what’s new with citrix adc/adm/swg?€¦ · 2 © 2018 citrix | confidential agenda adm what’s...

© 2018 Citrix | Confidential

What’s new with Citrix ADC/ADM?

NOVEMBER 16, 2018

2 © 2018 Citrix | Confidential

Agenda

ADM What’s New

TLS/SSL Update

Traffic Management

Citrix Gateway

Gateway Service

ADMWhat’s New


ADM Service

• Pooled Licensing

• Provisioning VPX on AWS

• Customizing User Experience– Search & Tagging enhancements

• Slack Notifications

• Release notes here:– https://docs.citrix.com/en-us/netscaler-mas/netscaler-management-

and-analytics-service/release-notes.html

https://docs.citrix.com/en-us/netscaler-mas/netscaler-management-and-analytics-service/release-notes.html


–Learning baseline against customers actual traffic enables more accurate and relevant anomaly detection• Handles normal traffic variance compared to static course grained static thresholds that need

manually set up

–Initial Use Cases

• Anomaly Detection

–Slowness in Server Response Time

–Uneven Load Balancing Detection

–DNS Flood Attacks

• Plus

–Service Flaps/Suboptimal Virtual Server Health

–Server Errors

ADM Service - Advanced AnalyticsAdvanced Analytics

• Assess App Infra anomalies and get to the root case of performance issues.

In Tech Preview

Tech Preview: Advanced analytics based on Citrix Analytics

http://docs.citrix.com/en-us/netscaler-mas/netscaler-management-and-analytics-service/advanced-analytics/slowness-server-response-time.html

http://docs.citrix.com/en-us/netscaler-mas/netscaler-management-and-analytics-service/advanced-analytics/uneven-load-balancing-detection.html

http://docs.citrix.com/en-us/netscaler-mas/netscaler-management-and-analytics-service/advanced-analytics/detecting-dns-flood-attacks.html

http://docs.citrix.com/en-us/netscaler-mas/netscaler-management-and-analytics-service/advanced-analytics/service-flaps.html

http://docs.citrix.com/en-us/netscaler-mas/netscaler-management-and-analytics-service/advanced-analytics/server-errors.html


• Improved HA• Disaster Recovery support• Multi Site Agent Support

NetScaler 1

NetScaler X

Agent 1

Data center B

Recovery Site

MASRecovery

ReplicationMAS

Primary

DB

HA-M&M

MAS Secondary

DB

HA-M&M

NetScaler 1 NetScaler 2 NetScaler n-1 NetScaler n

Client

On Failover

Heartbeat

Replication

Data Center A (Primary)

FIP

Compressed data over WAN

…..

NS1’ NSn’

Agent 2

…….

Infra Improvements


ADM 12.1 HA Deployment - Increased Supported ScaleListed Features Enabled Together: 8vCPU; 32GB; SSDs

NetScaler : 300

Vservers :40,000

SNMP :300 Syslog: 300

HDX insight :40,000 CCU

Gateway insight :40,000 CCU

Security insight :7500 violations/sec

Webinsight : 40K transactions/sec, URL – 280K, Client – 300K, Domain - 1, Server – 150, App -1

Note: Above results are without remote agent. Use of remote agents will improve scale


Custom Network Reporting Dashboard

• Network Reporting now supports Customized Dashboards & much more

Customize duration Selection

Add New Reports

Add Multiple Instances

Create Multiple Dashboards


Various Forms of Licensing Classic, CICO, Pooled, vCPU

Dimension Term Platform(s) License Host Application

Bandwidth Perpetual MPX, SDX, VPX Local -

Name

Classic

Bandwidth Perpetual VPX MAS On-prem* Roadmap - MA Service

AutomationCICO

Bandwidth Subscription MPX, SDX, VPX, CPX MAS On-prem* Roadmap - MA Service

Traffic shiftPOOLED

vCPU Subscription VPX, CPX MAS On-prem* Roadmap - MA Service

Lots of Little Things vCPU NEW

TLS/SSL


DTLS support on Coleto platforms

End-to-end DTLS (EDT) support on Coleto MPX/SDX models is coming in 12.1 50.x

Coleto models are 59xx, 89xx, 15xxx, 26xxx

DTLS already supported on Cavium MPX/SDX, VPX and FIPS


New SSL action - PickCACert

• Use case: Strict client cert validation in multitenant environments.

• Problem: In case of SNI enabled multitenant VIPs, multiple CA certs are bound where client validation can be compromised.

• Solution: Policy driven CA cert selection as per client hello SNI information.

• Example: Gateway service is multitenant and needs to send only a fixed set of CA certs in Client certificate request.

