2018 Citrix | Confidential

    Traffic Flow When Flow Receiver Is Different Than Flow Processor

    [Diagram: private client network (192.168.1.1, 192.168.1.2) → ECMP → cluster nodes Node-1 (10.102.53.14) and Node-2 (10.102.53.11) → public network. PBS is applied on the receiving node and the flow is steered over the backplane to its owner, node 1.]

  • 107 © 2018 Citrix | Confidential

    Traffic Flow When Flow Receiver And Flow Processor Are Same

    [Diagram: private client network (192.168.1.1, 192.168.1.2) → ECMP → cluster nodes Node-1 (10.102.53.14) and Node-2 (10.102.53.11) → public network. PBS is applied; owner node 1 is also the node that received the flow.]

  • 108 © 2018 Citrix | Confidential

    Sample Configuration (NAT44)

    Pool configuration:
        add lsn pool poolV4
        bind lsn pool poolV4 -ownerNode 1 20.20.20.1-20.20.20.2
        bind lsn pool poolV4 -ownerNode 2 20.20.20.3-20.20.20.4

    Client network configuration:
        add lsn client clientV4
        bind lsn client clientV4 -network 192.168.1.0 -netmask 255.255.255.0

    Group configuration:
        add lsn group grpV4 -clientname clientV4
        bind lsn group grpV4 -poolname poolV4

    DFD-ACL (PBS) configuration:
        add ns acl b1 ALLOW -srcIP = 192.168.1.0-192.168.1.255 -type DFD -dfdhash SIP
        apply ns acls -type DFD

  • 109 © 2018 Citrix | Confidential

    Sample Configuration (NAT64)

    Pool configuration:
        add lsn pool poolV6
        bind lsn pool poolV6 -ownerNode 1 40.40.40.1-40.40.40.2
        bind lsn pool poolV6 -ownerNode 2 40.40.40.3-40.40.40.4

    Client network configuration:
        add lsn client clientV6
        bind lsn client clientV6 -network6 2222::/64

    Group configuration:
        add lsn ip6profile ip6prfl_nat64 -type NAT64 -natprefix 2003::/96
        add lsn group grpV6 -clientname clientV6 -ip6profile ip6prfl_nat64
        bind lsn group grpV6 -poolname poolV6

    DFD-ACL (PBS) configuration:
        add ns acl6 nat64_dfd ALLOW -srcIPv6 = 2222:: -type DFD -dfdhash SIP -dfdprefix 64
        apply ns acls6 -type DFD

  • 110 © 2018 Citrix | Confidential

    LSN Limitations

    • Session and port quotas configured at the LSN group level are applied on each node.

    • Session synchronization across nodes is not supported.

    • DS-Lite cannot be configured in cluster mode.

    • Not supported in cluster mode:
      – IPsec ALG
      – Deterministic NAT
      – Static NAT
      – Hairpinning
      – L3 cluster
      – SIP (target for r12.1-FR1)
      – RTSP (target for r12.1-FR1)

  • 111 © 2018 Citrix | Confidential

    Policy based backplane steering (PBS): Use Cases

    • In current NS cluster deployments, internal traffic distribution (DFD) is based on the 4-tuple hash.

    • Traffic from the same subscriber (client IP) can therefore be distributed across the nodes.

    • Use case 1
      – In telco deployments, the external server (PCRF) maintains the mapping of node to subscriber ID for a specific client.
      – If multiple nodes process traffic from the same client, the external server (PCRF) has to maintain multiple sessions with different nodes for the same client.

    • Use case 2
      – Cluster-aware LSN deployments require the PBS feature for source IP stickiness.

  • 112 © 2018 Citrix | Confidential

    Policy based backplane steering (PBS): How It Works

    • Identify the traffic using a user-defined policy based on parameters like source MAC, source VLAN, source IP, destination IP, source port and destination port.

    • Identify the flow processor for this specific flow using the user-defined policy hash methods and steer the flow to the target node (flow processor).

    • For the same subscriber (client IP), one node is always the flow processor (FP), so the external server can maintain one session mapping for that subscriber.
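    The two properties that make the NAT44 sample configuration work are visible in code: a source-IP-only hash picks the same flow processor for every packet of a subscriber, and each node allocates translations only from the pool slice bound to it with -ownerNode. The Python example below (added here; not Citrix code) models both for the deck's sample layout (clientV4 192.168.1.0/24, node 1 owning 20.20.20.1-20.20.20.2, node 2 owning 20.20.20.3-20.20.20.4). The SHA-256-based hash is an assumption, since the deck does not describe the appliance's internal DFD hash, and the one-NAT-IP-per-subscriber mapping is a simplification of port-multiplexed NAT44.

```python
import hashlib
import ipaddress

# Constructed layout following the deck's NAT44 sample configuration.
CLIENT_NETWORK = ipaddress.ip_network("192.168.1.0/24")
POOL_OWNERSHIP = {1: ("20.20.20.1", "20.20.20.2"), 2: ("20.20.20.3", "20.20.20.4")}

def dfd_owner_node(src_ip, node_ids):
    """PBS with -dfdhash SIP: the flow processor depends on the source IP only, so every packet of a
    subscriber lands on the same node. The hash itself is an assumption for this demo."""
    digest = hashlib.sha256(ipaddress.ip_address(src_ip).packed).digest()
    return node_ids[int.from_bytes(digest[:4], "big") % len(node_ids)]

class LsnNode:
    """One cluster node: allocates NAT addresses only from the range it owns and keeps its own
    session table (the deck notes that sessions are not synchronized across nodes)."""

    def __init__(self, node_id, first_ip, last_ip):
        self.node_id = node_id
        lo, hi = int(ipaddress.ip_address(first_ip)), int(ipaddress.ip_address(last_ip))
        self.free = [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)]
        self.sessions = {}   # subscriber IP -> NAT IP (simplified: real LSN also multiplexes ports)

    def translate(self, src_ip):
        if src_ip not in self.sessions:
            if not self.free:
                raise RuntimeError("owner node %d has exhausted its pool slice" % self.node_id)
            self.sessions[src_ip] = self.free.pop(0)
        return self.sessions[src_ip]

def build_cluster():
    return {nid: LsnNode(nid, lo, hi) for nid, (lo, hi) in POOL_OWNERSHIP.items()}

def steer_and_translate(src_ip, cluster):
    """Flow-receiver side: apply the DFD ACL, steer to the owner node, return (node id, NAT IP).
    Returns None when the source is outside the LSN client network (ACL miss)."""
    if ipaddress.ip_address(src_ip) not in CLIENT_NETWORK:
        return None
    node = cluster[dfd_owner_node(src_ip, sorted(cluster))]
    return node.node_id, node.translate(src_ip)

def owned_by(nat_ip, node_id):
    """True when nat_ip lies in the slice bound with -ownerNode <node_id>."""
    lo, hi = POOL_OWNERSHIP[node_id]
    return int(ipaddress.ip_address(lo)) <= int(ipaddress.ip_address(nat_ip)) <= int(ipaddress.ip_address(hi))
```

    Because the session table lives only on the owner node, a node failure drops that node's subscriber sessions, which is the practical meaning of the "session synchronization across nodes is not supported" limitation listed earlier.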

  • 113 © 2018 Citrix | Confidential

    PBS Packet Flow Illustration

    [Diagram: packet flow between Client and Server through the cluster; no further detail survived extraction.]

  • 114 © 2018 Citrix | Confidential

    Cluster Support For Subscribers

    • Use case: this enhancement aims at extending Gx interface support to cluster deployments.

    • GUI changes: (screenshot)

  • 115 © 2018 Citrix | Confidential

    IPVLAN As Key Type For Subscribers

    • Use case: the default subscriber lookup method is IP only. With this enhancement, IPVLAN can be added as an additional lookup method.

    • Only supported with the GxOnly interface type.

  • 116 © 2018 Citrix | Confidential

    IPFIX LOGGING

    4 APRIL 2018

  • 117 © 2018 Citrix | Confidential

    LOGGING

    LSN uses the existing AppFlow framework for logging.

    Logging can be controlled at two levels:
    • Global
    • LSN group level

    A new argument of the appflow parameter has been introduced at the global level for LSN logging:

        set appflow param -lsnLogging ENABLED

  • 118 © 2018 Citrix | Confidential

    LOGGING

    Group-level logging can be enabled/disabled by the add/set command:

        add lsn logprofile 2 -logipfix enabled

    If both syslog and IPFIX are enabled, IPFIX takes precedence over syslog.

  • 119 © 2018 Citrix | Confidential

    TEMPLATE FOR NAT44 SESSION CREATION/DELETION

    Field Name                     Size (bits)   Tag value (per RFC definition)
    observationPointId             64            138
    exportingProcessId             32            144
    timeStamp                      64            323
    natEvent                       8             230
    sourceIPv4Address              32            8
    postNATSourceIPv4Address       32            225
    protocolIdentifier             8             4
    sourceTransportPort            16            7
    postNAPTsourceTransportPort    16            227
    destinationIPv4Address         32            12

  • 120 © 2018 Citrix | Confidential

    TEMPLATE FOR NAT64 SESSION CREATION/DELETION

    Field Name                     Size (bits)   Tag value (per RFC definition)
    observationPointId             64            138
    exportingProcessId             32            144
    timeStamp                      64            323
    natEvent                       8             230
    sourceIPv6Address              128           27
    postNATSourceIPv4Address       32            225
    protocolIdentifier             8             4
    sourceTransportPort            16            7
    postNAPTsourceTransportPort    16            227
    destinationIPv4Address         32            12
    destinationTransportPort       16            11
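    A collector that receives these records has to learn the template first and then slice each data record by the fixed field lengths in the table. The Python example below (added here; not Citrix code and not the appliance's exporter) encodes a NAT44 and a NAT64 session record with exactly the element IDs and sizes from the two template tables, wraps them in an IPFIX message (RFC 7011 header and sets), and decodes them back the way a collector would. The template IDs 256 and 257, the sample addresses and the natEvent value 1 (session create, from the IANA natEvent registry) are assumptions for the demo.

```python
import socket
import struct

# Field lists copied from the deck's template slides: (name, IANA element id, size in bits).
TEMPLATES = {
    256: [("observationPointId", 138, 64), ("exportingProcessId", 144, 32), ("timeStamp", 323, 64),
          ("natEvent", 230, 8), ("sourceIPv4Address", 8, 32), ("postNATSourceIPv4Address", 225, 32),
          ("protocolIdentifier", 4, 8), ("sourceTransportPort", 7, 16),
          ("postNAPTsourceTransportPort", 227, 16), ("destinationIPv4Address", 12, 32)],       # NAT44
    257: [("observationPointId", 138, 64), ("exportingProcessId", 144, 32), ("timeStamp", 323, 64),
          ("natEvent", 230, 8), ("sourceIPv6Address", 27, 128), ("postNATSourceIPv4Address", 225, 32),
          ("protocolIdentifier", 4, 8), ("sourceTransportPort", 7, 16),
          ("postNAPTsourceTransportPort", 227, 16), ("destinationIPv4Address", 12, 32),
          ("destinationTransportPort", 11, 16)],                                               # NAT64
}
# Template IDs 256/257 are assumed values; RFC 7011 only requires data-set template IDs >= 256.
NAME_BY_ID = {eid: name for fields in TEMPLATES.values() for name, eid, _ in fields}
IPV4 = {"sourceIPv4Address", "postNATSourceIPv4Address", "destinationIPv4Address"}
IPV6 = {"sourceIPv6Address"}

def encode_field(name, nbytes, value):
    if name in IPV4:
        return socket.inet_pton(socket.AF_INET, value)
    if name in IPV6:
        return socket.inet_pton(socket.AF_INET6, value)
    return int(value).to_bytes(nbytes, "big")

def decode_field(name, raw):
    if name in IPV4:
        return socket.inet_ntop(socket.AF_INET, raw)
    if name in IPV6:
        return socket.inet_ntop(socket.AF_INET6, raw)
    return int.from_bytes(raw, "big")

def template_set(template_id):
    """Set ID 2 = template set: template id, field count, then (element id, length) pairs."""
    fields = TEMPLATES[template_id]
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", eid, bits // 8) for _, eid, bits in fields)
    return struct.pack("!HH", 2, 4 + len(body)) + body

def data_set(template_id, records):
    body = b"".join(encode_field(n, bits // 8, rec[n])
                    for rec in records for n, _, bits in TEMPLATES[template_id])
    return struct.pack("!HH", template_id, 4 + len(body)) + body

def build_message(template_id, records, export_time, sequence, domain_id):
    """IPFIX message: 16-byte header (version 10), then the template set and one data set."""
    sets = template_set(template_id) + data_set(template_id, records)
    return struct.pack("!HHIII", 10, 16 + len(sets), export_time, sequence, domain_id) + sets

def parse_message(msg):
    """Collector side: learn templates from set 2, then decode the data sets that reference them."""
    version, length, _, _, _ = struct.unpack("!HHIII", msg[:16])
    if version != 10 or length > len(msg):
        raise ValueError("not a complete IPFIX message")
    templates, records, pos = {}, [], 16
    while pos + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[pos:pos + 4])
        if set_len < 4:
            raise ValueError("bad set length")
        body = msg[pos + 4:pos + set_len]
        pos += set_len
        if set_id == 2:
            tid, count = struct.unpack("!HH", body[:4])
            templates[tid] = [struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i]) for i in range(count)]
        elif set_id >= 256 and set_id in templates:
            fields = templates[set_id]
            rec_len = sum(flen for _, flen in fields)
            off = 0
            while off + rec_len <= len(body):          # a tail shorter than one record is padding
                rec = {}
                for eid, flen in fields:
                    rec[NAME_BY_ID[eid]] = decode_field(NAME_BY_ID[eid], body[off:off + flen])
                    off += flen
                records.append(rec)
    return records
```

    Note that the collector can only decode a data set whose template it has already seen; this is why the sample configuration later sets -templateRefresh, so that a collector started after the appliance still receives the template within a bounded interval.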

  • 121 © 2018 Citrix | Confidential

    enable ns feature AppFlow LSN

    set appflow param -templateRefresh 60 -lsnLogging ENABLED

    add appflow collector c1 -IPAddress 6.6.6.6 -port 6439 -netProfile net1

    set audit nslogParams -logLevel ALL -lsn ENABLED

    add lsn pool p1

    bind lsn pool p1 50.0.1.1-50.0.15.254

    add lsn client c1

    bind lsn client c1 -network 12.0.0.0 -netmask 255.0.0.0

    add lsn logprofile log1 -logipfix ENABLED

    add lsn group g1 -clientname c1 -logging ENABLED -sessionLogging ENABLED

    bind lsn group g1 -poolname p1

    bind lsn group g1 -logProfileName log1

    SAMPLE CONFIGURATION

  • 122 © 2018 Citrix | Confidential

    NetScaler Video Optimization

    Spiros Vathis, Staff Software Engineer

  • 123 © 2018 Citrix | Confidential

    Video Detection: Media Types & Sites Support

    • Clear-text PD video

    • Clear-text ABR video

    • Encrypted ABR video

    • QUIC ABR video (new)

    • All clear-text & many top encrypted sites supported

  • 124 © 2018 Citrix | Confidential

    Basics

    CBM Txxx & CBM Premium licenses required.

        #> enable feature videoOptimization
        Done
        #> show ns license | grep Video
        Video Optimization: YES
        #> show ns feature | grep Video
        37) Video Optimization VideoOptimization ON

  • 125 © 2018 Citrix | Confidential

    LB vServers

        #> add lb vserver vs-http HTTP * 80 -persistenceType NONE
        Done
        #> add lb vserver vs-ssl SSL_BRIDGE * 443 -persistenceType NONE
        Done
        #> add lb vserver vs-quic QUIC * 443 -persistenceType NONE -m MAC
        Done
        #> add service svc-quic QUIC *
        Done
        #> bind lb vserver vs-quic svc-quic
        Done

  • 126 © 2018 Citrix | Confidential

    Detection Policies

        #> show videooptimization detectionpolicy | grep Name
        1) Name: ns_videoopt_http_body_detection
        2) Name: ns_videoopt_http_abr_netflix
        3) Name: ns_videoopt_http_abr_netflix2
        4) Name: ns_videoopt_http_abr_youtube
        5) Name: ns_videoopt_http_pd_youtube
        6) Name: ns_videoopt_http_pd_youtube2
        7) Name: ns_videoopt_http_pd_youtube3
        8) Name: ns_videoopt_https_abr_netflix
        9) Name: ns_videoopt_https_abr_youtube
        10) Name: ns_videoopt_http_abr_generic
        11) Name: ns_videoopt_https_abr_generic

    Facebook video detection added in the generic detection policies.

  • 127 © 2018 Citrix | Confidential

    Optimization Policies (Encrypted)

        #> add videooptimization pacingaction myOptENCAction -rate 2000
        Done
        #> add videooptimization pacingpolicy myOptENCPolicy -rule TRUE -action myOptENCAction
        Done
        #> bind lb vserver vs-ssl -policyName myOptENCPolicy -priority 100 -type REQUEST
        Done

  • 128 © 2018 Citrix | Confidential

    Optimization Policies (QUIC) – new

        #> add videooptimization pacingaction myOptQUICAction -rate 1500
        Done
        #> add videooptimization pacingpolicy myOptQUICPolicy -rule TRUE -action myOptQUICAction
        Done
        #> bind lb vserver vs-quic -policyName myOptQUICPolicy -priority 100 -type REQUEST
        Done

  • 129 © 2018 Citrix | Confidential

    Logging

        #> shell
        root@ns# nsapimgr -ys mediac_debug=1
        Changing mediac_debug from 0 to 1 Done.
        root@ns# cat /var/log/ns.log
        Aug 22 10:15:39 T1100-PH-1 nsppe: PE:2:ns_mediaclassification.c:ns_mc_log_trans:899:Transaction log: session_type 100, Client IP:Port[VLAN] 172.31.100.10:49866[101], Server IP:Port[VLAN] 10.78.79.80:80[200], trans_id 2, ssl_domain_src 0, domain 10.78.79.80, start_time_sec 1503386131, start_time_usec 77743, last_data_time_sec 1503386139, last_data_time_usec 219215, end_time_sec 1503386139, end_time_usec219215, app_req_bytes 419, app_rsp_bytes 2581280, tot_req_bytes 419, tot_rsp_bytes 2581280, video_session_id 0x00030001, media_type 31, is_session_resume 0, opt_bit_rate 2000, is_rand_sampled 0, sessionization_status 2
        Aug 22 10:16:40 T1100-PH-1 nsppe: PE:3:ns_mediac_sessionization.c:ns_mc_vs_generate_sess_summary:1636:vs[0x184d6100] client_ip[vlan]:172.31.100.10[101] video_session_id:0x00030001 transaction_count:2 media_type:31start_time_sec_abs:1503386129 start_time:273799 last_data_time:283179 (duration:9380) app_req_bytes:868 app_rsp_bytes:3374359 tot_req_bytes:868 tot_rsp_bytes:3374359 is_rand_sampled:0 opt_bit_rate:2000
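    The transaction lines above are "key value" pairs separated by commas after a fixed ns.log prefix, which makes them easy to turn into per-session summaries like the one the appliance itself prints. The Python example below (added here; not Citrix code) parses lines of that shape and aggregates bytes and transaction counts per video_session_id. The first sample line is the deck's own (trimmed to fewer fields); the second is constructed so that the two transactions add up to the app_req_bytes:868 and app_rsp_bytes:3374359 of the deck's summary line. The regular expression, like the trimmed field list, is an assumption about the format and not an appliance specification.

```python
import re

# Constructed sample: line 1 is the deck's transaction log line with fewer fields; line 2 is made up
# so that the two transactions sum to the deck's session summary (868 request / 3374359 response bytes).
SAMPLE_LOG = (
    "Aug 22 10:15:39 T1100-PH-1 nsppe: PE:2:ns_mediaclassification.c:ns_mc_log_trans:899:Transaction log: "
    "session_type 100, Client IP:Port[VLAN] 172.31.100.10:49866[101], Server IP:Port[VLAN] 10.78.79.80:80[200], "
    "trans_id 2, domain 10.78.79.80, app_req_bytes 419, app_rsp_bytes 2581280, video_session_id 0x00030001, "
    "media_type 31, opt_bit_rate 2000, sessionization_status 2\n"
    "Aug 22 10:16:02 T1100-PH-1 nsppe: PE:2:ns_mediaclassification.c:ns_mc_log_trans:899:Transaction log: "
    "session_type 100, Client IP:Port[VLAN] 172.31.100.10:49870[101], Server IP:Port[VLAN] 10.78.79.80:80[200], "
    "trans_id 3, domain 10.78.79.80, app_req_bytes 449, app_rsp_bytes 793079, video_session_id 0x00030001, "
    "media_type 31, opt_bit_rate 2000, sessionization_status 2\n"
)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) nsppe: PE:(?P<pe>\d+):"
    r"(?P<src>[^:]+):(?P<func>[^:]+):\d+:Transaction log: (?P<fields>.*)$")

def _coerce(value):
    """Numbers become ints (base 0 also handles the 0x... session id); anything else stays a string."""
    try:
        return int(value, 0)
    except ValueError:
        return value

def parse_transaction_line(line):
    """Return one transaction as a dict, or None if the line is not a transaction log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": m.group("ts"), "host": m.group("host"), "pe": int(m.group("pe"))}
    for pair in m.group("fields").split(", "):
        if " " not in pair:          # tolerate a fused "keyvalue" fragment such as end_time_usec219215
            continue
        key, value = pair.rsplit(" ", 1)
        rec[key] = _coerce(value)
    return rec

def parse_log(text):
    return [r for r in (parse_transaction_line(l) for l in text.splitlines()) if r]

def summarize_sessions(records):
    """Per video_session_id: transaction count and request/response bytes, like the deck's summary line."""
    out = {}
    for r in records:
        s = out.setdefault(r["video_session_id"], {
            "transaction_count": 0, "app_req_bytes": 0, "app_rsp_bytes": 0,
            "client": r["Client IP:Port[VLAN]"].split(":")[0]})
        s["transaction_count"] += 1
        s["app_req_bytes"] += r["app_req_bytes"]
        s["app_rsp_bytes"] += r["app_rsp_bytes"]
    return out
```

    Session-level totals computed this way can be compared against the "stat videooptimization" byte counters to confirm that the pacing policy is being applied to the traffic you expect.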

  • 130 © 2018 Citrix | Confidential

    Counters (CLI)

        > stat videooptimization -d
        Video Optimization Statistics - detail

        Video Optimization Transaction Statistics - summary
                                          Rate (/s)      Total
        ClearText PD Video                        0          0
        ClearText ABR Video                       0         12
        Encrypted ABR Video                       0          0
        QUIC Video                               40        230
        Other                                     0          8

        Video Optimization Session statistics
                                          Rate (/s)      Total
        ClearText ABR Video Sessions              0          4
        Encrypted ABR Video Sessions              0          0
        QUIC Video Sessions                       2          2

        Video Optimization Transaction Bytes Served
                                          Rate (/s)      Total
        ClearText PD Bytes                        0          0
        ClearText ABR Bytes                       0   16194022
        Encrypted ABR Bytes                       0          0
        QUIC Bytes                            47473    3400394
        Other                                     0    2965349

  • 131 © 2018 Citrix | Confidential

    Connection Quality Analytics & AdaptiveTCP - Intro

    Availability: both features were introduced in 12.0 FR3.

    Licensing: both features require a Premium (on the T1 platform) or a Platinum (on the MPX platform, 12.0 FR4+) telco license installed.

    Dependencies:
    • AdaptiveTCP depends on CQA
    • AppFlow Logstream reporting is required for CQA reporting
    • Both HTTP and TCP LB vservers are supported

  • 132 © 2018 Citrix | Confidential

    Connection Quality Analytics & AdaptiveTCP - Overview

    Objective
    • Enable mobile operators to analyze the overall behavior of their network, tracking network characteristics on a per-subscriber basis:
      • Network type (2G, 3G, 4G)
      • Signal quality (Poor, Fair, Good, Excellent)
      • Congestion level (None, Low, Medium, High)
    • Allow the adaptation of the TCP optimization parameters of each connection, based on the current network conditions that the mobile subscriber is experiencing.

    Use case
    1. Analyze the overall behavior of the network, in terms of the conditions experienced by mobile subscribers.
      • Network analysis (primary): leverage analytics for forward planning.
      • Market analysis (secondary): track success in user adoption or churn for users with different devices and network types.
    2. Improve user experience and/or network utilization.

  • 133 © 2018 Citrix | Confidential

    Connection Quality Analytics & AdaptiveTCP – Overview 2

    [Diagram: traffic flows Mobile Network → NetScaler → Internet. On the NetScaler, the CQA Detection Logic and the Adaptive-TCP Logic are driven by Classification Model Coefficients and Adaptive-TCP Rules, and backed by the Distributed User Experience Storage (UXStore). Reports go over Logstream to the Logstream Collector on MAS for Machine Learning and Reporting; the loop is labelled Sense / Optimise, with CLI and Nitro-API as the configuration interfaces.]

  • 134 © 2018 Citrix | Confidential

    Connection Quality Analytics - Configuration

    Enable the feature and configure the CQA parameters:

        enable ns feature cqa
        set ns cqaparam -harqretxdelay 7 -net1label 2g -minRTTNet1 25 -lr1probthresh 6.00e-01
            -net1cclscale "25,50,75" -net1csqscale "25,50,75" -net1logcoef "1.49,3.62,-0.14,1.84,4.83"
            -lr1coeflist "intercept=4.95,thruputavg=5.92,iaiavg=-189.48,rttmin=…"
            -net2label 3g -minRTTNet2 30 -net2csqscale "…" -net2logcoef "…" -lr2coeflist "intercept=..."
            -lr2probthresh 5.00e-01 -net2cclscale "25,50,75"
            -net3label 4g -minRTTNet3 35 -net3cclscale "25,50,75" -net3csqscale "25,50,75" -net3logcoef "…"

    Configure AppFlow:

        enable ns feature appflow
        enable ns mode ULFD
        add appflow collector col1 -IPAddress xx.xx.xx.xx -port 5557 -Transport logstream
        set appflow param -tcpBurstReporting 1000 -cqaReporting ENABLED

    Note: for 12.1+ you also need to configure a tcpinsight analytics profile:

        add analytics profile apcqa -type tcpinsight -collectors col1 -tcpBurstReporting
        bind lb vserver tcplb -analyticsProfile apcqa

  • 135 © 2018 Citrix | Confidential

    Adaptive TCP – Configuration 1

    Set up a set of AdaptiveTCP profiles. The existing TCP-profile management CLI is used to add AdaptiveTCP profiles:

    • That is, TCP profiles that have the is_adaptive_tcp parameter enabled.
    • is_adaptive_tcp, as well as AdaptiveTCP profiles themselves, are not exposed to the customer (hidden).
    • They are used as a mechanism to capture the TCP optimization parameter values that we want to apply under specific conditions. The TCP profile parameters that AdaptiveTCP is supposed to tweak are:
      1. TCP flavor
      2. TCP max congestion window
      3. Burst rate control
      4. TCP rate
      5. TCP rate maximum queue
      6. Nile parameters (currently hidden)
      7. Maximum TCP segments allowed in a burst

        add ns tcpprofile nstcp_adaptive_tcp_profile_1 -isAdaptiveTcp ENABLED -flavor NILE -maxcwnd 8388608
            -tcprate 0 -rateqmax 0 -burstRateControl DISABLED -maxBurst 2 -nileAlphaMinPercent 100 -nileAlphaMax 64
            -nileBetaMinPercent 0 -nileBetaMaxPercent 25 -nileD1Percent 15 -nileD2Percent 30 -nileD3Percent 70
            -nileRttF actor 3 -nileRttFilter ENABLED

  • 136 © 2018 Citrix | Confidential

    Adaptive TCP – Configuration 2

    Configure cqarules. Configure a set of cqarules that define the AdaptiveTCP lookup table, which maps CQA parameters to AdaptiveTCP profiles. cqarules are NOT exposed to the customer and can be configured using the following hidden CLIs:

        (add|set) adaptivetcp cqarule <name> -netType <netType> -signalQuality <signalQuality> -congestionLevel <congestionLevel> -adaptiveTcpProfName <profile> -priority <priority>
        rm adaptivetcp cqarule <name>

    • adaptiveTcpProfName is mandatory and should be an existing AdaptiveTCP profile.
    • netType, signalQuality and congestionLevel are optional and all default to the value "Any".
    • priority is optional, defaults to NORMAL, and defines the order in which the rules are applied when constructing the lookup table (LOWEST is applied first, whereas HIGHEST is applied last and thus overrides previously applied rules). For rules with the same priority, the order in which they were added defines the order in which they are applied.
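    The priority semantics above (lowest applied first, highest last and overriding, insertion order breaking ties, "Any" as a wildcard) determine which AdaptiveTCP profile a connection ends up with, and a mistake there silently applies the wrong TCP parameters to a whole class of subscribers. The Python example below (added here; not Citrix code and not the appliance's hidden CLI) builds the lookup table from a list of cqarules with exactly those semantics and answers the per-connection lookup. The network labels come from the cqaparam example and the signal and congestion levels from the CQA overview; the rule representation and the three-level priority set are assumptions for the demo.

```python
from itertools import product

# Value sets taken from the deck: network labels from the cqaparam example, signal quality and
# congestion levels from the CQA overview. "Any" is the wildcard the deck describes.
NET_TYPES = ("2g", "3g", "4g")
SIGNAL_QUALITIES = ("Poor", "Fair", "Good", "Excellent")
CONGESTION_LEVELS = ("None", "Low", "Medium", "High")
PRIORITY_RANK = {"LOWEST": 0, "NORMAL": 1, "HIGHEST": 2}   # LOWEST applied first, HIGHEST last

def add_cqarule(rules, adaptiveTcpProfName, netType="Any", signalQuality="Any",
                congestionLevel="Any", priority="NORMAL"):
    """Mimics 'add adaptivetcp cqarule'. The list keeps insertion order, which breaks priority ties."""
    if not adaptiveTcpProfName:
        raise ValueError("adaptiveTcpProfName is mandatory")
    if priority not in PRIORITY_RANK:
        raise ValueError("unknown priority %r" % priority)
    for value, universe in ((netType, NET_TYPES), (signalQuality, SIGNAL_QUALITIES),
                            (congestionLevel, CONGESTION_LEVELS)):
        if value != "Any" and value not in universe:
            raise ValueError("unknown value %r" % value)
    rules.append({"netType": netType, "signalQuality": signalQuality, "congestionLevel": congestionLevel,
                  "adaptiveTcpProfName": adaptiveTcpProfName, "priority": priority})
    return rules

def _expand(value, universe):
    return universe if value == "Any" else (value,)

def build_lookup_table(rules):
    """Apply rules lowest priority first; a later rule overwrites every cell it covers."""
    table = {}
    ordered = sorted(enumerate(rules), key=lambda ir: (PRIORITY_RANK[ir[1]["priority"]], ir[0]))
    for _, r in ordered:
        cells = product(_expand(r["netType"], NET_TYPES),
                        _expand(r["signalQuality"], SIGNAL_QUALITIES),
                        _expand(r["congestionLevel"], CONGESTION_LEVELS))
        for cell in cells:
            table[cell] = r["adaptiveTcpProfName"]
    return table

def lookup(table, netType, signalQuality, congestionLevel):
    """The per-connection step: after the ux-store returns the CQA values, pick the AdaptiveTCP profile."""
    return table.get((netType, signalQuality, congestionLevel))
```

    Building the full table once, rather than scanning rules per connection, also makes it easy to audit: every (network, signal, congestion) cell can be listed with the profile that will be applied to it before the profile is bound to a production vserver.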

  • 137 © 2018 Citrix | Confidential

    Adaptive TCP – Configuration 3

    Enable the feature:

        enable ns feature adaptivetcp

    Configure when the AdaptiveTCP logic is triggered. Configure a normal TCP profile with the applyAdaptiveTcp parameter enabled and bind it to a vserver:

        (add|set) ns tcpProfile nstcp_profile_with_adtcp -tcpmode ENDPOINT -applyAdaptiveTcp ENABLED
        set lb vserver tcplb -tcpProfileName nstcp_profile_with_adtcp

    Whenever this TCP profile is used to handle traffic, the AdaptiveTCP logic is triggered, i.e.:
    1. the ux-store is queried to retrieve the CQA parameters,
    2. the AdaptiveTCP table is looked up to get an AdaptiveTCP profile,
    3. the respective TCP-optimization parameters are applied for the rest of the connection.

    It must be clear that when the AdaptiveTCP logic selects an AdaptiveTCP profile to be applied, there is NOT going to be any actual replacement of the normal TCP profile. Instead the logic just tweaks/adjusts specific TCP profile parameters according to how the selected AdaptiveTCP profile is configured.

  • 138 © 2018 Citrix | Confidential

    Using CQA-based PI Expressions

    PI has been extended to support the use of CQA parameters in policy expressions.

    NETWORK_TYPE: string value that matches the detected network type configured through the cqaparam command interface.

    SIGNAL_QUALITY: integer value ranging from 0 to 100 and matching the CQA signal quality parameter stored in the subscriber store (lower values indicate better signal quality).

    CONGESTION_LEVEL: integer value ranging from 0 to 100 and matching the CQA raw value of the congestion level parameter stored in the subscriber store (lower values indicate lower congestion).

    Example expression:

        ANALYTICS.CONNECTION_QUALITY.NETWORK_TYPE.EQ(\"2G\") &&
        ANALYTICS.CONNECTION_QUALITY.SIGNAL_QUALITY.GT(60) &&
        ANALYTICS.CONNECTION_QUALITY.CONGESTION_LEVEL.GT(80)

  • 139 © 2018 Citrix | Confidential