- SSL Offloading
Offloads SSL encryption and decryption from web servers, freeing server
resources to service content requests. SSL places a heavy burden on an
application's performance and can render many optimization measures
ineffective. SSL offload and acceleration allow all the benefits of Citrix
Request Switching technology to be applied to SSL traffic, ensuring secure
delivery of web applications without degrading end-user performance.
For more information, see "SSL Offload and
- Access Control
Compares incoming packets to Access Control Lists (ACLs). If a packet matches an
ACL rule, the action specified in the rule is applied to the packet. Otherwise,
the default action (ALLOW) is applied and the packet is processed normally. For
the appliance to compare incoming packets to the ACLs, you have to apply the
ACLs. All ACLs are enabled by default, but you have to apply them for the
NetScaler to compare incoming packets against them. If an ACL is not required
to be part of the lookup table but still needs to be retained in the
configuration, disable it before the ACLs are applied. A NetScaler does not
compare incoming packets to disabled ACLs.
For more information, see "Access Control
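As an added illustration (not Citrix code) of the lookup semantics just described, the following Python models an ACL table: ACLs are enabled by default, only applied ACLs are compared, a disabled ACL stays in the configuration but is never compared, and a packet that matches no applied ACL gets the default ALLOW. The rule fields, the first-match ordering and the sample rules and packets are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Acl:
    name: str
    action: str                     # "ALLOW" or "DENY" (assumed field set)
    src: Optional[str] = None       # source CIDR; None matches any address
    dst_port: Optional[int] = None  # None matches any port
    protocol: Optional[str] = None  # "TCP" / "UDP"; None matches any
    enabled: bool = True            # ACLs are enabled by default

    def matches(self, pkt: dict) -> bool:
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst_port is not None and pkt["dst_port"] != self.dst_port:
            return False
        return self.protocol is None or self.protocol == pkt["protocol"]

@dataclass
class AclTable:
    configured: List[Acl] = field(default_factory=list)
    applied: List[Acl] = field(default_factory=list)   # the lookup table

    def apply_acls(self) -> None:
        # Applying builds the lookup table from enabled ACLs only; a disabled
        # ACL stays configured but is never compared against packets.
        self.applied = [a for a in self.configured if a.enabled]

    def decide(self, pkt: dict) -> str:
        for acl in self.applied:           # first matching applied ACL wins
            if acl.matches(pkt):
                return acl.action
        return "ALLOW"   # default action: no match means normal processing

def demo() -> dict:
    # Constructed sample rules and packets (documentation address ranges).
    table = AclTable(configured=[
        Acl("deny-mgmt", "DENY", src="10.0.0.0/8", dst_port=22, protocol="TCP"),
        Acl("deny-all-udp", "DENY", protocol="UDP", enabled=False),
    ])
    ssh = {"src": "10.1.2.3", "dst": "192.0.2.10", "dst_port": 22, "protocol": "TCP"}
    dns = {"src": "10.1.2.3", "dst": "192.0.2.53", "dst_port": 53, "protocol": "UDP"}
    before = table.decide(ssh)     # enabled but not yet applied: default ALLOW
    table.apply_acls()
    return {"before_apply": before, "ssh": table.decide(ssh), "udp": table.decide(dns)}
```

The `before_apply` result is the one worth checking on a real appliance: an ACL that is configured but never applied leaves the default ALLOW in force.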
- Load Balancing
Load balancing decisions are based on a variety of algorithms, including round robin, least
connections, weighted least bandwidth, weighted least packets, minimum response
time, and hashing based on URL, domain, source IP, or destination IP. Both the
TCP and UDP protocols are supported, so the NetScaler can load balance all
traffic that uses those protocols as the underlying carrier (for example, HTTP,
HTTPS, UDP, DNS, NNTP, and general firewall traffic). In addition, the
NetScaler can maintain session persistence based on source IP, cookie, server,
group, or SSL session. It allows users to apply custom Extended Content
Verification (ECV) to servers, caches, firewalls and other infrastructure
devices to ensure that these systems are functioning properly and are providing
the right content to users. It can also perform health checks using ping, TCP,
or HTTP URL, and the user can create monitors based on Perl scripts.
To provide high-scale WAN optimization, the CloudBridge
appliances deployed at data centers can be load balanced through NetScaler
appliances. The bandwidth and number of concurrent sessions can be improved
For more information, see "Load Balancing."
- Traffic Domains
Traffic domains provide a way to create logical ADC partitions within a single
NetScaler appliance. They enable you to segment network traffic for different
applications. You can use traffic domains to create multiple isolated
environments whose resources do not interact with each other. An application
belonging to a specific traffic domain communicates only with entities, and
processes traffic, within that domain. Traffic belonging to one traffic domain
cannot cross the boundary of another traffic domain. Therefore, you can use
duplicate IP addresses on the appliance as long as an address is not
duplicated within the same domain.
For more information, see "Traffic Domains."
- Network Address Translation
Network address translation (NAT) involves modification of the source and/or
destination IP addresses, and/or the TCP/UDP port numbers, of IP packets that
pass through the NetScaler appliance. Enabling NAT on the appliance enhances
the security of your private network, and protects it from a public network
such as the Internet, by modifying your network's source IP addresses when data
passes through the NetScaler.
The NetScaler appliance supports the following types of network address translation:
- INAT—In Inbound NAT (INAT), an IP address (usually public) configured on
the NetScaler appliance listens to connection requests on behalf of a server.
For a request packet received by the appliance on a public IP address, the
NetScaler replaces the destination IP address with the private IP address of
the server. In other words, the appliance acts as a proxy between clients and
the server. INAT configuration involves INAT rules, which define a 1:1
relationship between the IP address on the NetScaler appliance and the IP
address of the server.
- RNAT—In Reverse Network Address Translation (RNAT), for a session initiated
by a server, the NetScaler appliance replaces the source IP address in the
packets generated by the server with an IP address (type SNIP) configured on
the appliance. The appliance thereby prevents exposure of the server's IP
address in any of the packets generated by the server. An RNAT configuration
involves an RNAT rule, which specifies a condition. The appliance performs RNAT
processing on those packets that match the condition.
- NAT46 Translation—Stateless NAT46 enables communication between IPv4 and
IPv6 networks, by way of IPv4 to IPv6 packet translation and vice versa,
without maintaining any session information on the NetScaler appliance. A
stateless NAT46 configuration involves an IPv4-IPv6 INAT rule and a NAT46 IPv6
- NAT64 Translation—The stateful NAT64 feature enables communication between
IPv4 clients and IPv6 servers through IPv6 to IPv4 packet translation, and vice
versa, while maintaining session information on the NetScaler appliance. A
stateful NAT64 configuration involves a NAT64 rule and a NAT64 IPv6 prefix.
For more information, see "Configuring Network
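As an added illustration of the stateless NAT46 model described above (example code, not Citrix's implementation), the following Python translates the address fields of a packet with a /96 NAT46 IPv6 prefix: the IPv4 client address is embedded in the low 32 bits of the prefix, the IPv4-IPv6 INAT rule maps the IPv4 address on the appliance 1:1 to the IPv6 server, and no per-session state is kept, so the reply is translated back from the rule and prefix alone. The RFC 6052 style embedding, the /96 restriction and all addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Dict, Tuple

@dataclass(frozen=True)
class Header:
    src: str   # only the address fields a NAT46 translator rewrites (constructed model)
    dst: str

def embed_ipv4(prefix: IPv6Network, v4: IPv4Address) -> IPv6Address:
    # Assumed RFC 6052 layout for a /96 prefix: IPv4 address in the low 32 bits.
    if prefix.prefixlen != 96:
        raise ValueError("this model handles /96 NAT46 prefixes only")
    return IPv6Address(int(prefix.network_address) | int(v4))

def extract_ipv4(prefix: IPv6Network, v6: IPv6Address) -> IPv4Address:
    # Reverse of embed_ipv4; reject addresses outside the prefix instead of guessing.
    if v6 not in prefix:
        raise ValueError(f"{v6} is not inside NAT46 prefix {prefix}")
    return IPv4Address(int(v6) & 0xFFFF_FFFF)

class StatelessNat46:
    def __init__(self, prefix: str, inat_rules: Dict[str, str]):
        self.prefix = IPv6Network(prefix)
        self.v4_to_v6 = dict(inat_rules)  # IPv4 address on appliance -> IPv6 server (1:1)
        self.v6_to_v4 = {v6: v4 for v4, v6 in inat_rules.items()}

    def to_ipv6(self, h: Header) -> Header:
        # IPv4 client -> IPv6 server; nothing is stored between packets.
        server_v6 = self.v4_to_v6.get(h.dst)
        if server_v6 is None:
            raise LookupError(f"no IPv4-IPv6 INAT rule listens on {h.dst}")
        client_v6 = embed_ipv4(self.prefix, IPv4Address(h.src))
        return Header(src=str(client_v6), dst=server_v6)

    def to_ipv4(self, h: Header) -> Header:
        # IPv6 server reply -> IPv4 client: undo both mappings.
        appliance_v4 = self.v6_to_v4.get(h.src)
        if appliance_v4 is None:
            raise LookupError(f"no INAT rule maps server {h.src}")
        client_v4 = extract_ipv4(self.prefix, IPv6Address(h.dst))
        return Header(src=appliance_v4, dst=str(client_v4))

def demo() -> Tuple[Header, Header, Header]:
    # Constructed addresses from documentation ranges; prefix is the well-known 64:ff9b::/96.
    nat = StatelessNat46("64:ff9b::/96", {"198.51.100.20": "2001:db8::10"})
    request = Header(src="203.0.113.7", dst="198.51.100.20")
    forwarded = nat.to_ipv6(request)
    reply = nat.to_ipv4(Header(src=forwarded.dst, dst=forwarded.src))
    return request, forwarded, reply
```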
- Multipath TCP
NetScaler appliances support Multipath TCP (MPTCP). MPTCP is a TCP/IP protocol extension
that identifies and uses multiple paths available between hosts to maintain the
TCP session. You must enable MPTCP on a TCP profile and bind it to a virtual
server. When MPTCP is enabled, the virtual server functions as an MPTCP gateway
and converts MPTCP connections with the clients to TCP connections that it
maintains with the servers.
For more information, see "MPTCP (Multi-Path
- Content Switching
Determines the
server to which to send the request on the basis of configured content
switching policies. Policy rules can be based on the IP address, URL, and HTTP
headers. This allows switching decisions to be based on user and device
characteristics such as who the user is, what type of agent is being used, and
what content the user requested.
For more information, see "Content
- Global Server Load Balancing (GSLB)
Extends the
traffic management capabilities of a NetScaler to include distributed Internet
sites and global enterprises. Whether installations are spread across multiple
network locations or multiple clusters in a single location, the NetScaler
maintains availability and distributes traffic across them. It makes
intelligent DNS decisions to prevent users from being sent to a site that is
down or overloaded. When the proximity-based GSLB method is enabled, the
NetScaler can make load balancing decisions based on the proximity of the
client’s local DNS server (LDNS) in relation to different sites. The main
benefit of the proximity-based GSLB method is faster response time resulting
from the selection of the closest available site.
For more information, see "Global Server Load
- Dynamic Routing
Enables routers
to obtain topology information, routes, and IP addresses from neighboring
routers automatically. When dynamic routing is enabled, the corresponding
routing process listens to route updates and advertises routes. The routing
processes can also be placed in passive mode. Routing protocols enable an
upstream router to load balance traffic to identical virtual servers hosted on
two standalone NetScaler units using the Equal Cost Multipath technique.
For more information, see "Configuring Dynamic
- Link Load
Load balances
multiple WAN links and provides link failover, further optimizing network
performance and ensuring business continuity. Ensures that network connections
remain highly available by applying intelligent traffic control and health
checks to distribute traffic efficiently across upstream routers. Identifies
the best WAN link to route both incoming and outbound traffic based on policies
and network conditions, and protects applications against WAN or Internet link
failure by providing rapid fault detection and failover.
For more information, see "
- TCP Profiles
You can use TCP
profiles to optimize TCP traffic. TCP profiles define the way that NetScaler
virtual servers process TCP traffic. Administrators can use the built-in TCP
profiles or configure custom profiles. After defining a TCP profile, you can
bind it to a single virtual server or to multiple virtual servers.
The key optimization features that can be enabled by TCP profiles are:
- TCP keep-alive—Checks the operational status of the peers at specified time
intervals to prevent the link from being broken.
- Selective Acknowledgment (SACK)—Improves the performance of data
transmission, especially in long fat
- TCP window scaling—Allows efficient transfer of data over long fat networks
(LFNs).
For more information on TCP Profiles, see "Configuring TCP
- Web Interface on NetScaler
Provides access to XenApp and XenDesktop resources, which include applications, content,
and desktops. Users access resources through a standard Web browser or by using
the Citrix XenApp plug-in. The Web Interface runs as a service on port 8080 on
the NetScaler appliance. To create Web Interface sites, Java is executed on
Apache Tomcat Web server version 6.0.26 on the NetScaler appliance.
Web Interface is supported only on NetScaler nCore releases.
For more information, see "Web
- CloudBridge
The Citrix NetScaler Connector feature, a fundamental part of the Citrix
OpenCloud framework, is a tool used to build a cloud-extended data center. The
OpenCloud Bridge enables you to connect one or more NetScaler appliances or
NetScaler virtual appliances on the cloud to your network without reconfiguring
your network. Cloud hosted applications appear as though they are running on
one contiguous enterprise network. The primary purpose of the OpenCloud Bridge
is to enable companies to move their applications to the cloud while reducing
costs and the risk of application failure. In addition, the OpenCloud Bridge
increases network security in cloud environments. An OpenCloud Bridge is a
Layer-2 network bridge that connects a NetScaler appliance or NetScaler virtual
appliance on a cloud instance to a NetScaler appliance or NetScaler virtual
appliance on your LAN. The connection is made through a tunnel that uses the
Generic Routing Encapsulation (GRE) protocol. The GRE protocol provides a
mechanism for encapsulating packets from a wide variety of network protocols to
be forwarded over another protocol. The Internet Protocol security (IPsec)
protocol suite is used to secure the communication between the peers in the
For more information, see "CloudBridge."
- DataStream
The NetScaler DataStream feature provides an intelligent mechanism for request
switching at the database layer by distributing requests on the basis of the
SQL query being sent.
When deployed in front of database servers, a NetScaler ensures optimal distribution
of traffic from the application servers and Web servers. Administrators can
segment traffic according to information in the SQL query and on the basis of
database names, user names, character sets, and packet size.
You can configure load balancing to switch requests according to load balancing
algorithms, or you can elaborate the switching criteria by configuring content
switching to make a decision based on SQL query parameters, such as user name,
database names, and command parameters. You can further configure monitors to
track the states of database servers.
The advanced policy infrastructure on the NetScaler appliance includes expressions
that you can use to evaluate and process the requests. The advanced expressions
evaluate traffic associated with MySQL database servers. You can use
request-based expressions (expressions that begin with
MYSQL.REQ) in advanced policies to make request
switching decisions at the content switching virtual server bind point and
response-based expressions (expressions that begin with
MYSQL.RES) to evaluate server responses to
user-configured health monitors.
Note: DataStream is supported for MySQL and MS SQL databases.
For more information, see "DataStream."