NetScaler MPX vs. SDX dilemma
Hi again!
Ok, I may be totally off and wrong here but I see a bit of a problem with the Citrix product packaging and offering around the whole NetScaler product.
I love the fact that the product is available as virtual appliances (VPX) and physical appliances (MPX) and the lovely “mix-product” which is the SDX platform. The SDX is a lovely addition and I see so many reasons for why you want to go towards that platform, so bear with me.
The NetScaler product itself is a great product and the feature set it rich! It’s definitely rich in terms of what features it offers from the same appliance! Some of the marketing of the product against competitors is that you can do it all (GSLB, LB, SSL offloading, SSL VPN, Application Firewall, ICA/HDX proxy etc.) on one appliance instead of purchasing several. Have a look at the editions of the product and the rich feature offering;
But I must challenge this whole idea of putting all features/capabilities on one appliance! What if you decide to build a service on the NetScaler product and decide to provide these capabilities;
- Access Gateway
- Network Connect (SSL VPN access)
- Network Proxy (ICA/HDX proxying)
- End-to-end Web Security (AAA etc.)
- Load Balancing (LB, GSLB)
So imagine that if for some reason you need a new version of the NetScaler appliance or if Citrix provides a fix for a bug/issue that is related to one of the capabilities. Then you have to stop your whole service delivery of all of them just to apply a patch/update targeted for one of them. Is that good from an incident, problem, change management point of view? I guess that’s why I like the SDX platform where I then can put the capabilities on different VPX instances on the same SDX HW platform.
This then also leads you to the whole cost of the service if you also like this idea of separation of duties, how much does the SDX cost and what does the VPX instances cost (they are purchased in bundles of 5 where 5 is included with the SDX purchase). And except for the cost of the HW, SW and SA you have the complexity that you have to select which of the SDX platforms to choose (see a more detailed NetScaler Datasheet here). And this is the biggest issue as I see it! I’d like to recommend the SDX platform to more customers than the enterprise segment. But then you have an issue, the SDX platforms starts on the 11 500 appliance.
Why doesn’t Citrix offer the SDX model on the smaller appliances?? I’d like to understand that because I think that most customers out there will not require that much throughput or CCU etc that the 11 500 delivers….
And there are more reasons to why you would like an SDX model other than separation of duties.. but more on that in another post.
Cheers!
//Richard
Leave a comment
The IT Melting Pot! 
Hi Richard — (Disclaimer: NetScaler person here) Our customers of all sizes (small to large) leverage our HA capabilities to provide continuous availability. This means no downtime during upgrades. The benefits of consolidation outweigh the risks by a huge margin.
On a purely practical basis, I remember the days of having each of those as individual boxes. I happened to be at another load balancing vendor at the time (Alteon) and when you stacked the functions up the end-to-end latency was absolutely horrific. Plus, the added complexity of trying to keep everything up and coming up with failover models ended up making things more complex instead of less and arguably a greater risk towards failure. Call it a single person’s memory, but it was what we saw during the heyday of trying to add a lot of application function to the network as a series of individual function boxes.
Your comments about the SDX model options is great feedback. Let me digest that a bit. I might reach out to you with a few more questions.
Thanks for the love. The NetScaler is an awesome product and I’m pretty lucky to get to work with it daily. Glad you like yours.
Cheers.
Hi Steve,
Thanks for the feedback and I’d be happy to discuss different ideas and experiences that myself and colleagues have around the NetScaler platform. And the main one has been around the logical design of how you build the capabilities on the platform. For instance some of the features like AAA are more an Identity & Access Management feature and usually organizationally belongs to one team, and then the AG parts are more a Client Service and belong to another team and is a part of a completely different service delivery.