CA list

ADC

SNI = abc.comSNI = def.com

abc.com

CA_Cert_List1 = CA1, CA2, CA3

CA_Cert_List2 = CA4, CA5, CA6

Send a CA list based on SNI

Traffic Management


• Use case: Customer wants to log the country from which users are coming

• Use case: Customer wants to insert the user location information in HTTP header when the request is sent to the backend server

• Features supporting this function:

–Responder

–Rewrite

–Audit logging

Getting User Location from Geolocation DatabaseCurrently one can get only Boolean response about location

MPX | VPX | SDX | FIPS

14

GeoDB

Input: 1.2.3.4 Output: Asia.India.KA.Bangalore

2 3

Citrix Gateway


End User Experience

Experience Choice Security

Password Expiry Notification OpenID Connect - Use Gmail/facebookcredentials

Citrix Gateway – Enhancements Summary

Administrator

Experience

Security

SaaS App CatalogueSAML Simplification RDP Auto population of links

Choice nFactor for Windows Plugin

AlwaysOn + Captive Portal

OpenID Connect - oAuth Provider

OPSWATv4 - Better support for Latest AV Products and upgrade OPSWAT library independent of NetScaler


Current CVPN implementation

What is CVPN:Used to publish web apps and enable access from web clients instead of VPN plugin

Current Implementation:Citrix Gateway rewrites the original url to CVPN url. Below is one example

https://website.com/folder/file.html https://nsg.citrix.com/cvpn/https/website

.com/folder/file.html

Indicates to Gateway that it is CVPN

Challenge : Finding the relative urls in HTTP Body/JavaScript and doing rewrite

http://website.com/

https://nsg.citrix.com/

http://website.com/


CVPN 2.0 – Uniquely rewriting the hostname

‘https://onebug.net’ abcd1234’.

https://cvpnabcd1234.nsg.citrix.com Only Hostname is changed and not the relative url

Pre-requisties :1. Wildcard DNS 2. Wildcard SSL Certificates.

Internally mapped to

https://onebug.net/

http://nsg.citrix.com/


• OPSWAT 3rd party vendor provides library with support for latest version of AV/Security products–De-coupled NetScaler release and EPA library update. No need to Upgrade NetScaler for EPA updates

EPA - OPSWATv4

NS 12.0.56.xOPSWAT - 4.0.0.1600

New EPA library available 4.0.1.1600

NS 12.0.57.xOPSWAT - 4.0.1.1600

NS 12.0.56.xOPSWAT - 4.0.0.1600

NS 12.0.56.xOPSWAT - 4.0.1.1600


AlwaysOn - SSLVPN - Tunnel establishment without user intervention

User Logs into device

Other authentication

methods

Authentication -Active Directory

or User CertSeamless Launch

Manual intervention

Tunnel Establishment

Feature User Experience Security

Connect to Internet in case gateway connectivity failure

Yes No

Option for user to change the gateway URL

Yes No


Use Case

• Plugin/Receiver for nFactor flow

• SAML Authentication/Native OTP using Plugin/Receiver

Feature Description:

• Authv3 is added for plugin/Receiver.

• Authv3 is new forms protocol by Citrix and it supports webview. Gateway forces webview for nFactor

• Will be available from 12.1 FR1 (Expected in August)

nFactor and EPA EnhancementsnFactor for Plugin / Receiver

• EPA policies can be applied to Web-apps without the requirement of SSLVPN client/Gateway client–Differentiator for NetScaler in Microsoft WAP

replacement use cases. In addition to load balancing Outlook etc NetScaler can pre-checks before allowing connection to outlook server

• EPA part of nFactor–Provides the flexibility to the administrator in having EPA

in both post and pre-auth flow

–Conditional access can be provided based EPA results

EPA for AAA-TM


• Provides the administrator an option to notify the end user about password expiry

• Based on the time left for the password to expire, an expiry notification is displayed on the portal page on Citrix Gateway. User then takes appropriate action to update the password

• > set aaa parameter -pwdExpiryNotificationDays 14

Password expiry notification


Use Case

• Simplify configuring and publishing a SaaS app for Single Sign On

Feature Description:

• Built-in catalogues of commonly used SaaS apps

• Both SP and IDP initiated flow as long the app supports the same

• NetScaler metadata can be imported if the app supports meta data import

• Available from NetScaler 12.1 GA release

SAML Simplification – App Catalogue Support


SAML Metadata Import/Export support

Import SAML IdP Metadata

Import SAML SP Metadata

Export Metadata from Citrix Gateway wizard


• With Advanced Threshold Management for HDX Insight, NetScaler MAS provides proactive alerting mechanism via SMS/e-mail, incase threshold(s) set in an threshold group are breached.

• What is a threshold Group?–A threshold group is comprised of one or more user defined threshold rules for metrics chosen from

entities such as users, apps & desktops against an expected value.

o An example of a threshold rule1: ICA RTT(metric) for users(entity) should be <= 100 ms

o An example of a threshold rule2: WAN Latency (metric) for users(entity) should be <= 100 ms

o An example of threshold group can be : {Threshold rule 1 + Threshold rule 2}

–An interval for monitoring & the notification mechanism incase of breach (SMS, e-mail) needs to be

selected

• Threshold groups can be bound to Geo locations for geo specific monitoring

• Navigate to System->Analytics Settings->Thresholds

Advanced Threshold Management for HDX Insight


• Gateway Insight support for SAML is now available on MAS

• Please note: –Incorrect credentials when entered at 3rd party IdP cannot be captured by NetScaler

Gateway Insight now supports SAML


Current Implementation:

• CPU/Memory intensive components in ICA stack- Task of Compression and Encryption

• Data is scattered over Multiple Virtual Channels

• Data is available only after Decryption and Decompression

New Solution:

• Data is available in a single Virtual Channel!

