12. Smooth migration from IPv4 to IPv6 with Citrix NetScaler - Daniel Künzli
Transcript of 12. Smooth migration from IPv4 to IPv6 with Citrix NetScaler - Daniel Künzli
Citrix NetScaler Service Delivery System: smooth transition from IPv4 to IPv6
Daniel Künzli, Systems Engineer NG Citrix Systems GmbH, Switzerland
Agenda
• Overview
• IPv6 integration and translation
• Basic features
• NetScaler for Citrix XenApp / XenDesktop
• NetScaler for SQL
• NetScaler SDX
• Citrix Open Cloud
Citrix Confidential – For NDA use only
Figure: An integrated delivery infrastructure, secure access to Citrix app and desktop virtualization. Components shown: Access Gateway, Branch Repeater, Citrix Receiver, XenApp, XenDesktop, XenServer and NetScaler, connected by the delivery network.
Citrix NetScaler: the Swiss army knife for your IT infrastructure
5 essential load balancing terms
1. VServer: accepts the clients' requests (14)
2. Service (backend): the network endpoint to which the NetScaler forwards (17)
3. Monitor: periodically checks that the backend service is working (29+)
4. Load balancing method: selects the service to forward to (15+)
5. Persistence (stickiness): a client is always directed to the same service (9+)
Figure: the NetScaler as a full proxy, terminating the TCP client connection on one side and opening its own TCP backend connection on the other.
The "full proxy" approach enables a considerably larger feature set.
IPv6: NetScaler is ready through and through
IPv4 and IPv6 Mixed Mode
Prefix Based IPv6-IPv4 Translation (figure): an IPv6 enterprise on one side of the NetScaler, the IPv4 Internet on the other. NetScaler NAT prefix: 2000::/96. NetScaler V4IP: 20.20.20.20. The IPv6 server 9900::1 (alongside an IPv6 DB server) communicates with the IPv4 server 30.30.30.30.
IPv6 leg: 9900::1 <-> 2000::30.30.30.30
IPv4 leg: 20.20.20.20 <-> 30.30.30.30
• Since NetScaler 9.3, the appliance can translate packets sent from private IPv6 servers into IPv4 packets, using an IPv6 prefix configured on the NetScaler appliance.
• IPv6 packets addressed to this prefix have to be routed to the NetScaler so that the IPv6-IPv4 translation is done by the NetScaler.
Prefix Based IPv6-IPv4 Translation
The first 96 bits of the destination IP address field are set as the IPv6 NAT prefix. The IPv6 servers embed the destination IP address of the IPv4 servers or hosts in the last 32 bits of the destination IP address field of the IPv6 packets. The NetScaler compares the first 96 bits of the destination IP address of all incoming IPv6 packets to the configured prefix. If there is a match, the NetScaler generates an IPv4 packet and sets its destination IP address to the last 32 bits of the destination IP address of the matched IPv6 packet.
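The prefix-based translation just described, modelled in Python as an added example for this transcript (not Citrix code). The NAT prefix 2000::/96, the appliance's V4IP 20.20.20.20 and the server addresses 9900::1 and 30.30.30.30 come from the slide; the (src, dst) tuples are a constructed stand-in for real packet headers. One inference worth making explicit: because every translated IPv4 packet leaves with the appliance's V4IP as source, the appliance must keep per-connection state to map the IPv4 reply back to the right IPv6 server, which the example represents by handing the original IPv6 source back in. The IPv4 side never sees IPv6 origin addresses, and any IPv6 host that can route to the /96 prefix can reach any IPv4 destination through the appliance, so the route to the prefix should only exist for the servers that need it.

```python
"""Prefix-based IPv6-to-IPv4 translation (NAT prefix /96), modelled in Python.
Added example for this transcript, not Citrix code. Addresses from the slide;
packet tuples are constructed stand-ins for headers."""
import ipaddress
from typing import Optional, Tuple

NAT_PREFIX = ipaddress.IPv6Network("2000::/96")   # configured on the NetScaler (slide)
NS_V4IP = ipaddress.IPv4Address("20.20.20.20")    # appliance's IPv4 address (slide: V4IP)


def embed_ipv4(prefix: ipaddress.IPv6Network, v4: str) -> str:
    """What the IPv6 server does: put the IPv4 target into the last 32 bits of the
    /96 NAT prefix, so 30.30.30.30 under 2000::/96 becomes 2000::1e1e:1e1e
    (the slide writes it as 2000::30.30.30.30, which is the same address)."""
    if prefix.prefixlen != 96:
        raise ValueError("the NAT prefix must be /96 to leave exactly 32 bits for IPv4")
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4))))


def translate_to_ipv4(src6: str, dst6: str, prefix=NAT_PREFIX, v4ip=NS_V4IP) -> Optional[Tuple[str, str]]:
    """Appliance side, IPv6 -> IPv4 direction. If the first 96 bits of dst6 match the
    prefix, return the (src, dst) of the IPv4 packet the appliance generates: the
    source is the appliance's own V4IP (src6 is not carried into the IPv4 header),
    the destination is the embedded low 32 bits. Packets that do not match the
    prefix are not translated (None) and are routed as ordinary IPv6."""
    dst = ipaddress.IPv6Address(dst6)
    if dst not in prefix:                        # compares only the first 96 bits
        return None
    embedded = ipaddress.IPv4Address(int(dst) & 0xFFFFFFFF)
    return (str(v4ip), str(embedded))


def translate_reply_to_ipv6(src4: str, dst6_original: str, prefix=NAT_PREFIX) -> Tuple[str, str]:
    """Appliance side, IPv4 -> IPv6 direction for the reply. The IPv4 server's address
    is re-embedded under the prefix so the IPv6 server sees a consistent peer.
    dst6_original is the IPv6 source remembered from the forward direction
    (inference: the appliance needs that per-connection state since V4IP is shared)."""
    return (embed_ipv4(prefix, src4), dst6_original)


if __name__ == "__main__":
    # Slide scenario: IPv6 server 9900::1 wants to reach IPv4 server 30.30.30.30.
    target = embed_ipv4(NAT_PREFIX, "30.30.30.30")
    print("IPv6 leg:", "9900::1", "->", target)
    print("IPv4 leg:", translate_to_ipv4("9900::1", target))
    print("reply   :", translate_reply_to_ipv6("30.30.30.30", "9900::1"))
    print("no match:", translate_to_ipv4("9900::1", "2001:db8::1"))
```

The prefix length check matters: a prefix longer or shorter than /96 cannot carry exactly one IPv4 address in the low 32 bits, and the match in translate_to_ipv4 is a pure 96-bit comparison, so anything else configured there silently changes which packets get translated.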
IPv6 Support in INAT
The following Inbound Network Address Translation (INAT) configurations are now supported:
IPv4-IPv6 Mapping: A public IPv4 address on the NetScaler appliance listens to connection requests on behalf of a private IPv6 server. The NetScaler appliance creates an IPv6 request packet with the IP address of the IPv6 server as the destination IP address.
IPv6-IPv4 Mapping: A public IPv6 address on the NetScaler appliance listens to connection requests on behalf of a private IPv4 server. The NetScaler appliance creates an IPv4 request packet with the IP address of the IPv4 server as the destination IP address.
IPv6-IPv6 Mapping: A public IPv6 address on the NetScaler appliance listens to connection requests on behalf of a private IPv6 server. The NetScaler appliance translates the packet's public destination IP address to the destination IP address of the server and forwards the packet to the server at that address.
IPv6 Support in INAT (figure): on the Internet side, IPv4 and IPv6 (addresses shown: 74.125.91.100 and 2009::100:1); behind the NetScaler, a private IPv4 server 192.168.1.100 and a private IPv6 DB server 3ffe:100::100.
NAT Table (public IP -> private IP):
2009:ffff:1000::100 -> 192.168.1.100   (IPv6 public address to IPv4 private address)
2009:ffff:1000::200 -> 3ffe:100::100   (IPv6 public address to IPv6 private address)
74.125.91.105       -> 3ffe:100::100   (IPv4 public address to IPv6 private address)
74.125.91.106       -> 192.168.1.100   (IPv4 public address to IPv4 private address)
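The INAT table above as a lookup, written as an added Python example for this transcript (not Citrix code). The four public-to-private entries are the slide's. Two things the slide leaves implicit are made explicit and are assumptions of this example: when the address family changes between the public and the private side, the appliance has to originate the server-side packet from one of its own addresses in the server's family (here a constructed SNIP per family), and for same-family mappings the example simply keeps the client's source address. Because the same private server appears behind two different public addresses, the reply direction cannot be derived from the private address alone; the example therefore returns both directions of a session together.

```python
"""Static inbound NAT (INAT) lookup modelled on the slide's NAT table.
Added example; not Citrix code. Table entries are the slide's; the SNIP
addresses and the same-family source handling are assumptions."""
import ipaddress
from typing import NamedTuple, Optional, Tuple


class Session(NamedTuple):
    kind: str                     # "IPv<public family>-IPv<private family>"
    to_server: Tuple[str, str]    # (src, dst) of the packet the appliance sends to the server
    to_client: Tuple[str, str]    # (src, dst) of the reply the appliance sends to the client


# NAT table from the slide: public (listening) address -> private server address
NAT_TABLE = {
    "2009:ffff:1000::100": "192.168.1.100",
    "2009:ffff:1000::200": "3ffe:100::100",
    "74.125.91.105": "3ffe:100::100",
    "74.125.91.106": "192.168.1.100",
}

# Assumption: the appliance's own subnet IPs, used as source toward the server when the
# client's address family cannot be carried in the server-side header.
SNIP = {4: "192.168.1.1", 6: "3ffe:100::1"}


def _normalise(table: dict) -> dict:
    """Canonical string forms so 2009:FFFF:1000:0::100 and 2009:ffff:1000::100 match."""
    return {str(ipaddress.ip_address(k)): str(ipaddress.ip_address(v)) for k, v in table.items()}


def inat_translate(table: dict, public_dst: str, client_src: str, snip=SNIP) -> Optional[Session]:
    """Describe how a packet from client_src to public_dst is forwarded, or None when
    the appliance holds no INAT entry for public_dst (nothing listens there)."""
    public = ipaddress.ip_address(public_dst)
    client = ipaddress.ip_address(client_src)
    if client.version != public.version:
        raise ValueError("client and public address must be in the same family")
    private_str = _normalise(table).get(str(public))
    if private_str is None:
        return None
    private = ipaddress.ip_address(private_str)
    if private.version == public.version:
        server_src = str(client)              # same family: client source kept (assumption)
    else:
        server_src = snip[private.version]    # family change: appliance must be the source
    return Session(
        kind=f"IPv{public.version}-IPv{private.version}",
        to_server=(server_src, str(private)),
        to_client=(str(public), str(client)),   # reply always appears from the public address
    )


if __name__ == "__main__":
    for public, client in [("74.125.91.105", "203.0.113.7"), ("2009:ffff:1000::100", "2001:db8::5")]:
        print(public, "->", inat_translate(NAT_TABLE, public, client))
```

When the family changes, the server only ever sees the appliance's SNIP as the client, so any per-client logging or access control on that server has to move to the appliance; that is the same trade-off as IPv4 SNAT, just across families.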
Key technologies for application delivery (B2C, B2B, P2P): Availability, Performance, Security. First pillar: Availability.
• Load Balancing
Information at layer 3 (IP) / layer 4 (TCP/UDP) decides which service the request is forwarded to
• Content Switching
Information at layer 7 (HTTP, FTP, DNS, RADIUS, TCP, UDP…) decides which group of backend services the request is forwarded to
• Surge Protection + Sure Connect
Servers work more effectively: load limits and queues at the server are avoided (surge queue)
• Global Server Load Balancing (GSLB)
Distribution of traffic through intelligent name resolution by the NetScaler
NetScaler Surge Protection (figure): two request-load plots from 0% to 100%. Without NetScaler, a burst of requests overloads the server. With NetScaler Surge Protection, requests beyond the server's capacity are held in a surge queue and released as capacity frees up.
Servers work more effectively: load limits and queues at the server are avoided (surge queue).
GSLB: "Site Load Distribution" & "Global Naming" (figure): several data centers, each with a load gauge from 0% to 100%, all answering for www.abc.de.
When a predefined traffic load limit is reached, user traffic is directed to an alternative data center.
GSLB: Disaster Recovery (figure, www.abc.de)
In the event of a site outage, the client is redirected to the nearest data center.
GSLB: load balancing of "incoming traffic" across provider links
• Incoming traffic here means a connection initiated on the user side; it is handled by the GSLB feature.
• Outgoing traffic, by contrast, means a connection initiated on the server side; it is handled by the LLB feature (Link Load Balancing).
• Function: the NetScaler answers a DNS query "delegated" to it by the ADNS of the main domain (figure: ADNS for gslb.cps.com) with the VServer IP reachable via provider A or B (in the figure, A).
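The decision rules spread over the three GSLB slides (never answer with a site whose monitor reports an outage, skip a site that has reached its load limit while another healthy site has room, otherwise answer with the nearest site's VServer IP), collected into one added Python example for this transcript. It is not Citrix code: the sites, the load limit, the distance metric and the fallback to the least-loaded site when every healthy site is over the limit are constructed for illustration. The function assumes the query has already been delegated to the appliance by the parent zone's ADNS and only decides which VServer IP goes into the answer.

```python
"""GSLB answer selection: disaster recovery, site load distribution and
nearest-site preference. Added example; not Citrix code. Sites, loads,
distances and the load limit are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Site:
    name: str
    vip: str                    # VServer IP returned in the DNS answer
    up: bool                    # site monitor result (False = site outage)
    load: float                 # current load as a fraction of capacity, 0.0 .. 1.0
    distance: Dict[str, int]    # client region -> distance metric (constructed)


LOAD_LIMIT = 0.8                # constructed "predefined traffic load limit"


def gslb_answer(sites: List[Site], client_region: str, load_limit: float = LOAD_LIMIT) -> Optional[str]:
    """VIP to return for a delegated DNS query from client_region, or None if no
    site is up (the appliance has nothing usable to answer with).
    1. Disaster recovery: sites reported down by their monitor are never returned.
    2. Site load distribution: sites at or above the load limit are skipped as long
       as at least one healthy site is below it.
    3. Among the remaining sites the nearest one to the client is chosen; if every
       healthy site is over the limit, the least loaded one is used (constructed
       fallback, better than refusing to answer)."""
    healthy = [s for s in sites if s.up]
    if not healthy:
        return None
    below_limit = [s for s in healthy if s.load < load_limit]
    if below_limit:
        chosen = min(below_limit, key=lambda s: s.distance.get(client_region, float("inf")))
    else:
        chosen = min(healthy, key=lambda s: s.load)
    return chosen.vip


# Constructed sites for a quick run: a European and a US data center.
SITES = [
    Site("frankfurt", "192.0.2.10", True, 0.30, {"eu": 1, "us": 6}),
    Site("newyork", "192.0.2.20", True, 0.50, {"eu": 6, "us": 1}),
]

if __name__ == "__main__":
    print("eu client:", gslb_answer(SITES, "eu"))
    print("us client:", gslb_answer(SITES, "us"))
```

Because the redirection happens at name resolution, it only takes effect once the client's cached answer expires; a GSLB answer therefore needs a short TTL or the failover on the slides arrives late for users who already resolved the name.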
Key technologies for application delivery (B2C, B2B, P2P): Availability, Performance, Security. Second pillar: Performance.
• TCP Offload
Frees servers from connection management
• HTTP Compression
Data compression before delivery
• Integrated Caching
NetScaler as a caching instance in the network
• Advanced TCP optimization
Considerably more efficient connections through TCP window scaling, SACK and TCP buffering
• SSL Offload
Takes over the CPU-intensive decryption work from the backend servers
…made possible by the NetScaler full-proxy architecture
TCP Connection Offload
• Interrupts on the server CPUs are reduced
• The server is protected against SYN floods (zombie connection protection)
• Existing TCP connections are reused
• The total number of TCP connections on the server is reduced
Figure: the client completes the SYN / SYN+ACK / ACK handshake with the NetScaler, not with the web server, and sends its GET; the NetScaler forwards the GET over an existing pool of server connections, relays the data back to the client and handles the client's FIN/ACK itself.
Application Templates
• Enable application-oriented NetScaler configuration
• Functions: import, export, create, endpoint definition, match rule per app unit
• Simplification and portability of the configuration for 6 basic functions
• Templates currently available for EasyCall, OWA, SharePoint, SAP NetWeaver, Oracle, generic web app
• http://community.citrix.com/display/ns/AppExpertTemplates
Network Visualizer: graphical network overview with configuration and statistics
Key technologies for application delivery (B2C, B2B, P2P): Availability, Performance, Security. Third pillar: Security.
• Protection at the application layer
Protection against data theft and exploitation of security holes
• DoS defence
DoS protection through the full-proxy architecture; prevention of HTTP DoS attacks
• Filtering, Rewriting and Responder
Granular filtering in the request and the response direction. HTTP content can be modified, answered directly or redirected: NetScaler as "simultaneous interpreter"
• SSL-VPN (AGEE)
Encryption, authentication, authorization and endpoint scan BEFORE admission to the network
Why security for web applications? (figure): web app users reach the web apps and their DATA over the Internet through network firewalls; the attacks shown arriving at the application layer are cross-site scripting, SQL injection, information leakage, HTTP response splitting and path traversal.
82% of all attacks today target application vulnerabilities (Gartner)
Data at risk:
• Financial reports
• Credit card information
• Customer data
• Employee data
• Patient data
• Personal IDs
…
Optimal protection through the NetScaler Web Application Firewall (WAF)
Negative model:
• Fast, active protection against known attacks
• Requires maintenance of signatures
Positive model:
• Protection against zero-day attacks
• Requires learning the application's structures
Optimal protection through the combination of both security approaches
WAF (Web Application Firewall) Hybrid Security Model: hybrid protection against known and unknown attacks, with more than 1200 "on-board" signatures
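The hybrid model in code, as an added Python example for this transcript (not Citrix code and not the NetScaler signature set): a negative model made of a few constructed signatures for the attack classes listed on the "Why security" slide, followed by a positive model made of a constructed, "learned" profile of which URLs and parameter formats the application accepts. The two catch different things: the signatures stop known patterns wherever they appear, the profile stops anything the application was never seen to accept, including attacks no signature describes.

```python
"""Hybrid WAF check: negative model (signatures) in front of a positive model
(learned URL/parameter profile). Added example; not Citrix code. Signatures
and profile are constructed for illustration."""
import re
from typing import Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Negative model: a few constructed signatures (a shipping set has well over a thousand).
SIGNATURES = [
    ("sql_injection", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|--\s*$", re.I)),
    ("xss", re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)),
    ("path_traversal", re.compile(r"\.\./|\.\.\\")),
    ("response_splitting", re.compile(r"[\r\n]")),
]

# Positive model: what a learning phase observed for this (constructed) application,
# allowed URL -> allowed parameter name -> allowed value format.
LEARNED = {
    "/login": {"user": re.compile(r"[a-z0-9_.]{1,32}"), "pw": re.compile(r".{1,128}")},
    "/search": {"q": re.compile(r"[\w .\-]{0,64}")},
}


def check_request(url: str, learned=LEARNED, signatures=SIGNATURES) -> Tuple[str, str]:
    """Return ('block', reason) or ('allow', '') for a request URL (path plus query)."""
    parts = urlsplit(url)
    path = unquote(parts.path)                                  # so %2e%2e%2f is seen as ../
    params = parse_qsl(parts.query, keep_blank_values=True)     # parse_qsl decodes values too
    # 1. Negative model: scan the path, every parameter name and every parameter value.
    for name, pattern in signatures:
        for text in [path, *(k for k, _ in params), *(v for _, v in params)]:
            if pattern.search(text):
                return ("block", f"signature:{name}")
    # 2. Positive model: unknown URL, unknown parameter or value outside the learned format.
    profile = learned.get(path)
    if profile is None:
        return ("block", f"positive:unknown-url:{path}")
    for key, value in params:
        allowed = profile.get(key)
        if allowed is None:
            return ("block", f"positive:unknown-param:{key}")
        if not allowed.fullmatch(value):
            return ("block", f"positive:bad-format:{key}")
    return ("allow", "")


if __name__ == "__main__":
    for u in ["/search?q=netscaler+ipv6", "/search?q=%27+OR+%271%27%3D%271", "/admin",
              "/login?user=alice&pw=x&debug=1"]:
        print(u, "->", check_request(u))
```

The ordering is deliberate: signatures are cheap and give a precise reason for the block, while the profile check is what protects the application on the day a new attack class has no signature yet. The cost of the positive model is visible in the last two cases: a URL or parameter the learning phase never saw is blocked, which is why it needs re-learning whenever the application changes.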
URL Transformation: simplified configuration for rewriting URLs
• Increased security by hiding internal information (comparable to an IP NAT at layer 7)
• Changing or historically grown application URLs become child's play
• The user becomes independent of application changes and infrastructure changes
Figure: internal URLs such as http://AbCo/finance/default.asp, http://mktg/default.asp and http://OldCo/cgi-bin/... are presented externally as www.abco.com/corpinfo/, www.abco.com/products/ and www.abco.com/empl/...
Rewrite: NetScaler as "simultaneous interpreter" in the request direction and the response direction
With the "Rewrite Action Evaluator", testing rewrite configurations becomes child's play…
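The "simultaneous interpreter" in both directions, as an added Python example for this transcript (not Citrix code and not NetScaler rewrite-policy syntax). The internal and public URLs are the slide's; which public path maps to which internal URL is an assumption made for the example. Besides the two rewrite directions it includes the check a practitioner wants after a rewrite: whether any internal host name still leaks in the response, since a Location header or a link the rules do not cover is exactly the layer-7 information the slide says the transformation is meant to hide.

```python
"""Bidirectional URL transformation plus a leak check for internal host names.
Added example; not Citrix code. URL pairs are the slide's, the pairing is assumed."""
import re
from urllib.parse import urlsplit

PUBLIC_HOST = "www.abco.com"
# (public path prefix, internal base URL); pairing assumed for this example
TRANSFORMS = [
    ("/corpinfo/", "http://AbCo/finance/"),
    ("/products/", "http://mktg/"),
    ("/empl/", "http://OldCo/cgi-bin/"),
]
INTERNAL_HOSTS = {urlsplit(internal).netloc.lower() for _, internal in TRANSFORMS}


def rewrite_request(url: str) -> str:
    """Request direction: public URL -> internal URL. The longest matching public
    prefix wins; URLs outside the published prefixes pass through unchanged."""
    parts = urlsplit(url)
    if parts.netloc.lower() != PUBLIC_HOST:
        return url
    for public_prefix, internal in sorted(TRANSFORMS, key=lambda t: -len(t[0])):
        if parts.path.startswith(public_prefix):
            rest = parts.path[len(public_prefix):]
            return internal + rest + ("?" + parts.query if parts.query else "")
    return url


def _internal_pattern(internal: str):
    """Regex for an internal base URL: host names compare case-insensitively, paths do not."""
    p = urlsplit(internal)
    return re.compile("(?i:" + re.escape(p.scheme + "://" + p.netloc) + ")" + re.escape(p.path))


RESPONSE_RULES = [(_internal_pattern(internal), "http://" + PUBLIC_HOST + public)
                  for public, internal in TRANSFORMS]


def rewrite_response(text: str) -> str:
    """Response direction: every internal base URL in headers or body becomes its public form."""
    for pattern, public in RESPONSE_RULES:
        text = pattern.sub(public, text)
    return text


def leaks_internal(text: str) -> set:
    """Post-rewrite check: internal host names still visible in the text. Anything
    returned here is an internal URL the transformation rules do not cover."""
    return {m.group(1).lower() for m in re.finditer(r"https?://([^/\s\"'<>]+)", text)
            if m.group(1).lower() in INTERNAL_HOSTS}


if __name__ == "__main__":
    print(rewrite_request("http://www.abco.com/corpinfo/default.asp"))
    body = '<a href="http://OldCo/cgi-bin/list.pl">staff</a> <a href="http://AbCo/hr/">hr</a>'
    rewritten = rewrite_response(body)
    print(rewritten)
    print("still leaking:", leaks_internal(rewritten))
```

The run above shows the typical gap: the employee link is translated, but the unmapped http://AbCo/hr/ link survives and leaks_internal reports the host. Treating a non-empty result from that check as a test failure for the rewrite configuration is the cheap way to keep the layer-7 "NAT" complete as the application grows.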
NetScaler Performance (chart): throughput scaling from 1 Gbps through 10, 20 and 40 Gbps up to 100 Gbps, plotted against the number of applications served (hundreds of apps / multi-tenancy applications).
NetScaler for All (figure): one platform family covering SMB (ISV), Enterprise, and Service Provider/Telco/Cloud and Internet-centric deployments, with license upgrades between neighbouring models.
Hardware appliances (MPX) and throughput:
MPX 21500: 50 Gb
MPX 19500: 35 Gb
MPX 17500: 20 Gb
MPX 15500: 15 Gb
MPX 12500: 10 Gb
MPX 10500: 6 Gb
MPX 9500: 3 Gb
MPX 7500: 1 Gb
MPX 5500: 500 Mb
Virtual appliances (VPX): VPX 10, VPX 200, VPX 1000, VPX 3000, VPX 8000, VPX 15000
How NetScaler Adds Value to XenApp and XenDesktop
• Huge Scalability
• Secure Access
• High Availability
• DR/BC
• Integrated Web Interface option
• IPv6 to IPv4 translation
Seamless access through Citrix Receiver
Citrix Confidential - Do Not Distribute
•Receiver for Windows
•Receiver for Mac
•Receiver for Linux
•Receiver for iPhone
•Receiver for Android (in development)
•Receiver for Blackberry (in development)
•Receiver for Java
Figure series "Driving Customer Value and Citrix Differentiation": a XenDesktop reference architecture built up over several slides. Remote users, branch offices, home offices and tablets reach the HQ office through a perimeter firewall; in the first build the entry point is a Secure Gateway, in every following build a NetScaler, and each build adds one value label: Secure Access, Strong SLAs, Global Availability, Consolidation. Inside HQ, behind a second firewall: Desktop Delivery Controller, XenDesktop farm on a XenServer resource pool, Active Directory, data store, license server, DHCP and infrastructure, Provisioning Server, XenApp controller, file share, data collector and Web Interface. Virtual desktops 1 to 3 are composed of personalization, applications and OS (Windows XP, Vista, Windows 7) for users A to E.
NetScaler in Database Tier (figure): Internet, web/app tier and DB tier (Microsoft SQL Server). Three approaches are compared: an HTTP ADC (HTTP, TCP connection multiplexing, content switching, high availability), a plain TCP load balancer (simple HA, simple LB), and the NetScaler solution with native SQL support (TDS protocol aware: improved availability, optimal scale-out, connection scale-up; scale up, scale out, high availability). Goals: high availability, scalability, app security, high performance.
NetScaler Benefits
• SQL multiplexing: scale TCP connections, host more DBs per server, reduce the number of SQL licenses
• SQL connection offload: spare memory/CPU, faster query execution
• Native SQL LB: request switching, fast app response
• SQL-aware policies: read/write split, granular control
• Automated IP failover: virtual-IP based, lower-cost HA
• Intelligent monitoring: replication-state aware
Introducing NetScaler SDX
• Instances, not partitions
• Complete CPU isolation
• Complete memory isolation
• Version independence
• High availability independence
• Lifecycle independence
NetScaler MPX 21500: 50 Gb/s on a single VIP. NetScaler SDX 21500: 50 Gb/s across 16 instances, up to 18 Gbps per instance, 8M packets/second.
Citrix Open Cloud
Evolutionary Path Forward to the Cloud
Traditional
Datacenter
• On premise
• High fixed cost
• Full control
• Known security
Public Cloud
• Off premise
• Low utility cost
• Self-service
• Fully elastic
Hybrid
Cloud
• On/off premise
• Low utility cost
• Self-service
• Fully elastic
• Trusted security
• Corporate control
Hybrid cloud model to access and manage resources and data that may live on or off premise (public cloud and private cloud).
Choice of Many Cloud Models: private cloud, hybrid, public cloud apps, public cloud infrastructure, managed cloud.
So … Design for Any-to-Any Hybrid Architectures
OpenCloud Bridge in a NetShell (figure): the traditional datacenter is connected to the hybrid cloud (Network X) over an L2 tunnel or an IPsec tunnel.
Cloud Bridge (NEW!)
Branch Repeater VPX: a truly network-transparent WAN optimization solution that doesn't rely on disruptive tunneling techniques.
NetScaler MPX / VPX: optimizes application availability through advanced L4-7 load balancing and traffic management. Global load balancing improves performance as remote users have their sessions routed to the closest or best performing datacenter.
Figure: IaaS apps, XenApp / XenDesktop, enterprise apps and SaaS apps… with different apps requiring different identities (corporate Active Directory, a private database, a cloud Active Directory). Multiple user databases: difficult to manage.
Figure: clients (iPad, Citrix Web) reach enterprise web applications and SaaS/cloud web applications over the Internet. Callouts: it may be impossible to change this; BYOC makes the desktop tricky; it's expensive to change this; one control point, but where?; sometimes the desktop can't be changed, especially when standards… aren't.
OpenCloud Access (figure): corporate enterprise web applications and SaaS/cloud web applications are reached remotely through an SSL-VPN authenticated against the corporate Active Directory. One identity, many applications.
Citrix Open Cloud Access