And if you have a situation where you run into an issue of the AAA feature then you Citrix might come up with a new release or a new sub-feature in newer release that the AAA delivery wants to use, but when implementing that will have an affect on the AG service delivery as well as potential downtime, testing of AG functionality on the new release… and imagine if you have most features enabled on one NS and then you need to upgrade and then all the test cases for all features needs to be triggered and that may have a huge cost impact in terms of service delivery costs and life-cycle management. This could then be reduced by leveraging the SDX platform and pace capabilities on different VPX’s which is very good. But all may not need the heavy 11500 appliances or above and the VPX may just be to small and not suited for instance for high number of AGEE CCU.
Have a great day!
/Richard
Richard I think you may be missing one of the most common use cases for the VPX and that is for test and staging. Citrix actually provides NetScaler customers with a free developer license for VPX Platinum for this exact use case so that you can test new versions and features before you push them live. This is something Citrix extends to customers of all sizes as you only need to own a NS product and you receive this entitlement. Have a read of this whitepaper which details this idea which you refer to as “life-cycle management”
Click to access nsvpxdevtest.pdf
I also concur with Steve’s comments here as well, but appreciate the ownership of management debocle. Truth is that these features are many times very interrelated. Your example of AAA is a good one but from a development perspective, it is something that is shared across features on the box. Enhancements thus can then be shared and not isolated to one function – very important notion for AAA since there are no less than 4 different on-box features that leverage that. Isloation of management is possible as well to deal with the dissimilar groups involved through the use of Command Polices, and Authorization otherwise referred to as RBA which provdes a mechanism to isloate adminstration to specific features. And if this is not suficcient, as you mention you have the holy grail SDX solution which gives you the best of both worlds. I do concur with your desire to have SDX functionality available on a lower end platform and has been something I have been requesting as well for the SMB space. Stay tuned!
Hi Jeff, Thanks for your comment!
And yes I agree with everything you stated above and use that methodology as well when it comes to test, staging and even use the standalone VPX for production in some use cases where the feature set and loads matches the appliance capabilities.
But what I was more after with this blog post is the MPX vs. SDX capabilities. I see a need out there of the SDX “model” but on smaller appliances. And the main reason behind it is the separation of features onto multiple virtual VPX on the same physical appliance like the SDX model. To get back to my example, if you deliver X number of internal web apps to the Intern by using the AAA feature of the NetScaler to thousands of users. These websites may be an online shop or whatever, and then at the same time you leverage the CloudBridge feature to connect your infrastructure to a public IaaS service where you have placed some workloads that are crucial for your business. And then you also leverage the Access Gateway feature to deliver remote working capabilities in the form of SSL VPN and ICA/HDX proxy to hosted client services. Then you have three totally different “services” provided by this NetScaler instance. And lets that this is a MPX appliance so you only have one instance.
What happens if you for run into issues with the AAA feature, like session handling is not working or something else, you talk to Citrix and try to troubleshoot it and you guys find out that there is a bug and after some time release a new build. Then the service owner for the web apps that are leveraging the AAA feature must upgrade for their needs. But they then have to talk to the other service owners that are relying on the CloudBridge and Access Gateway features to agree upon a change window where ALL services could be affected. And this is not that good I personally believe, I think that most would like to then run one instance of NetScaler per “service” instead like you can on the SDX platform. But in this case they would perhaps not need a large appliance with a lot of throughput, but want to use the 5500 or so.
And this way of splitting NetScaler features to NetScaler instances is a way that many will prefer to go to be able to quickly adopt new builds and functionality for their specific need on their NetScaler if needed where others aren’t affected. Or if an issue is identified with a specific feature then you can manage that and address it without having an impact to the other “services” if they run in their own instances. So what I’d recommend them to do then is to split the “services” and related features onto different VPX’s on the SDX platform. Just like you would split customers into different VPX’s in a multi-tenant setup if you are a service provider. So for an inhouse customer you may have an “Access Gateway VPX”, “LB, CSW & GSLB VPX”, “AAA VPX”, “CloudBridge VPX” so segregate the “services” and ensure that they can have their own LCM, change windows, and roadmaps on the SDX platform. Of course this “bundling” would differ from each customer and requirements….
Thanks again for the comment and have a great day!
//Richard
NetScaler SDX 8000 series …. coming soon!