Citrix Netscaler (ADC) – What else can it do?
Author: Mike Cleghorn
Solutions Architect – Dienst Consulting
12th November 2018
In this blog post I want to talk about something I’ve discussed informally with a number of customers over the last little while: what else can I do with NetScaler?
I’ve been working with NetScaler (now Citrix ADC) since it was a new Citrix product called Citrix Access Gateway. The CAG UI was clunky and hard to use but it concealed an incredibly powerful tool. While the UI has improved and is now much easier to figure out, that hidden power remains. For many of us, the role that the Citrix ADC plays is still very much that of the original CAG, as a secure gateway to our App and Desktop Virtualisation. Perhaps a little load balancing if we’re feeling clever. What I’d like to talk about today is all the hidden power of the Citrix ADC, with some slight deviation into some of the other Citrix Networking products, and what else can we do with a NetScaler?
Let’s start with the easy ones: SSL Offload, Content Switching and Global Server Load Balancing. These are all features literally listed in the brochure, but people are still unaware of them or unsure about how or where to implement them.
SSL Offload is a great way to reduce load on web servers. When I say “web server”, the first thing that pops into my head is the headline MyCompany.com public web page, but in fact “web server” describes a lot of applications in the modern tech environment. Most third party apps that don’t have a fat client to be rolled out to desktops (and even some which do) run some kind of web service. Even Outlook/Exchange these days is almost entirely HTTP/S behind the scenes if you run an out-of-the-box configuration. For those third party apps, certificate management is often an afterthought at best and non-existent at worst, so you end up hacking SSL/TLS support in after the fact. By offloading SSL onto the NetScaler, you get a known quantity in terms of certificate installation and management. You can install your public or internal secure certificates quickly and easily, knowing that your client/NetScaler connectivity is secure whether the user is internal to your network or coming in across the Internet. Whatever shady shenanigans you have to do on the back-end, you can limit the exposure to a well controlled and defined network segment.
Content Switching can be used in a similar situation. Who has rolled a web application into production with a /test/ in the URL? Or more seriously, who has found a web app that publishes its name proudly somewhere in the URL for all to see/exploit? The most trivial Content Switching virtual server can hide both of these sins from users internal and external. Also, providing an abstraction between application.mycompany.com and secretinternalservername.internaldomainname not only obscures internal structural information you might not like to be inadvertently sharing but also provides a simple point of configuration for server changeover during upgrades or replacement.
GSLB is an incredibly useful tool that solves some intractable problems. The key is probably Data Centre HA/DR. It’s all well and good to have a failover Data Centre, but the last thing you want to be doing in the wake of an event significant enough to unexpectedly remove a Data Centre from your IT landscape is calling EVERY SINGLE EMPLOYEE and explaining to them the series of workarounds required to get them working from a new location. GSLB uses DNS to transparently fail over services due to outage or high load conditions, so nothing needs to change for your users or customers. If you’re in a position to be able to use georedundancy, GSLB allows users to connect to the nearest location to give the best performance (assuming you have infrastructure in each location to support local users). Even East/West coast (which would also work for on-prem west/Azure, for example) can see an improvement using their nearest PoP.
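The SSL Offload and Content Switching arrangement described above, sketched as Citrix ADC CLI configuration. This is an added example, not configuration from the original post: the object names, IP addresses and certificate file names are assumptions chosen for illustration, and only application.mycompany.com comes from the text.

```text
# Added example: hypothetical names, addresses and certificate files.

# Back-end: the internal server, reached over plain HTTP on a controlled
# segment. Its real name and address never appear to clients.
add server srv_app01 10.0.10.21
add service svc_app01_http srv_app01 HTTP 80
add lb vserver lb_app_http HTTP 0.0.0.0 0
bind lb vserver lb_app_http svc_app01_http

# Holding page for requests that match no content switching policy.
add server srv_holding 10.0.10.30
add service svc_holding_http srv_holding HTTP 80
add lb vserver lb_holding_http HTTP 0.0.0.0 0
bind lb vserver lb_holding_http svc_holding_http

# Front end: TLS terminates on the ADC, so the certificate is installed
# and renewed in one place instead of inside each third party app.
add ssl certKey ck_application -cert application.mycompany.com.pem -key application.mycompany.com.key
add cs vserver cs_public_443 SSL 203.0.113.10 443
bind ssl vserver cs_public_443 -certkeyName ck_application

# Content switching: route by the public hostname only.
add cs action act_app -targetLBVserver lb_app_http
add cs policy pol_app -rule "HTTP.REQ.HOSTNAME.EQ(\"application.mycompany.com\")" -action act_app
bind cs vserver cs_public_443 -policyName pol_app -priority 100

# Anything else goes to the holding page rather than to an internal app.
bind cs vserver cs_public_443 -lbvserver lb_holding_http
```

With this layout a server changeover is a change to the services bound to lb_app_http, while the public name, address and certificate stay as they are. The hop from the ADC to the back-end is unencrypted here, which is why that segment needs to be tightly scoped.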
So those are the easy ones, features of the Citrix ADC that are pretty core but that you might not have thought about. Now we start to get tricky.
Did you know that you can use the Citrix ADC as a SAML IdP? “You can use it as a what?” I hear you ask. SAML (and OAuth, which the ADC also supports) is a way to provide a single point of authentication for multiple authentication consumers. It’s a way to implement a Single Sign-On mechanism for things that might not support (for example) clean Active Directory SSO integration. If you have a number of web apps or portals that don’t or can’t do SSO with AD, you can use the Citrix ADC as a single point of authentication. This also means that you can leverage nFactor authentication to apply multiple different layers of authentication depending on location, end-point analysis or user role, and so authenticate users to all internal web apps in a single authentication interaction. If you combine this with the Citrix Workspace features which link your Cloud SaaS apps, you can have a true single point of auth for all your apps, even those intransigent internal apps.
Conversely, if you’re already utilising some of the Cloud provided authentication services, like Azure AD, you can configure your Citrix ADC as a SAML SP and consume external authentication tokens. If you’ve consolidated all your SaaS app authentication using a single Azure login, for example, you can make your on-premises Citrix ADC just another link on the home page and enable users to open their virtual desktop or apps without having to log in all over again.
Did you know that the Citrix ADC has a bunch of application firewall features built in? There are even Citrix KB articles about how to configure your ADC to combat the OWASP Top 10. When you combine the WAF functionality of Citrix ADC with the Content Switching capabilities, there is a huge amount of power given into your hands to do conditional content delivery, cookie management and security based filtering.
Finally, the Citrix ADC platform has its own extension language. Unless you’re a Citrix networking guru it’s likely you didn’t know about this one. If you find you don’t have quite the right policy, or you’re passing authentication data off that isn’t in quite the right format or you need a protocol extension that isn’t supported, there is a scripting language available to be used to create your own. This is not something to be entered into lightly but the capability exists if you need it.
So hopefully there’s something there that you didn’t know about Citrix Networking. If something has piqued your interest, please reach out to the team at Dienst Consulting and we’d be happy to discuss these features and how they can be used in your network.
We look forward to hearing from you.