Netscaler Knowledgebase

Hello,

I'm new to this board, and have some feature and functionality questions about the Netscaler platform as it relates to F5.  I'm working for an organization that is migrating away from a huge Terminal Server environment to XenApp.  We have been presented with a design that includes a pair of netscalers in the main datacenters where the TS farms exist today.  We are getting pushback from the networking team, because they deployed an F5 solution to load balance the TS farms as well as some other web based apps.  As I understand it, Netscalers can now do ICA compression, in addition to the GSLB and AGE features. 
Can someone provide some details around the ICA compression piece, and possibly any other features that diferentiate the NS platform from F5? 

I can't speak to the ICA compression aspects, but we use both F5 and Netscaler in our environment.

The Netscaler's pros: better dashboard, easier SSL offloading, better logging, more flexibility with service groups and content switching.  I've also found Citrix's support staff more responsive and effective than F5's.

F5's pros:  the iRule system is superior to the Netscaler's "policies for everything" approach.  Their online community is a big benefit for iRule writers. 

As an IT shop, we are increasing our investment in Netscalers while marginalizing the F5s... but either one works pretty well, depending on what you want to do with it.

Considering the role of an ADC in the overall Citrix landscape, the issues you may have with either platform will be similar and likely few.

The publicly available documentation from both vendors is inconsistent just in different areas.  F5 is certainly pushing you to the latest greatest version of their firmware to get all the bells and whistles.  And yes the F5 docs for the general sustainability releases (aka Safe Harbor) do not necessarily cover all of the needs for the xenapp 5 or 6 environments. 

A general organizational challenge with the deployment of ADCs is how organizations structure the support.  Frequently they land in the networking departments, who have little experience or desire to know about what makes an app tick.  This means that many networking departments treat the ADCs as a fancy router and ignore the advanced features.  If you find yourself fighting these kinds of battles, then NS for your Citrix deployment might make sense as long as you retain the support of the NS devices. 

If you need CAG funtionality, then take an honest look at the Citrix solution landscape and then the F5 APM solution for this functionality.  The CAG citrix solution is more complex (firewall and citrix configs) and can be more expensive if you need true SSL VPN or endpoint analysis than the F5 APM based solution.

My org faced the NS versus F5 discussions based on the one throat to choke and supposed cost savings.  Yes, F5 had made some mis-steps in their support, but are improving significantly these days.  If you are a self starter then the F5 user community is a HUGE resource to tap into.  I did not find much for real indepth NS user community or support, as well as so few of the resources that I did find are manned/staffed by Citrix to ensure that the guidance is proper.  As Citrix is not the only app in our environment, I found Citrix support for other apps to be lacking.  To see this illustrated, compare these two pages:
http://community.citrix.com/display/ns/AppExpert+Templates
http://www.f5.com/solutions/resources/deployment-guides.html

The NS GUI and visualization tools are AWESOME when compared to what the F5 Big IP platform offers.  F5 still lacks comparable visualization tools, but their management GUI has greatly improved with version 10.x. 

The NS all in one approach is an interesting concept that appeals to the financial and data center people, however the reality is much different depending on your use case.  Consider the multi-function printer at your house, if the scanner goes out and you have to send it in for repairs, you cannot do any printing while it is out.  Before you jump on that, it was a strawman to illustrate a point, that if all your ADC eggs are in the single HA pair of NS devices, a failure of one device places your enterprise at a greater overall risk.  Some NS features are more costly(processing) than others and will impact overall platform performance, but they fail to disclose this unless pressed.  The App firewall is the worst player in this space as it can quickly consume a significant chunk of NS cpu and degrade throughput while increasing latency.  F5 chooses to selectively match hardware and modules to ensure that users get the most bang for the buck out of their respective platforms.  Additionally in the later F5 Firmware releases, you can provision resource for the various modules/features should you have a multitasking box, and ensure it's primary functionality are granted the memory, cpu and disk to work at peak performance.

The choices are up to you and your org to decide what makes the most sense, for support, cost, and configuration.  I have managed a few flavors of ADCs (cisco, redline, and F5) for some time, so the concepts are similar, just worded and executed  differently for the most part.  In full disclosure we chose a F5 solution for CAG and general NS functions using the latest firmware. 

Feel free to contact me if you would like to discuss...

Carl B
 

What are the specific special features of AGEE that one should be wary of?

Empirical, objective data to evaluate the platforms does not exist sadly.  The Tolley report used all of the latest Citrix gear and latest firmware, while using an older chassis(yes F5 was shipping newer devices in the timeframe of the report) from F5 with a newer firmware loaded on it.

In my eval. looking at the NS/AGEE versus F5 APM solution in the DMZ for remote users, I determined that the F5 APM solution was the better candidate overall.  I will dive into the specifics of that here and please feel free to question or challenge me on anything that I got wrong.

