How NetScaler Insight Center is Deployed in a Network

May 04, 2017

NetScaler Insight Center monitors NetScaler ADCs when these appliances are deployed in transparent mode. It monitors NetScaler Gateway appliances when these appliances are deployed in single-hop mode or double-hop mode. Currently, in a CloudBridge deployment, NetScaler Insight Center does not monitor branch office traffic.

NetScaler Insight Center in a NetScaler ADC Transparent Mode

When a NetScaler ADC is deployed in transparent mode, the clients can access the servers directly, with no intervening virtual server. The user is local to the server, and no NetScaler Gateway is used. That is, the ICA traffic is not transmitted over a VPN.

The following figure shows the network deployment of a NetScaler Insight Center when a NetScaler ADC is deployed in a transparent mode:
Figure 1. NetScaler Insight Center deployed in Transparent Mode


The NetScaler ADC resides between the clients and the servers. Typically, the NetScaler Insight Center and NetScaler ADC reside on the same subnet.

To monitor NetScaler ADCs deployed in this mode, you must add NetScaler Insight Center as an AppFlow collector on each NetScaler ADC, configure an AppFlow policy to collect all or specific ICA traffic that flows through the ADC, and then view the reports on the NetScaler Insight Center dashboard. For details, see Enabling Data Collection for Monitoring NetScaler ADCs Deployed in Transparent Mode.

NetScaler Insight Center in a NetScaler Gateway Single-Hop Mode

Updated: 2015-05-14

When NetScaler Gateway is deployed in single-hop mode, the NetScaler Gateway is at the edge of the network and proxies ICA connections to the desktop delivery infrastructure. This is the simplest and most common deployment. This mode provides security if an external user tries to access the internal network in an organization.

For more details, see Deploying NetScaler Gateway in the DMZ.

The following figure shows the network deployment of a NetScaler Insight Center when a NetScaler Gateway is deployed in a single-hop mode:
Figure 2. NetScaler Insight Center deployed in single-hop mode


In this mode, users access the NetScaler ADCs through a virtual private network (VPN). The setup requires two firewalls and a NetScaler Gateway to be deployed in a demilitarized zone (DMZ) to secure access to the XenApp or XenDesktop environments. The NetScaler Gateway and the NetScaler Insight Center reside in the same subnet.

To monitor NetScaler Gateway appliances deployed in this mode, you must first add the NetScaler Gateway to the NetScaler Insight Center inventory, enable AppFlow on NetScaler Insight Center, and then view the reports on the NetScaler Insight Center dashboard.

NetScaler Insight Center in a NetScaler Gateway Double-Hop Mode

Updated: 2015-05-14

The NetScaler Gateway double-hop mode provides additional protection to an organization's internal network because an attacker would need to penetrate multiple security zones or demilitarized zones (DMZs) to reach the servers in the secure network.

For more details about double-hop mode, see Deploying NetScaler Gateway in a Double-Hop DMZ.

If you want to analyze the number of hops (NetScaler Gateway appliances) through which the ICA connections pass, and also the latency on each TCP connection and how it fares against the total ICA latency perceived by the client, you must install NetScaler Insight Center so that the NetScaler Gateway appliances report these vital statistics.

The following image illustrates the network deployment of a NetScaler Insight Center in a NetScaler Gateway double-hop setup.
Figure 3. NetScaler Insight Center deployed in double-hop mode


The NetScaler Gateway in the first DMZ handles user connections and performs the security functions of an SSL VPN. This NetScaler Gateway encrypts user connections, determines how the users are authenticated, and controls access to the servers in the internal network.

The NetScaler Gateway in the second DMZ serves as a NetScaler Gateway proxy device. This NetScaler Gateway enables the ICA traffic to traverse the second DMZ to complete user connections to the server farm.

The NetScaler Insight Center can be deployed either in the subnet belonging to the NetScaler Gateway appliance in the first DMZ or in the subnet belonging to the NetScaler Gateway appliance in the second DMZ.

In the above image, the NetScaler Insight Center and NetScaler Gateway in the first DMZ are deployed in the same subnet.

How NetScaler Insight Center Collects Statistics in a NetScaler Gateway Double-Hop Mode

In a double-hop mode, NetScaler Insight Center collects TCP records from one appliance and ICA records from the other appliance.

After you add the NetScaler Gateway appliances to the NetScaler Insight Center inventory and enable data collection, each of the appliances exports the reports by keeping track of the hop count and connection chain ID.

For NetScaler Insight Center to identify which appliance is exporting records, each appliance is specified with a hop count and each connection is specified with a connection chain ID. Hop count represents the number of NetScaler Gateway appliances through which the traffic flows from a client to the servers. The connection chain ID represents the end-to-end connections between the client and server.

NetScaler Insight Center uses the hop count and connection chain ID to correlate the data from both the NetScaler Gateway appliances and generates the reports.

To monitor NetScaler Gateway appliances deployed in this mode, you must first add the NetScaler Gateway to the NetScaler Insight Center inventory, enable AppFlow on NetScaler Insight Center, and then view the reports on the NetScaler Insight Center dashboard.

NetScaler Insight Center in a NetScaler LAN User Mode

External users who access XenApp or XenDesktop applications must authenticate themselves on the NetScaler Gateway. Internal users, however, might not need to be redirected to the NetScaler Gateway. Also, in a transparent mode deployment, the administrator must manually apply the routing policies so that the requests are redirected to the NetScaler appliance.

To overcome these challenges, and for LAN users to directly connect to XenApp and XenDesktop applications, you can deploy the NetScaler appliance in a LAN user mode by configuring a cache redirection virtual server, which acts as a SOCKS proxy on the NetScaler Gateway appliance.

The following figure shows the network deployment of a NetScaler Insight Center virtual appliance when a NetScaler appliance is deployed in LAN user mode:
Figure 4. NetScaler Insight Center deployed in LAN User Mode


NetScaler Insight Center and NetScaler Gateway appliance reside in the same subnet.

To monitor NetScaler appliances deployed in this mode, first add the NetScaler appliance to the NetScaler Insight Center inventory, enable AppFlow, and then view the reports on the dashboard.

NetScaler Insight Center in a CloudBridge Setup

CloudBridge appliances optimize WAN links and give users maximum responsiveness and throughput at any distance. NetScaler Insight Center monitors the traffic flowing through the CloudBridge appliances deployed at the datacenter, and provides key insights into the WAN user experience.

To accelerate traffic over the link, CloudBridge appliances work in pairs, one at the datacenter and the other at the branch office. NetScaler Insight Center is deployed in the datacenter to monitor datacenter CloudBridge appliances.

The following figure shows the network deployment of a NetScaler Insight Center when CloudBridge appliances are deployed in between a client and a server:
Figure 5. Network Deployment of NetScaler Insight Center monitoring CloudBridge Datacenter appliance


In this setup, you must add both the branch appliance and the datacenter appliance to the NetScaler Insight Center inventory, and enable AppFlow for ICA traffic on the datacenter appliance.

Figure 6. Network Deployment of NetScaler Insight Center Monitoring a CloudBridge Datacenter Appliance and a CloudBridge Branch Appliance


In this setup, you must add both the branch appliance and the datacenter appliance to the NetScaler Insight Center inventory, enable AppFlow for ICA traffic on the branch appliance, and enable AppFlow for TCP, ICA, and WAN traffic on the datacenter appliance.

Figure 7. Network Deployment of NetScaler Insight Center Monitoring CloudBridge Plug-ins


In this setup, you must add both the branch appliance and the datacenter appliance to the NetScaler Insight Center inventory, enable AppFlow for ICA traffic on the branch appliance, and enable AppFlow for TCP, ICA, and WAN traffic on the datacenter appliance.

NetScaler Insight Center in a Multi-Hop Setup

To accelerate the ICA proxy mode in NetScaler Gateway, you must configure and deploy the CloudBridge appliance.

In this setup, you must add the branch CloudBridge appliance, the datacenter CloudBridge appliance and the NetScaler Gateway appliance(s) to the NetScaler Insight Center inventory.

After you add the appliances to the NetScaler Insight Center inventory and enable data collection, each of the appliances exports the reports by keeping track of the hop count and connection chain ID.

For NetScaler Insight Center to identify which appliance is exporting records, each appliance is specified in terms of hop count and each connection is specified with a connection chain ID. Hop count represents the number of appliances through which the traffic flows from a client to the servers. The connection chain ID represents the end-to-end connections between the client and server.

NetScaler Insight Center uses the hop count and connection chain ID to correlate the data from the appliances and generates the reports.

You must enable connection chaining on the CloudBridge appliances to correlate the data from the appliances. For details, see

Figure 8. Network Deployment of NetScaler Insight Center monitoring CloudBridge Datacenter appliances and NetScaler Gateway appliance deployed in Single-Hop mode


In this setup, first add the branch appliance, datacenter appliance, and NetScaler Gateway appliance to the NetScaler Insight Center inventory. Enable AppFlow for ICA traffic on the branch appliance. On the datacenter CloudBridge appliance, enable AppFlow for TCP, ICA, and WAN traffic. On the NetScaler Gateway appliance, enable AppFlow for ICA traffic. For details, see Enabling Data Collection for Monitoring CloudBridge Appliances and NetScaler Gateway Appliances in Single-Hop Mode.

Figure 9. Network Deployment of NetScaler Insight Center monitoring CloudBridge Datacenter appliances and NetScaler Gateway deployed in Double-Hop mode


In this setup, you must add both the branch appliance and the datacenter appliance to the NetScaler Insight Center inventory. Enable AppFlow for ICA on the branch appliance. On the datacenter CloudBridge appliance, enable AppFlow for TCP, ICA, and WAN traffic. On one of the NetScaler Gateway appliances, enable AppFlow for ICA, and enable AppFlow for TCP traffic on the other NetScaler Gateway appliance. For details, see Enabling Data Collection for Monitoring CloudBridge Appliances and NetScaler Gateway Appliances in Double-Hop Mode.

NetScaler Insight Center in a NetScaler Gateway Multi-Hop Mode

With the multi-hop feature of NetScaler Insight Center, you can analyze the number of hops (NetScaler appliances, NetScaler Gateway appliances, or CloudBridge appliances) through which your ICA connections pass. You can also analyze the latency on each TCP connection and how it compares to the total ICA latency perceived by the client.

The following image illustrates the network deployment of a NetScaler Insight Center in a NetScaler Gateway multi-hop setup.
Figure 10. NetScaler Insight Center deployed in Multi-Hop Mode


In this type of setup, you must enable the multi-hop feature on NetScaler Insight Center, enable AppFlow on the NetScaler appliances, and enable connection chaining. Enabling the multi-hop feature is straightforward:

On the Configuration tab, click System. Then, in the right pane, click Configure Multi-Hop, and select the Multi-Hop check box.

However, if you enable NetScaler Insight Center to start collecting the ICA details from all the appliances, the collected details are redundant. All the appliances report the same metrics. To overcome this situation, you must enable AppFlow for ICA on one of the NetScaler Gateway appliances (preferably, the first appliance), and then enable AppFlow for TCP on the other appliances. One appliance then exports ICA AppFlow records, and the others export TCP AppFlow records. This also saves time in parsing the ICA traffic.
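The correlation by hop count and connection chain ID described above, together with the one-ICA-exporter rule, sketched as an added example that is not Citrix code. The record layout, field names, appliance names and values are constructed for illustration and are not the AppFlow template fields.

```python
from collections import defaultdict

# Constructed sample records; field names are hypothetical, not AppFlow template names.
RECORDS = [
    {"appliance": "gw-dmz1", "hop": 1, "chain_id": "c-100", "type": "ICA", "latency_ms": 48},
    {"appliance": "gw-dmz2", "hop": 2, "chain_id": "c-100", "type": "TCP", "latency_ms": 12},
    {"appliance": "adc-lan", "hop": 3, "chain_id": "c-100", "type": "TCP", "latency_ms": 5},
    # Chain where two appliances export ICA records (the redundant case).
    {"appliance": "gw-dmz1", "hop": 1, "chain_id": "c-200", "type": "ICA", "latency_ms": 60},
    {"appliance": "gw-dmz2", "hop": 2, "chain_id": "c-200", "type": "ICA", "latency_ms": 60},
    # Chain with no record from hop 2 (an appliance on the path is not exporting).
    {"appliance": "gw-dmz1", "hop": 1, "chain_id": "c-300", "type": "ICA", "latency_ms": 40},
    {"appliance": "adc-lan", "hop": 3, "chain_id": "c-300", "type": "TCP", "latency_ms": 7},
]

def correlate(records):
    """Group records by connection chain ID and order each chain by hop count."""
    chains = defaultdict(list)
    for rec in records:
        chains[rec["chain_id"]].append(rec)
    report = {}
    for chain_id, recs in chains.items():
        recs.sort(key=lambda r: r["hop"])
        hops = [r["hop"] for r in recs]
        ica = [r for r in recs if r["type"] == "ICA"]
        tcp = [r for r in recs if r["type"] == "TCP"]
        issues = []
        if len(ica) > 1:  # more than one appliance parsing and exporting ICA
            issues.append("redundant ICA export: " + ", ".join(r["appliance"] for r in ica))
        if not ica:
            issues.append("no ICA exporter")
        # Hops are numbered from the client side, so any gap is a silent appliance.
        missing = sorted(set(range(1, max(hops) + 1)) - set(hops))
        if missing:
            issues.append("no record from hop(s) " + ", ".join(map(str, missing)))
        report[chain_id] = {
            "hop_count": max(hops),
            "path": [r["appliance"] for r in recs],
            "ica_latency_ms": ica[0]["latency_ms"] if ica else None,
            "tcp_latency_ms": {r["appliance"]: r["latency_ms"] for r in tcp},
            "issues": issues,
        }
    return report

if __name__ == "__main__":
    for chain_id, row in correlate(RECORDS).items():
        print(chain_id, row)
```

A chain with an empty issues list has exactly one ICA exporter and a TCP record from every other hop, which is the configuration this section recommends.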

To enable data collection on the first and second NetScaler Gateway appliances, see Enabling Data Collection for NetScaler Gateway Appliances Deployed in Double-Hop Mode.

To enable data collection on the third NetScaler appliance, see Enabling Data Collection for Monitoring NetScaler ADCs Deployed in Transparent Mode.

To enable connection chaining on all the NetScaler and NetScaler Gateway appliances in the network, type:
set appFlow param -connectionChaining ENABLED
Note: If you are accessing the XenApp or XenDesktop application through the third NetScaler appliance (third hop), then enable AppFlow for ICA on that NetScaler appliance.