Application Firewall Support for Cluster Configurations

Jan 28, 2011

Note: Application firewall support for striped and partially striped configurations was introduced in NetScaler release 11.0.

A cluster is a group of NetScaler appliances that are configured and managed as a single system. Each appliance in the cluster is called a node. Depending on how many nodes a configuration is active on, cluster configurations are referred to as striped (active on all nodes), partially striped (active on a subset of nodes), or spotted (active on a single node) configurations. The application firewall is fully supported in all three.

The two main advantages of striped and partially striped virtual server support in cluster configurations are the following:

  1. Session failover support—Striped and partially striped virtual server configurations support session failover. The advanced application firewall security features, such as Start URL Closure and the Form Field Consistency check, maintain and use sessions during transaction processing. In ordinary high availability configurations, or in spotted cluster configurations, when the node that is processing the application firewall traffic fails, all the session information is lost and the user has to reestablish the session. In striped virtual server configurations, user sessions are replicated across multiple nodes. If a node goes down, a node running the replica becomes the owner. Session information is maintained without any visible impact to the user.
  2. Scalability—Any node in the cluster can process the traffic. Multiple nodes of the cluster can process the incoming requests served by the striped virtual server. This improves the application firewall’s ability to handle multiple simultaneous requests, thereby improving the overall performance.

Security checks and signature protections can be deployed without any additional cluster-specific application firewall configuration. You perform the usual application firewall configuration on the configuration coordinator (CCO) node, and it is propagated to all the nodes.

Cluster details are available at http://support.citrix.com/proddocs/topic/ns-system-11-map/ns-cluster-home-con.html.

Note: The session information is replicated across multiple nodes, but not across all the nodes in the striped configuration. Therefore, failover support accommodates a limited number of simultaneous failures. If multiple nodes fail simultaneously, the application firewall might lose the session information if a failure occurs before the session is replicated on another node.
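The failover behaviour described in the session failover bullet and the note above (an owner fails, a replica takes over; the session is lost only when every node holding a copy has failed) is easier to reason about with a small model. The following is an added, constructed illustration, not NetScaler's DHT implementation or any code from the documentation: a toy session table with a configurable replication factor, hypothetical node names, and a simplified ring placement that stands in for the real hashing scheme.

```python
import hashlib


class StripedSessionStore:
    """Toy model of session replication in a striped cluster (constructed
    illustration, not NetScaler's DHT implementation).

    Each session is held by `replicas` consecutive live nodes on a ring.
    The first live holder is the session owner; if it fails, the next
    replica takes over. The session is lost only when every holder has
    failed, which is the failure mode the note above describes."""

    def __init__(self, nodes, replicas):
        if replicas < 1 or replicas > len(nodes):
            raise ValueError("replicas must be between 1 and the node count")
        self.nodes = list(nodes)
        self.replicas = replicas
        self.failed = set()
        self.sessions = {}  # session_id -> list of holder nodes (owner first)

    def _ring_order(self, session_id, start=None):
        # Deterministic placement: hash the id to a start index, then walk the ring.
        # (Simplified stand-in for the real placement scheme; `start` lets a
        # caller force a position for illustration.)
        if start is None:
            digest = hashlib.sha256(session_id.encode()).digest()
            start = int.from_bytes(digest[:4], "big") % len(self.nodes)
        n = len(self.nodes)
        return [self.nodes[(start + i) % n] for i in range(n)]

    def create(self, session_id, start=None):
        """Create a session and replicate it to `replicas` live nodes."""
        live = [n for n in self._ring_order(session_id, start) if n not in self.failed]
        if len(live) < self.replicas:
            raise RuntimeError("not enough live nodes to meet the replication factor")
        self.sessions[session_id] = live[: self.replicas]
        return self.sessions[session_id]

    def fail(self, node):
        """Mark a node as down; ownership moves to the next live replica."""
        self.failed.add(node)

    def owner(self, session_id):
        """Live node that currently owns the session, or None if it was lost."""
        live = [n for n in self.sessions.get(session_id, []) if n not in self.failed]
        return live[0] if live else None

    def lost_sessions(self):
        """Sessions whose every holder has failed (user must re-establish)."""
        return sorted(s for s in self.sessions if self.owner(s) is None)


def tolerated_simultaneous_failures(replicas):
    """Worst case: a session survives while at least one holder is still up."""
    return replicas - 1


def demo():
    # Four hypothetical nodes, each session replicated to two of them.
    store = StripedSessionStore(["node0", "node1", "node2", "node3"], replicas=2)
    store.create("sessA", start=0)   # held by node0 (owner) and node1
    store.create("sessB", start=2)   # held by node2 (owner) and node3
    store.fail("node0")
    after_one = store.owner("sessA")  # node1 takes over, no user impact
    store.fail("node1")
    after_two = store.owner("sessA")  # both holders gone: session lost
    return after_one, after_two, store.lost_sessions()


if __name__ == "__main__":
    print(demo())
```

Setting `replicas=1` models the spotted or ordinary HA case the bullet contrasts against: the first failure of the owning node discards the session. Raising the replication factor widens the number of simultaneous failures a session survives, at the cost of more replication traffic, which is why a striped configuration tolerates a limited rather than unlimited number of simultaneous node failures.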

Highlights

  • Application firewall offers scalability, high throughput, and session failover support in cluster deployments.
  • All application firewall security checks and signature protections are supported in all cluster configurations.
  • Character-Maps are not yet supported for a cluster. The learning engine recommends Field-Types in learned rules for the Field Format security check.
  • Stats and learned rules are aggregated from all the nodes in a cluster.
  • A Distributed Hash Table (DHT) caches sessions and replicates session information across multiple nodes. When a request arrives at the virtual server, the NetScaler appliance creates application firewall sessions in the DHT and can also retrieve existing session information from it.
  • Clustering is licensed with the Enterprise and Platinum licenses. This feature is not available with the Standard license.