Apr 14 2009

Control the Flow

Citrix NetScaler 9 takes on load balancing and application delivery so you don't have to.

With the release of the NetScaler 9 network appliances, Citrix has again crafted a line of full-featured application delivery controllers. Beyond enhancements to the previous release, the NetScaler 9 devices feature AppExpert, which lets administrators create (or import) templates for particular applications.

Network engineers are constantly under pressure to get the most out of the bandwidth they have, but users — agency employees, contractors and citizens alike — want data more quickly and easily than ever. NetScaler 9 includes integrated caching and compression to help meet those demands.


First and foremost, NetScaler 9 is a load balancer. In a simple example, consider two web servers with identical content, with users outside the firewall. NetScaler 9 keeps track of current connections to each server, so it knows which server is likely to be less busy and directs new users to that server. Of course, it also knows if a web server is down. That means that even if one of your server operators accidentally formatted the entire disk of Web Server 1, users can still get to their application on Web Server 2 without changing anything on their end — in fact, they may not notice you’re having server issues at all.

The integrated cache can store frequently delivered content, either static or dynamic, and deliver it quickly to a large number of users: for example, common headers and footers, your agency’s logos or a 10 megabyte document that HR just sent out via e-mail to all 150 remote employees. This relieves the server from doing repetitive tasks, letting it concentrate on other demands.

NetScaler 9’s compression works with modern browsers, such as Microsoft Internet Explorer, Mozilla Firefox, Safari and Google’s new Chrome browser. It uses HTTP 1.1 specifications to compress HTML and text, thus decreasing the amount of data that needs to be transmitted from the server to the user.

In a geographically distributed enterprise environment, NetScaler’s Global Server Load Balancing (GSLB) directs each user to the best-performing site available. On the user side, it responds to Domain Name System queries with the IP address of the best-performing location or system. On the back end, NetScaler determines which site is performing at peak by using the proprietary Metric Exchange Protocol. MEP lets a NetScaler device in any location exchange health information with devices in other locations.

NetScaler 9 also makes it easy for users to access the enterprise data, such as file shares and other applications that are not exposed to the Internet for security reasons. Being a Citrix product, NetScaler 9 integrates with Citrix Presentation Server and XenApp. Using NetScaler’s Redirector functions, website requests can be automatically translated to secure requests, forcing secure connections and making it so the user doesn’t have to remember whether the site is secure or not. NetScaler can also act as a Secure Sockets Layer virtual private network gateway, allowing employees to have secure, remote access to the agency’s local area network.

Employees can work from anywhere at any time, enjoying the same access to applications and data protected inside the network.

Why It Works for IT

At my organization, network engineers hear not only from the user side but also from application developers, and IT security folks as well. The SSL Offload feature is pleasing to all of them — an extremely rare occurrence, I assure you. The secure tunnel that SSL creates between the web user and an application is terminated inside the firewall at the NetScaler 9 appliance. It performs all the encryption/decryption tasks required by an SSL or secure HTTP connection. Encrypting and decrypting web traffic can be a processor-intensive task, but with NetScaler 9 that process no longer takes place on your servers. It frees them up to take on other processing jobs.

Where NetScaler 9C really shines is in its new AppExpert feature. In the past, a network engineer had to configure each app delivery policy separately. There are dozens of options — which files to compress, cache, redirect and rewrite; even for two similar applications, an administrator must painstakingly copy each configuration detail.

This leads to the possibility of faulty configuration (breaking the app). AppExpert lets you create a template for the apps. Once created or imported, you can apply the template to a particular app and then tweak it. Templates for apps such as Microsoft Outlook Web Access and SharePoint, SAP Enterprise SOA and Oracle E-Business Suite are available, or you can fashion your own. A list of AppExpert templates and tips can be found on the Citrix Community’s NetScaler Developer Network site.

NetScaler 9 also has other handy features:

  • It can act as an Authoritative Domain Name Server, which is useful in conjunction with the GSLB feature.
  • The Application Firewall feature examines traffic for evidence of attacks or misuse, and takes appropriate action to prevent them from succeeding.
  • It can prevent data loss by looking for credit card information or Social Security numbers, and has the ability to prevent cross-site scripting and SQL-injection web-application attacks.


One important caveat for buyers: Not all of the features are available in every edition of NetScaler 9. I test-drove a premium-licensed device that included all features.

Citrix slices the licensing into two cuts: features and number of transactions per second. Features are simply added to an existing device through a license key, which means that as you want more functionality, you pay for what you need. There are three editions of Citrix NetScaler 9: Standard, Enterprise and Platinum. NetScaler has six appliances, ranging from 50,000 transactions per second to 340,000. System and compression throughput increase with price. So you will want to make sure you understand what you need before you buy.

Many apps, especially custom ones, are not necessarily ready for load balancing. For example, if your developers keep a user’s session state in memory, what happens if they click a link and end up on a different web server? In this case, you need to configure NetScaler with persistence, which means that once a user starts on one web server, they stay there. (Or, you can fight with your application developers to store the session state in a database common to all the web servers.) You’ll need to work closely with the applications teams after deploying NetScaler because you’ve in essence become an extension of each app’s logic.
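The session-state problem described above can be reproduced with a small model of a least-connection balancer. This is an added example, not NetScaler code or configuration; the `Backend` and `Balancer` classes, the user name and the cart contents are all hypothetical.

```python
# Added illustration (not NetScaler code; all names hypothetical): least-connection
# balancing with health awareness and optional persistence.
class Backend:
    def __init__(self, name):
        self.name = name
        self.healthy = True
        self.active = 0        # current connections, tracked by the balancer
        self.sessions = {}     # in-memory session state, local to this server

    def handle(self, user, item):
        # The app keeps the user's cart in this server's memory only.
        cart = self.sessions.setdefault(user, [])
        cart.append(item)
        return list(cart)


class Balancer:
    def __init__(self, backends, persistence=False):
        self.backends = backends
        self.persistence = persistence
        self.pinned = {}       # user -> backend, used only with persistence

    def pick(self, user):
        live = [b for b in self.backends if b.healthy]
        if not live:
            raise RuntimeError("no healthy backend")
        pinned = self.pinned.get(user)
        if self.persistence and pinned in live:
            return pinned
        # Least connections: lowest active count wins; ties go to list order.
        choice = min(live, key=lambda b: b.active)
        if self.persistence:
            self.pinned[user] = choice   # re-pin if the old server is down
        return choice

    def request(self, user, item, hold_open=False):
        backend = self.pick(user)
        backend.active += 1
        cart = backend.handle(user, item)
        if not hold_open:
            backend.active -= 1          # connection closed
        return backend.name, cart


def demo(persistence):
    web1, web2 = Backend("web1"), Backend("web2")
    lb = Balancer([web1, web2], persistence)
    first = lb.request("alice", "form-A", hold_open=True)   # lands on web1
    return first, lb.request("alice", "form-B")
```

Without persistence the second request lands on the less busy server and sees an empty session. With persistence it stays put, but a user whose pinned server fails is re-pinned and still loses in-memory state, which is the case a shared session store covers.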

Persistence is just one of many complex ideas that come with automating load balancing. AppExpert makes it easy to jump in. In my lab, I configured Outlook Web Access and a SharePoint app in less than an hour. But deploying a network device like this in a large enterprise can quickly become complex. To remedy this, Citrix sends an engineer out with every appliance to demonstrate how to use the device.

While it’s great to have so many features in one box, the problem may be that some of them don’t quite meet your network architecture requirements. For example, perhaps you have some requirements that the Application Firewall or DNS server simply doesn’t meet. It might make more sense to buy a standalone device for this functionality. It’s a philosophical decision every IT department must make: best of breed or a homogeneous environment? But if you’re mainly looking for a load-balancer with Citrix synergy, NetScaler 9 should be on your short list.