© 2018 Citrix | Confidential
What’s new with Citrix ADC/ADM?
NOVEMBER 16, 2018
Agenda
ADM What’s New
TLS/SSL Update
Traffic Management
Citrix Gateway
Gateway Service
ADM What’s New
ADM Service
• Pooled Licensing
• Provisioning VPX on AWS
• Customizing User Experience – Search & Tagging enhancements
• Slack Notifications
• Release notes here: https://docs.citrix.com/en-us/netscaler-mas/netscaler-management-and-analytics-service/release-notes.html
ADM Service - Advanced Analytics
Tech Preview: Advanced analytics based on Citrix Analytics
• Assess app infrastructure anomalies and get to the root cause of performance issues.
–Learning a baseline against the customer's actual traffic enables more accurate and relevant anomaly detection
  • Handles normal traffic variance, unlike static, coarse-grained thresholds that have to be set up manually
–Initial Use Cases
  • Anomaly Detection
    –Slowness in Server Response Time
    –Uneven Load Balancing Detection
    –DNS Flood Attacks
  • Plus
    –Service Flaps/Suboptimal Virtual Server Health
    –Server Errors
Infra Improvements
• Improved HA
• Disaster Recovery support
• Multi Site Agent Support
[Diagram: Data Center A (Primary) runs a MAS Primary / MAS Secondary HA pair (DB, HA-M&M, FIP, heartbeat, replication) managing NetScaler 1 .. NetScaler n; the primary DB is replicated as compressed data over the WAN to MAS Recovery in Data Center B (Recovery Site), which clients reach on failover; Agent 1 and Agent 2 at remote sites front NetScaler 1 .. NetScaler X and NS1' .. NSn']
ADM 12.1 HA Deployment - Increased Supported Scale
Listed features enabled together on 8 vCPU, 32 GB RAM, SSDs:
• NetScaler instances: 300
• Vservers: 40,000
• SNMP: 300; Syslog: 300
• HDX Insight: 40,000 CCU
• Gateway Insight: 40,000 CCU
• Security Insight: 7,500 violations/sec
• Web Insight: 40K transactions/sec; URLs 280K, Clients 300K, Domains 1, Servers 150, Apps 1
Note: The above results are without a remote agent. Use of remote agents will improve scale.
Custom Network Reporting Dashboard
• Network Reporting now supports customized dashboards & much more:
–Customize duration selection
–Add new reports
–Add multiple instances
–Create multiple dashboards
Various Forms of Licensing: Classic, CICO, Pooled, vCPU
Name        | Dimension | Term         | Platform(s)        | License Host  | Application
Classic     | Bandwidth | Perpetual    | MPX, SDX, VPX      | Local         | -
CICO        | Bandwidth | Perpetual    | VPX                | MAS On-prem*  | Automation
Pooled      | Bandwidth | Subscription | MPX, SDX, VPX, CPX | MAS On-prem*  | Traffic shift
vCPU (NEW)  | vCPU      | Subscription | VPX, CPX           | MAS On-prem*  | Lots of Little Things
* Roadmap - MA Service
TLS/SSL
DTLS support on Coleto platforms
End-to-end DTLS (EDT) support on Coleto MPX/SDX models is coming in 12.1 50.x
Coleto models are 59xx, 89xx, 15xxx, 26xxx
DTLS already supported on Cavium MPX/SDX, VPX and FIPS
New SSL action - PickCACert
• Use case: Strict client cert validation in multitenant environments.
• Problem: On an SNI-enabled multitenant VIP, the CA certs of every tenant are bound to the same vserver, so a client certificate issued by any bound CA is accepted regardless of which tenant's hostname the client asked for; per-tenant client validation can be compromised.
• Solution: Policy-driven CA cert selection according to the SNI in the client hello.
• Example: Gateway Service is multitenant and needs to send only a fixed set of CA certs in the client certificate request.
[Diagram: ADC sends a CA list based on SNI. SNI = abc.com -> CA_Cert_List1 = CA1, CA2, CA3; SNI = def.com -> CA_Cert_List2 = CA4, CA5, CA6]
Traffic Management
Getting User Location from Geolocation Database
Currently one can get only a Boolean response about location
• Use case: Customer wants to log the country from which users are coming
• Use case: Customer wants to insert the user location information in an HTTP header when the request is sent to the backend server
• Features supporting this function:
–Responder
–Rewrite
–Audit logging
Platforms: MPX | VPX | SDX | FIPS
[Diagram: GeoDB lookup. Input: 1.2.3.4, Output: Asia.India.KA.Bangalore]
Citrix Gateway
Citrix Gateway – Enhancements Summary
(slide axes: Experience / Choice / Security)
End User
• Password Expiry Notification
• OpenID Connect - use Gmail/Facebook credentials
Administrator
• SaaS App Catalogue
• SAML Simplification
• RDP auto-population of links
• nFactor for Windows Plugin
• AlwaysOn + Captive Portal
• OpenID Connect - OAuth Provider
• OPSWATv4 - better support for the latest AV products and upgrade of the OPSWAT library independent of NetScaler
Current CVPN implementation
What is CVPN: Used to publish web apps and enable access from web clients instead of the VPN plugin
Current Implementation: Citrix Gateway rewrites the original URL to a CVPN URL. One example:
https://website.com/folder/file.html -> https://nsg.citrix.com/cvpn/https/website.com/folder/file.html
(the /cvpn/ path prefix indicates to Gateway that it is CVPN)
Challenge: Finding the relative URLs in the HTTP body/JavaScript and rewriting them
CVPN 2.0 – Uniquely rewriting the hostname
https://onebug.net is internally mapped to the token abcd1234 and published as https://cvpnabcd1234.nsg.citrix.com
Only the hostname is changed, not the relative URLs.
Pre-requisites: 1. Wildcard DNS 2. Wildcard SSL certificates.
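The two rewriting schemes side by side, as an added example that is not Citrix code: it reproduces the URL shapes from the two CVPN slides with urllib and then checks what a browser does with a link found in the proxied page, which is the "relative URLs in the body" challenge the slides describe. The gateway name nsg.citrix.com and the onebug.net to abcd1234 mapping are the slides' values; the token table and the second token (website.com to ef567890) are assumptions made here.

```python
"""Path-style (current CVPN) versus hostname-style (CVPN 2.0) URL rewriting.

Added example, not Citrix code. nsg.citrix.com and onebug.net -> abcd1234 are
from the slides; ORIGIN_TOKENS as a whole is an assumed internal mapping.
"""
from urllib.parse import urljoin, urlsplit, urlunsplit

GATEWAY = "nsg.citrix.com"

# Assumed internal mapping of published origins to unique tokens (CVPN 2.0).
ORIGIN_TOKENS = {"https://onebug.net": "abcd1234", "https://website.com": "ef567890"}


def rewrite_path_style(url):
    """Current CVPN: fold the app's scheme and host into the gateway's path.
    The /cvpn/ prefix is what tells the gateway the request is CVPN traffic."""
    u = urlsplit(url)
    path = f"/cvpn/{u.scheme}/{u.netloc}{u.path or '/'}"
    return urlunsplit(("https", GATEWAY, path, u.query, u.fragment))


def unproxy_path_style(url):
    """What the gateway can map back to an app; None when the prefix is missing."""
    u = urlsplit(url)
    parts = u.path.split("/", 4)        # ['', 'cvpn', scheme, host, rest]
    if u.netloc != GATEWAY or len(parts) < 4 or parts[1] != "cvpn":
        return None
    rest = "/" + parts[4] if len(parts) > 4 else "/"
    return urlunsplit((parts[2], parts[3], rest, u.query, u.fragment))


def rewrite_host_style(url):
    """CVPN 2.0: change only the hostname to cvpn<token>.<gateway>; path untouched.
    Requires wildcard DNS and a wildcard certificate for *.<gateway>."""
    u = urlsplit(url)
    token = ORIGIN_TOKENS[f"{u.scheme}://{u.netloc}"]   # KeyError: origin not published
    return urlunsplit(("https", f"cvpn{token}.{GATEWAY}", u.path, u.query, u.fragment))


def unproxy_host_style(url):
    """Map cvpn<token>.<gateway> back to its published origin; None if not ours."""
    u = urlsplit(url)
    suffix = "." + GATEWAY
    if not (u.netloc.startswith("cvpn") and u.netloc.endswith(suffix)):
        return None
    token = u.netloc[len("cvpn"):-len(suffix)]
    origin = next((o for o, t in ORIGIN_TOKENS.items() if t == token), None)
    if origin is None:
        return None
    o = urlsplit(origin)
    return urlunsplit((o.scheme, o.netloc, u.path, u.query, u.fragment))


def relative_link_reaches_app(page_url, ref, rewrite, unproxy):
    """Does a link `ref` in the proxied copy of `page_url` still reach the app?

    The browser resolves `ref` against the proxied page URL (no body rewriting
    assumed); the gateway then tries to map the resulting request back and
    the result must equal what the link meant on the original site."""
    browser_requests = urljoin(rewrite(page_url), ref)
    return unproxy(browser_requests) == urljoin(page_url, ref)


if __name__ == "__main__":
    page = "https://website.com/folder/file.html"
    print(rewrite_path_style(page))
    print(rewrite_host_style("https://onebug.net/"))
    for ref in ("file2.html", "/css/app.css", "https://website.com/api"):
        print(ref,
              "path-style:", relative_link_reaches_app(page, ref, rewrite_path_style, unproxy_path_style),
              "host-style:", relative_link_reaches_app(page, ref, rewrite_host_style, unproxy_host_style))
```

Document-relative links (file2.html) survive both schemes, root-relative links (/css/app.css) survive only the hostname scheme, and absolute URLs embedded in the body or built by JavaScript bypass the gateway under both unless they are rewritten; that difference is the body-rewriting burden the previous slide calls out. A practitioner will also note that a hostname per published app gives each app its own browser origin for cookies and same-origin checks, which apps sharing one path prefix under nsg.citrix.com do not get; the cost is the wildcard DNS and wildcard certificate prerequisites listed above.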
EPA - OPSWATv4
• OPSWAT, a 3rd-party vendor, provides a library with support for the latest versions of AV/security products
–De-coupled NetScaler release and EPA library update: no need to upgrade NetScaler for EPA updates
[Diagram: NS 12.0.56.x ships with OPSWAT 4.0.0.1600. When the new EPA library 4.0.1.1600 becomes available, NS 12.0.56.x can be updated to OPSWAT 4.0.1.1600 in place, instead of moving to NS 12.0.57.x (which ships OPSWAT 4.0.1.1600)]
AlwaysOn - SSLVPN - Tunnel establishment without user intervention
[Diagram: user logs into device -> authentication. Active Directory or user certificate: seamless launch; other authentication methods: manual intervention -> tunnel establishment]
Feature                                                      | User Experience | Security
Connect to Internet in case of gateway connectivity failure  | Yes             | No
Option for user to change the gateway URL                    | Yes             | No
nFactor and EPA Enhancements
nFactor for Plugin / Receiver
Use Case
• Plugin/Receiver for nFactor flow
• SAML Authentication/Native OTP using Plugin/Receiver
Feature Description:
• Authv3 is added for plugin/Receiver.
• Authv3 is a new forms protocol by Citrix and it supports webview. Gateway forces webview for nFactor
• Will be available from 12.1 FR1 (Expected in August)
EPA for AAA-TM
• EPA policies can be applied to web apps without requiring the SSLVPN client/Gateway client
–Differentiator for NetScaler in Microsoft WAP replacement use cases. In addition to load balancing Outlook etc., NetScaler can run pre-checks before allowing the connection to the Outlook server
• EPA as part of nFactor
–Gives the administrator the flexibility of having EPA in both the pre-auth and post-auth flow
–Conditional access can be provided based on EPA results
Password expiry notification
• Provides the administrator an option to notify the end user about password expiry
• Based on the time left for the password to expire, an expiry notification is displayed on the portal page on Citrix Gateway. The user then takes appropriate action to update the password
• > set aaa parameter -pwdExpiryNotificationDays 14
SAML Simplification – App Catalogue Support
Use Case
• Simplify configuring and publishing a SaaS app for Single Sign On
Feature Description:
• Built-in catalogues of commonly used SaaS apps
• Both SP-initiated and IdP-initiated flows, as long as the app supports them
• NetScaler metadata can be imported if the app supports metadata import
• Available from the NetScaler 12.1 GA release
SAML Metadata Import/Export support
Import SAML IdP Metadata
Import SAML SP Metadata
Export Metadata from Citrix Gateway wizard
Advanced Threshold Management for HDX Insight
• With Advanced Threshold Management for HDX Insight, NetScaler MAS provides a proactive alerting mechanism via SMS/e-mail in case threshold(s) set in a threshold group are breached.
• What is a threshold group?
–A threshold group is comprised of one or more user-defined threshold rules for metrics chosen from entities such as users, apps & desktops, each compared against an expected value.
  o An example of threshold rule 1: ICA RTT (metric) for users (entity) should be <= 100 ms
  o An example of threshold rule 2: WAN Latency (metric) for users (entity) should be <= 100 ms
  o An example of a threshold group: {Threshold rule 1 + Threshold rule 2}
–An interval for monitoring & the notification mechanism in case of breach (SMS, e-mail) need to be selected
• Threshold groups can be bound to Geo locations for geo-specific monitoring
• Navigate to System->Analytics Settings->Thresholds
Gateway Insight now supports SAML
• Gateway Insight support for SAML is now available on MAS
• Please note: incorrect credentials entered at a 3rd party IdP cannot be captured by NetScaler
PROBLEM STATEMENT: To scale up the number of HDX sessions supported on the NetScaler when HDX Insight is enabled
Current Implementation:
• CPU/Memory intensive components in the ICA stack: the tasks of compression and encryption
• Data is scattered over multiple Virtual Channels
• Data is available only after decryption and decompression
New Solution:
• Data is available in a single Virtual Channel!
• New channel data is not compressed or multiplexed with other virtual channels
• NetScaler ignores all the remaining virtual channels
Citrix Gateway Service
Gateway Service - Overview
Secure access as a cloud service (NGS, consumption pricing)
• Fully secure & highly available seamless access to all apps
• Simplified out-of-the-box setup
• Fully managed by Citrix
• No firewall changes required
• Global presence (12 POPs)
• Optimal end-user traffic routing
[Diagram: Citrix Cloud / NGS sits between Users and the customer's Apps, Data and Network]
What’s New with Gateway Service (GA launch in Q3)
New enhancements to Gateway Service for SaaS app delivery alongside Web and Windows apps
SaaS and Web apps (New)
• Single Sign-On to SaaS & Enterprise Web apps
• Pre-defined SaaS template library
• Access to SaaS & Enterprise Web Apps
Enhanced experience (New)
• Expanded global presence with 12 data Points of Presence
• Stand-alone trials and new Citrix Cloud tile
• Two-factor authentication via native One Time Password (OTP)
XenApp & XenDesktop on-premises support (New)
• Support for StoreFront and Auth store on-premises
• Enables hybrid deployments through Workspace site aggregation
(Slide legend: Available in production / Coming Soon)
© Citrix – CONFIDENTIAL – The development, release and timing of any features or functionality described for our products remains at our sole discretion and are subject to change without notice or consultation. The information provided is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making purchasing decisions or incorporated into any contract.
Two-Factor Authentication (2FA)
• Natively generated One-Time Password (OTP)
• Supports on-premises AD
• User device / app needs to be registered with Citrix Cloud
• OTP token generation and login
–Self-service
–Citrix SSO app
–Public authenticator apps, e.g. Google Authenticator, Microsoft Authenticator app
*Support for RADIUS & 3rd party IdP to follow
New Tile on Citrix Cloud
• New Gateway Service tile on the launchpad
• SaaS/Web apps support configurable by the admin using the NGS tile / Admin UI
Gateway Service – Global POP Network
[Diagram: ACME Resource Location 1 with Connectors, Active Directory, VDAs and hypervisors. 1. The Connector finds the closest POP. 2. The client finds the closest POP. 3. Connector and client rendezvous. If a POP fails, the client finds the next closest POP.]
SSO to SaaS
Single Sign-On (SSO) to SaaS Apps
• SaaS App delivery using NGS
• End-user access from Citrix Workspace
• SAML 2.0 based Single Sign On to the SaaS App
• Simpler App publishing
• Pre-defined SaaS app templates
[Diagram: NetScaler Gateway Service -> SaaS Apps]
App Catalog for SaaS Apps
• Simpler & faster way of onboarding SaaS apps
• Templates for popular SaaS apps
• Minimal configuration
• Initial launch with 29 templates
• Constantly expanding the catalog
• Option to configure any SaaS app if a template is not available
SSO to SaaS Configuration
• NetScaler Gateway Service
• SaaS Template (or custom)
• Organization-specific SaaS configuration
• SSO
SSO Configuration
Web Apps Access
Secure Access to on-premises Web Apps
• On-prem Web App delivery using Gateway Service
• End-user access from Citrix Workspace
• Single Sign On to the Web App
• The data centre needs to have the Gateway Connector and the Web App Server
• Web App can be configured using the NGS tile & Admin UI
[Diagram: NetScaler Gateway Service -> Customer on-prem: Gateway Connector -> Web Server]
How to Publish WebApp - Admin View
• Create a new Resource Location and install a Gateway Connector
• Installing a Gateway Connector: copy and paste the Activation Code on the Connector UI
Monitoring the Gateway Connector
NGS Web App flow
[Diagram: Login -> NGS -> Web App Enumeration -> Aggregated Apps shown to the user. Launch WebApp -> Login -> SSO -> App Enumeration -> NGS connects over SSL to the Gateway Connector (on-prem), which connects over SSL to the Web Server (on-prem). Web app traffic flow]
Branding and name changes
Current Name                                | New Name
NetScaler ADC                               | Citrix ADC
NetScaler App Security                      | Citrix Web App Firewall
NetScaler AppFirewall                       | Citrix Web App Firewall
NetScaler Gateway                           | Citrix Gateway (NetScaler Gateway and NetScaler Unified Gateway merge)
NetScaler Unified Gateway                   | Citrix Gateway (NetScaler Gateway and NetScaler Unified Gateway merge)
NetScaler Management and Analytics System   | Citrix Application Delivery Management
NetScaler SD-WAN                            | Citrix SD-WAN
NetScaler Secure Web Gateway                | Citrix Secure Web Gateway
NetScaler Web App Security                  | Citrix Web App Firewall