Whitehat Virtual Blog

Discover best practices, product information, and IT tips that you can use to help your business.

What does a Citrix NetScaler Actually do?

Val King
Posted by Val King on Feb 12, 2017 8:52:23 PM

In 2005 it was estimated that 75% of all Internet traffic passed through a NetScaler every day, but that has done nothing to help the confusion the average person has understanding what NetScaler's actually do from then until now.

At a high level, Citrix NetScaler’s have become a huge part of Citrix’s business by helping customers do three big things. 

1. Cut the cost of delivering applications by reducing the number of servers required to serve a given number of end users.

2. Cut Internet bandwidth costs by reducing web application bandwidth requirements through web traffic optimization.

3. Improve security and resiliency.

At its most basic, a Citrix NetScaler is an Application Delivery Controller.  If you are like most, that bit of information is not helpful in understanding what a NetScaler actually does.  Even among those that know and work with Citrix NetScaler, the most common way it is described is as a Swiss Army knife.  Still not very helpful if you just want to know what the thing does.NetScaler.png

A NetScaler is...

1. A Load Balancer

Load balancing is an effective tool for sharing a workload or providing system resiliency.  Load balancing is just what it sounds like, taking a single workload (serving up email, webpages, etc.) and dividing that work up among more than one server to either improve performance, making sure no one server is overloaded, or to provide resiliency, making sure your email or the webpage you want to visit is still there if one server fails.

2. A Server Health Monitor

If we are load balancing application traffic to make sure each end user gets the best experience, we need to know how healthy the servers are that we are balancing the traffic for.  If one of the servers is not healthy, we want our Application Delivery Controller to be smart enough to limit or suspend the traffic it sends that server so the person at the other end making the request has a good experience.

3. A Middleman Offloading TCP Connections (TCP Multiplexing) from Application Servers

Surfing the web is hard, if you are the devices making all of the connections to the web pages you want to see and then subsequently breaking those connections when you move on to the next page.  All of this connecting and disconnecting adds overhead which can show up as delay and slowness to the person making the request.  TCP Multiplexing lets a NetScaler make a quick check to see if it has an existing connection can be used instead of creating a brand new connection each time.  The ADC can act as the middle man, taking care to both answer the request from the person and not overwhelm the server containing the information.  The result is a better user experience and getting more performance from each application server, reducing hardware costs.

Explaining TCP Multiplexing.png

4. A Middleman Offloading the Wrapping/Unwrapping of Secure Traffic (SSL Offload) from App. Servers

When you send something securely, each little packet of information has to be wrapped up in a special package and encrypted before it goes across the Internet.  When each little packet of information arrives at its destination, it has to be unwrapped and delivered to the person making the request.  All of this wrapping and unwrapping takes a considerable amount of time and resources to execute.  By moving this functionality to the Application Delivery Controller (ADC) we reduce the burden on the servers, freeing them up to churn out more data and again giving them more capacity potentially reducing the number of servers needed for the task..

5. A Middleman Centralizing & Offloading User Authentication from Application Servers

In another effort to offload any task from servers that introduce overhead and risk negatively impacting the end user experience, ADC’s can manage all user authentication.  The ADC becomes responsible for verifying proper authorized authentication instead of the application server.  This allows the application servers to do what they do best, deliver applications.

6. Capable of Improving Application Performance

The concept is a simple one.  What is between an end user typing in whitehatvirtual.com in their browser and the actual web server holding the Whitehatvirtual.com website is essentially a really long wire.  Not actually, but for practical purposes this is a great way to think about it.

Think of this wire as a water hose with the spigot wide open, pushing out as much water as possible.  If you want more water, you either have to buy a bigger water hose or somehow compress the water so you can fit more in the hose at one time.

Forgive the simple analogy, but NetScaler’s improve application performance in a similar way.  Compress the web traffic to get more data in the wire, use Caching to store some frequently used data (or a water tank/bottles of water in this analogy) near the end user.  Data requested frequently can be stored locally, or cached, so that when you request the data it can come from this reserve instead of having to send the same data down the wire again, slowing other requests down.

7. Is a Global Server Load Balancer (GSLB)

Global Server Load Balancing (GSLB) is a fancy way of saying that applications can be load balanced across multiple data centers across any geography, so that if something goes stupid in one location, the applications, data, etc. will be immediately available from a different location behind the curtain.  End users might notice a slight pause, but will by-in-large have no idea what massive transition has happened behind the scenes.

8. Prevents Distributed Denial of Service (DDoS) Attacks

Distributed Denial of Service (DDoS) attacks are web attacks that try to flood servers with traffic to the point that they can no longer respond and thus have to deny requests for access.

Application Delivery Controllers like NetScaler handle the DDoS attack before it can reach the targeted servers, preventing the servers from going offline or reporting errors.

9. A Web Application Firewall (WAF)

This is another defensive feature designed to prevent some very specialized types of attacks. 

Two Examples:
1. Cross-site scripting (XSS) attacks inject malicious scripts into legitimate websites & applications.  One example of this could be a virus injected into an ad on a legitimate news website like CNN, Fox, etc. that is activated when someone clicks on the ad.

2. Cookie Poisoning attacks compromise a cookie stored in a web browser so an attacker can gain personal information about the end user for any number of nefarious activities, including identity theft.

10. An Appliance that Provides Multi-Tenancy Support for Service Providers

Service Providers by definition offer their applications and other capabilities to many different customers simultaneously.  NetScaler ADCs understand the concept and satisfy this need by being able to provide additional Virtual Application Delivery Controllers  (vADC’s) configured within the appliance, effectively walling off one customer from another or allow Service Providers to segment their products to as it makes sense for their business.  Large organizations in some cases have this same need to have unique workloads segmented for different constituencies in the organization.

Today, Citrix NetScaler ADC’s can have as many as 115 virtual Application Delivery Controllers running within one physical appliance.

NetScaler’s are available in either a hardware or software-based appliance. Hardware options include single and multi-tenant appliances.  NetScaler’s are FIPS compliant and high SSL appliances. Software-based options include virtual hypervisor-based and containerized micro service offerings.

Hopefully this has helped give you a basic understanding of what NetScaler ADC’s actually do.

Have more questions? 
Get In Touch with Us

Topics: Citrix, Tools and Technology, NetScaler