-
Getting Started with Citrix NetScaler
-
Deploy a Citrix NetScaler VPX instance
-
Install a Citrix NetScaler VPX instance on Microsoft Hyper-V servers
-
Install a NetScaler VPX instance on Linux-KVM platform
-
Prerequisites for Installing NetScaler VPX Virtual Appliances on Linux-KVM Platform
-
Provisioning the NetScaler Virtual Appliance by using OpenStack
-
Provisioning the NetScaler Virtual Appliance by using the Virtual Machine Manager
-
Configuring NetScaler Virtual Appliances to Use SR-IOV Network Interface
-
Configuring NetScaler Virtual Appliances to use PCI Passthrough Network Interface
-
Provisioning the NetScaler Virtual Appliance by using the virsh Program
-
-
-
-
-
-
-
Overriding Static Proximity Behavior by Configuring Preferred Locations
-
Example of a Complete Parent-Child Configuration Using the Metrics Exchange Protocol
-
Configuring Global Server Load Balancing for DNS Queries with NAPTR records
-
Using the EDNS0 Client Subnet Option for Global Server Load Balancing
-
-
Persistence and persistent connections
-
Advanced load balancing settings
-
Gradually stepping up the load on a new service with virtual server–level slow start
-
Protect applications on protected servers against traffic surges
-
Use source IP address of the client when connecting to the server
-
Set a limit on number of requests per connection to the server
-
Configure automatic state transition based on percentage health of bound services
-
-
Use case 2: Configure rule based persistence based on a name-value pair in a TCP byte stream
-
Use case 3: Configure load balancing in direct server return mode
-
Use case 6: Configure load balancing in DSR mode for IPv6 networks by using the TOS field
-
Use case 7: Configure load balancing in DSR mode by using IP Over IP
-
Use case 10: Load balancing of intrusion detection system servers
-
Use case 11: Isolating network traffic using listen policies
-
Use case 14: ShareFile wizard for load balancing Citrix ShareFile
-
-
-
Ciphers available on the Citrix ADC appliances
-
Diffie-Hellman (DH) key generation and achieving PFS with DHE
-
Leverage hardware and software to improve ECDHE and ECDSA cipher performance
-
Support for Gemalto SafeNet Network hardware security module
-
-
-
-
Configuring a CloudBridge Connector Tunnel between two Datacenters
-
Configuring CloudBridge Connector between Datacenter and AWS Cloud
-
Configuring a CloudBridge Connector Tunnel Between a Datacenter and Azure Cloud
-
Configuring CloudBridge Connector Tunnel between Datacenter and SoftLayer Enterprise Cloud
-
Configuring a CloudBridge Connector Tunnel Between a NetScaler Appliance and Cisco IOS Device
-
CloudBridge Connector Tunnel Diagnostics and Troubleshooting
View PDF
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已动态机器翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
This content has been machine translated dynamically.
This content has been machine translated dynamically.
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.
Este artigo foi traduzido automaticamente.
这篇文章已经过机器翻译.放弃
Translation failed!
Leverage hardware and software to improve ECDHE cipher performance
Note:
This enhancement is applicable only to the following platforms:
- MPX/SDX 11542
- MPX/SDX 14000
- MPX 22000, MPX 24000, and MPX 25000
- MPX/SDX 14000 FIPS (from release 12.0-56.x)
Previously, ECDHE computation on a NetScaler appliance was performed only on the hardware (Cavium chips), which limited the number of SSL sessions at any given time. With this enhancement, some operations are also performed in the software. That is, processing is done both on the Cavium chips and on the CPU cores to improve ECDHE cipher performance.
The processing is first performed in software, up to the configured software crypto threshold. After this threshold is reached, the operations are offloaded to the hardware. Therefore, this hybrid model leverages both hardware and software to improve SSL performance. You can enable the hybrid model by setting the “softwareCryptoThreshold” parameter to suit your requirement. To disable the hybrid model, set this parameter to 0.
Benefits are greatest if the current CPU utilization is not too high, because the CPU threshold is not exclusive to ECDHE computation. For example, if the current workload on the NetScaler appliance consumes 50% of the CPU cycles, and the threshold is set to 80%, ECDHE computation can use an additional 30% of the cycles. After the configured software crypto threshold of 80% is reached, further ECDHE computation is offloaded to the hardware. In that case, actual CPU utilization might exceed 80%, because performing ECDHE computations in hardware consumes some CPU cycles.
Enable the hybrid model by using the CLI
At the command prompt, type:
set ssl parameter -softwareCryptoThreshold <positive_integer>
Synopsis:
softwareCryptoThreshold:
NetScaler CPU utilization threshold (as a percentage) beyond which crypto operations are not done in software. A value of zero implies that CPU is not utilized for doing crypto in software.
Default = 0
Min = 0
Max = 100
Example:
set ssl parameter - softwareCryptoThreshold 80
Done
show ssl parameter
Advanced SSL Parameters
SSL quantum size : 8 KB
Max CRL memory size : 256 MB
Strict CA checks : NO
Encryption trigger timeout : 100 ms
Send Close-Notify : YES
Encryption trigger packet c : 45
Deny SSL Renegotiation : ALL
Subject/Issuer Name Insertion Format : Unicode
OCSP cache size : 10 MB
Push flag : 0x0 (Auto)
Strict Host Header check for SNI enabled SSL sessions : NO
PUSH encryption trigger timeout : 1 ms
Crypto Device Disable Limit : 0
Global undef action for control policies : CLIENTAUTH
Global undef action for data policies : NOOP
Default profile : DISABLED
Disable TLS 1.1/1.2 for SSL_BRIDGE secure monitors : NO
Disable TLS 1.1/1.2 for dynamic and VPN services : NO
Software Crypto acceleration CPU Threshold : 80
Signature and Hash Algorithms supported by TLS1.2 : ALL
Enable the hybrid model by using the GUI
- Navigate to Traffic Management > SSL > Change advanced SSL settings.
- Enter a value for Software Crypto Threshold (%).
Leverage hardware and software to improve ECDHE cipher performance
Share