Getting started with Citrix ADC

Intended for system and network administrators who install and configure complex networking equipment, this section of the library describes initial set-up and basic configuration of the Citrix ADC.

Understanding the Citrix ADC

The Citrix ADC product is an application switch that performs application-specific traffic analysis to intelligently distribute, optimize, and secure Layer 4-Layer 7 (L4–L7) network traffic for web applications. For example, a Citrix ADC bases load balancing decisions on individual HTTP requests instead of on long-lived TCP connections, so that the failure or slowdown of a server is managed much more quickly and with less disruption to clients. The ADC feature set can be broadly categorized as consisting of switching features, security and protection features, and server-farm optimization features.

Switching features

When deployed in front of application servers, a Citrix ADC ensures optimal distribution of traffic by the way in which it directs client requests. Administrators can segment application traffic according to information in the body of an HTTP or TCP request, and on the basis of L4–L7 header information such as URL, application data type, or cookie. Numerous load balancing algorithms and extensive server health checks improve application availability by ensuring that client requests are directed to the appropriate servers.

Security and protection features

The Citrix ADC security and protection features protect web applications from Application Layer attacks. An ADC appliance allows legitimate client requests and can block malicious requests. It provides built-in defenses against denial-of-service (DoS) attacks and supports features that protect against legitimate surges in application traffic that would otherwise overwhelm the servers. An available built-in firewall protects web applications from Application Layer attacks, including buffer overflow exploits, SQL injection attempts, cross-site scripting attacks, and more. In addition, the firewall provides identity theft protection by securing confidential corporate information and sensitive customer data.

Optimization features

Optimization features offload resource-intensive operations, such as Secure Sockets Layer (SSL) processing, data compression, client keep-alive, TCP buffering, and the caching of static and dynamic content from servers. This improves the performance of the servers in the server farm and therefore speeds up applications. An ADC appliance supports several transparent TCP optimizations, which mitigate problems caused by high latency and congested network links, accelerating the delivery of applications while requiring no configuration changes to clients or servers.

Understanding policies and expressions

A policy defines specific details of traffic filtering and management on a Citrix ADC. It consists of two parts: the expression and the action. The expression defines the types of requests that the policy matches. The action tells the ADC appliance what to do when a request matches the expression. As an example, the expression might be to match a specific URL pattern to a type of security attack, with the action being to drop or reset the connection. Each policy has a priority, and the priorities determine the order in which the policies are evaluated.

When an ADC appliance receives traffic, the appropriate policy list determines how to process the traffic. Each policy on the list contains one or more expressions, which together define the criteria that a connection must meet to match the policy.

For all policy types except Rewrite policies, a Citrix ADC appliance implements only the first policy that a request matches, not any additional policies that it might also match. For Rewrite policies, the ADC appliance evaluates the policies in order and, in the case of multiple matches, performs the associated actions in that order. Policy priority is important for getting the results you want.

Processing order of features

Depending on requirements, you can choose to configure multiple features. For example, you might choose to configure both compression and SSL offload. As a result, an outgoing packet might be compressed and then encrypted before being sent to the client.

The following figure shows the DataStream packet flow in the Citrix ADC appliance. DataStream is supported for MySQL and MS SQL databases. For information about the DataStream feature, see DataStream.

Figure 2. DataStream Packet Flow Diagram

Note: If the traffic is for a content switching virtual server, the appliance evaluates policies in the following order:

  1. Policies bound to global override.
  2. Policies bound to the load balancing virtual server.
  3. Policies bound to the content switching virtual server.
  4. Policies bound to global default.

This way, if a policy rule is true and its gotoPriorityExpression is END, further policy evaluation stops. In the case of content switching, if no load balancing virtual server is selected by the content switching policy and no load balancing virtual server is bound to the content switching virtual server, the appliance evaluates responder policies bound only to the content switching virtual server.
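
The evaluation rules from "Understanding policies and expressions" and the bind-point order in the note above can be checked with a small model. This is an added example, not Citrix code: the `Policy` class, `evaluate` function, bind-point keys, policy names and action labels are all assumptions made for illustration, and the model covers only first-match versus Rewrite behaviour, priority order and END.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Policy:
    name: str
    priority: int                  # lower number is evaluated first
    rule: Callable[[dict], bool]   # stands in for the policy expression
    action: str                    # label only, not executed
    goto: str = "END"              # gotoPriorityExpression: "END" or "NEXT"

# Bind points in the order the note gives for content switching traffic.
BIND_ORDER = ["global_override", "lb_vserver", "cs_vserver", "global_default"]

def evaluate(bindings, request, rewrite=False):
    """Return [(bind_point, policy_name, action)] applied to the request."""
    applied = []
    for point in BIND_ORDER:
        for pol in sorted(bindings.get(point, []), key=lambda p: p.priority):
            if not pol.rule(request):
                continue
            applied.append((point, pol.name, pol.action))
            # Non-Rewrite types act on the first match only; Rewrite keeps
            # going until a matching policy's goto expression is END.
            if not rewrite or pol.goto == "END":
                return applied
    return applied

def is_admin(req): return req["url"].startswith("/admin")
def any_url(req): return req["url"].startswith("/")

# Constructed sample: a broad policy at priority 100 shadows the block at 200.
SHADOWED = {"lb_vserver": [Policy("allow_site", 100, any_url, "NOOP"),
                           Policy("block_admin", 200, is_admin, "DROP")]}
# Same policies with the block moved ahead of the broad match.
FIXED = {"lb_vserver": [Policy("allow_site", 100, any_url, "NOOP"),
                        Policy("block_admin", 50, is_admin, "DROP")]}
# Constructed Rewrite bindings: NEXT lets the second match also apply.
REWRITES = {"cs_vserver": [Policy("add_hsts", 10, any_url, "INSERT_HEADER", "NEXT"),
                           Policy("strip_server", 20, any_url, "DELETE_HEADER", "END")]}

if __name__ == "__main__":
    req = {"url": "/admin/login"}
    for label, b, rw in [("shadowed", SHADOWED, False), ("fixed", FIXED, False),
                         ("rewrite", REWRITES, True)]:
        print(label, evaluate(b, req, rewrite=rw))
```

The shadowed case is the one to look for when reviewing bindings: a protective policy with a higher priority number than a broader matching policy at the same bind point never takes effect for non-Rewrite policy types.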