• Using CSG/CAG requires additional Citrix components such as the STA, further complicating the Citrix deployment. The F5 APM solution handles this inside the APM with a set of IRULES.
• Using CSG/CAG requires a different WI configuration, increasing the configuration items to deploy and troubleshoot in any issue that may arise. The F5 APM solution does not require any modifications to the Citrix WI configurations, simplifying the buildout and troubleshooting steps needed.
• Using CSG/CAG for network access control/endpoint analysis requires a License - the Access Gateway Universal License ( unsure if per user or per concurrent, but still a cost).  The F5 APM has this included for all users, no additional fees.
• Using CSG/CAG for SSL VPN requires a License - the Access Gateway Universal License ( unsure if per user or per concurrent, but still a cost).  The F5 APM has this included for all users, no additional fees.

So even if this was a Citrix only solution, CSG/CAG versus F5 APM, it is ultimately more expensive, in direct license costs and maintenance and upkeep of the environment needed to sustain the CSG/CAG deployment.

So what exactly does the STA do?  My understanding is that it is a stateful token manager for users that the WI has to be configured to use.  When a STA is configured, it keeps track of users connected, an encryption key used for obfuscation of certain data like the actual IP of the Xenapp servers for use in the ICA file, right?  Then you have AGEE acting as a proxy in the DMZ, with the dependency on a WI that uses the STA.

So the F5 APM also acts like a proxy in the DMZ as well.  It then uses their TCL based scripting system to track user connections and obfuscate the XenApp server names in the ICA files.  Oh yeah the APM is what accepts the user credentials and then authenticates the user before allowing them in, also caching these credentials for future resource requests if needed. 

So with the Citrix only solution, you need a separate WI/pnagent config(which means you need STA server/s) to support the AGEE infrastructure, but the F5 APM solution does not require any of this. 

We chose a simpler Citrix implementation  that would work for nearly anything.  The qualifier refers to challenges we are having with Wyse C10LE devices and XenApp.  Seems that the Wyse ThinOS PNLite client is very special...

By default all ADCs act as a TCP proxy for the services that they balance.  The idea of a "ICA Proxy" is simply the additional processing surrounding the obfuscation and marshaling of connections to a tertiary set of services, which most ADCs could probably do with some careful configuration.

The F5 BigIP LTM with the APM or their Edge Gateway device can do all of the "ICA Proxy" functions.  F5 calls this Secure Proxy Mode, and they have Citrix specific configurations available for this.  Authentication is done against AD/LDAP and the Citrix AD store, just as AGEE would do it, however the STA functionality is built into the APM via a TCL based Irule.  The user only needs their Citrix receiver/PNAgent software to connect to their Citrix infrastructure.

This doc from Citrix does a great job of explaining the role that STA plays in the grander scheme of things - http://support.citrix.com/article/CTX101997

This doc from F5 shows how to deploy their APM for XenApp and XenDesktop to handle the AGEE/CSG/SG functions within your Citrix environment - http://support.citrix.com/article/CTX101997

Regards,

CarlB

Hi Ron,
  Never looked into Smart card authentication so I cannot say one way or the other definitively if you are correct.  OOB a LTM may need an additional module(ACA- Advanced Client Authentication) to facilitate the smartcard PKI type of solution you speak of, or maybe use the new APM (Access Policy Manager).  So likely without the proper licenses and base version, it is very likely that you could be correct.

  If you only need an ADC for Citrix, then definitely use a Netscaler, as it appears easier at first blush(yes one vendor maintenance).  I would suggest you really read the APM deployment guide that I linked in an earlier post, as it talks through how it does the ICA Proxy and STA functions, without the need for WI servers configured for STA/CAG/CSG.   Better security is a strawman as well as the smart monitors for XML and WI.  As of version 10, the smart monitors are built in to the LTM for the XML Brokers and WI, and for earlier versions, the Deployment Guides show you how to build them.  And for the record, the base functionality from a request/response perspective, the inputs and outputs have change little since the metaframe days.  A post to the right dll with the proper payload whose fields have not changed for many versions will net a response with certain valid strings to parse and know that all is well.  I have spent far too many hours looking at all of the traffic involved in getting a config, enumerating apps, and then launching an app while debugging issues with a custom ICA client from a certain thin client vendor.  AAC, EPA, and SSL VPN are all features included in the F5 APM system for one cost, and does not require a per user license or force you to buy a higher cost platinum license. 

F5 is a committed player in the ADC space, so they work to deliver not only updates to Citrix, but many other vendors applications.  To get a feel for that, just head over to check out their library of deployment guides (Adobe, Angel learning systems, Apache, BEA Weblogic, Citrix, VMWARE, etc)- http://www.f5.com/solutions/resources/deployment-guides.html  Sure they rested on their laurels for a while, but those days are long gone.

I will do some research about the smart card integration for my own edification, but I find it hard to believe that they cannot deliver a similar solution.

Regards,

Carl B