• New channel data is not compressed or multiplexed with other virtual channels

• NetScaler to ignore all the remaining virtual channels

PROBLEM STATEMENT:To scale up the number of HDX sessions supported on the NetScaler when HDX Insight is enabled

Citrix Gateway Service


• Fully secure & highly available seamless access to all apps

• Simplified out-of-the-box setup

• Fully Managed by Citrix

• No firewall changes required

• Global Presence (12 POPs)

• Optimal end-user traffic routing

Secure access as a cloud service

CloudCitrix

Consumption pricing

Users

Apps

Data

Network

NGS

Gateway Service - Overview


New enhancements to Gateway Service for SaaS app delivery alongside Web and Windows apps

SaaS and Web apps XenApp & XenDesktopon-premises support

Enhanced experience

New• Single Sign-On to SaaS & Enterprise Web

apps

• Pre-defined SaaS template library

• Access to SaaS & Enterprise Web Apps

New• Expanded global presence with 12 data

Points of Presence

• Stand-alone trials and new Citrix Cloud tile

• Two-factor authentication via native One Time Password (OTP)

New• Support for Storefront and Auth store

on-premises

• Enables hybrid deployments through Workspace site aggregation

© Citrix – CONFIDENTIAL – The development, release and timing of any features or functionality described for our products remains at our sole discretion and are subject to change without notice or consultation. The information provided is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making purchasing decisions or incorporated into any contract.

What’s New with Gateway Service (GA launch in Q3)

Available in production Coming Soon


• Natively generated One-Time Password (OTP)

• Supports on-premises AD

• User device / app needs to be registered with Citrix Cloud

• OTP token generation and login–Self-service

–Citrix SSO app

–Public authenticator apps e.g. Google authenticator, Microsoft authenticator app

Two-Factor Authentication (2FA)

© Citrix – CONFIDENTIAL – The development, release and timing of any features or functionality described for our products remains at our sole discretion and are subject to change without notice or consultation. The information provided is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making purchasing decisions or incorporated into any contract.

*Support for RADIUS & 3rd party IdP to follow


• New Gateway Service tile on launchpad

• SaaS/Web apps support configurable by admin using NGS tile/ Admin UI

New Tile on Citrix Cloud

33 © 2018 Citrix | Confidential ACME Resource Location 1

Connector

Active Directory

VDAVDAVDA

Connector

Hypervisors

1

Connector finds the

closest POP

Client finds the closest

POP

Connector and client

rendezvous


POP

POP fails


POP

Gateway Service – Global POP Network


SSO to SaaS

InternetInternet


Single-Sign On (SSO) to SaaS Apps

• SaaS App delivery using NGS

• End-user access from Citrix Workspace

• SAML 2.0 based Single Sign On to SaaS App

• Simpler App publishing

• Pre-defined SaaS app templates

NetScaler GatewayService

SaaS Apps


• Simpler & faster way of onboarding of SaaS apps

• Template for popular SaaS apps

• Minimal configuration

• Initial launch with 29 templates

• Constantly expanding the catalog

• Option to configure any SaaS app, if template not available

App Catalog for SaaS Apps


• NetScaler Gateway Service

• SaaS Template (or custom)

• Organization-specific SaaS configuration

• SSO

SSO to SaaSConfiguration


SSO Configuration


Web Apps Access

InternetInternet


Secure Access to on-premises Web Apps

NetScaler GatewayService Customer on-Prem

• On-Prem Web App delivery using Gateway Service

• End-user access from Citrix Workspace

• Single Sign On to Web App

• Data Centre needs to have Gateway Connector and Web App Server

• Web App can be configured using NGS tile & Admin UIWeb Server

Gateway Connector


How to Publish WebApp Admin View• Create a new Resource Location and install a Gateway Connector


How to Publish WebApp Admin View• Installing a Gateway Connector • Copy and Paste the Activation Code on Connector UI


Monitoring the Gateway Connector


NGS Web App flow

Launch WebApp

Login

NGS

Web App Enumeration

Aggregated Apps

Login

sso

App Enumeration

Connect to Web Server

Gateway Connector(On-Prem)

Web Server(On-Prem)

SSL

Connect to Web Server

SSL

Web app traffic flow


Current Name New Name

NetScaler ADC Citrix ADC

NetScaler App Security Citrix Web App Firewall

NetScaler AppFirewall Citrix Web App Firewall

NetScaler Gateway Citrix Gateway(NetScaler Gateway and NetScaler Unified Gateway merge)

NetScaler Unified Gateway Citrix Gateway(NetScaler Gateway and NetScaler Unified Gateway merge)

NetScaler Management and Analytics System

Citrix Application Delivery Management

NetScaler SD-WAN Citrix SD-WAN

NetScaler Secure Web Gateway Citrix Secure Web Gateway

NetScaler Web App Security Citrix Web App Firewall

Branding and name changes

what’s new with citrix adc/adm/swg?€¦ · 2 © 2018 citrix | confidential agenda adm what’s...

Documents