Archive
#Citrix #NetScaler #SDX Installation Overview Video
This is a pretty good “quick” video of the SDX installation! Have a look at it, and remember not to use 1Gbps interfaces only if you want to run more than 7 VPX’s on the SDX! Then go for 10Gbps interfaces or many channels/interfaces of 1Gbps to not hit the SR-IOV limit of 7/1Gbps interface! 😉
Description
12:45 screen capture with PPT overview on IP Addressing, and walking through install, IP Change for SDX’s SVM and XS IPs, licenses, and then the install of a NetScaler instance with NSIP and SNIP. This is intended to be a quick overview before you set out on a first SDX install, and is in compliment with the SDX Quick Install Guide.
See the video here!
//Richard
Access Gateway Licensing Demystified
Ok, this is a good blog post from Prashant Batra and touches an area that I get so many questions about!
Access Gateway Licensing Demystified
Access Gateway discussed in this blog is the Access Gateway based on NetScaler, which is popularly referred to as Access Gateway Enterprise. Citrix has recently announced End of Life for all non-NetScaler based Access Gateway platforms, which then makes Enterprise edition, the de-facto Access Gateway.
In this blog, we will discuss the two license types used on your Access Gateway appliance, the two kinds of vServers you can set up to leverage these licenses to provide standard / advanced functionalities, and an example scenario towards the end, to help illustrate these concepts in a real scenario.
License Types
Access Gateway is licensed at two levels:
- Platform License
- Universal License
Platform Licenses
Every Access Gateway (VPX/MPX) comes with a… continue reading here!
//Richard
#NetScaler #SDX design and best practise
Ok, I understand that this is something that I’ve touched upon before as well and received some comments on (NetScaler MPX vs. SDX dilemma). But I’ll still continue the reasoning behind why I think that the NetScaler SDX architecture is great, and that is needs to be offered on all the different platforms/appliance types/sizes!
To kick off the reasoning I recommend that you read this post; #NetScaler #AAA on NS 10.00 Build 70.7 = watch out!. When you’ve read both previous posts I hope that you see where I’m now going with all of this…
Just have a look at this picture where I’m trying to illustrate two design options for how you could build your NetScaler service for a tenant;
And if you then keep in mind about the AAA bug that caused the whole NetScaler engine to crash, what happens in the top scenario if this VPX had been affected? Think about if that NetScaler hosted network connectivity to you public cloud services with workloads, all SSL VPN users connected to the enterprise, all ICA/HDX proxy users into XenApp/XenDesktop, and also provided AAA features to the enterprise web apps used by customers and partners etc.? Wow, that would actually mean that one single 401 basic authentication could have taken down EVERYTHING!
But; if you would have separated your capabilities/features into separate VPX’s then you wouldn’t have had that issue. The “only” thing that would have happened if you ran into an issue that caused the NetScaler to crash then it would only affect that VPX (AAA VPX in the scenario above).
So my personal view is that it’s great that Citrix provides all the features on one appliance/instance. But it also adds quality and test efforts on Citrix to ensure that they perform testing of ALL features and functions before releasing a new build. And that may affect the lead-time to get fixes and new builds released and quality may also be impacted… and that’s what I’m afraid of is happening. So a little word of advice; separate workloads/features when you can and when you don’t want this big of a risk, and prey that Citrix soon delivers the SDX architecture on all appliances! And they would of course perhaps not just sell the larger boxes like they force us into today even if the bandwidth capabilities of that box isn’t required. But they would instead sell more VPX’ on top of the HW, that’s at least what I think.
Comments?
Cheers!
//Richard
NetScaler SDX – value add, #CitrixSynergy #NetScaler
Sitting here listening to the SDX model and its capabilities etc. And I must agree that the concept is great in terms of isolation, flexibility, density and other added values that the platform provides…
But I still see the need for the same SDX model on the smaller appliances where you may need the capabilities of feature isolation etc but where you don’t need the performance/throughput etc. of the larger appliances where the SDX model starts.
If you look at the NetScaler data sheet I can’t understand why you don’t get the SDX model option on for instance the 8200 box and why not down to the 5500?
More on my thoughts on this from my previous blog can be found here.
//Richard
Please contribute – What do we expect from Citrix? – Citrix community enhancement list
Ok, there are a lot of things that I think we all expect Citrix to deliver now in Barcelona when Synergy soon kicks off! But so far I’ve not seen someone that has been combining a community list yet…
And the most important part I feel is that I get more and more information from companies out there that have enhancement requests and issues that they have a hard time expressing and getting into Citrix. The larger enterprises can of course through their channels get more information and also make their voice heard, but the SMB’s have a hard time to do so!
So this is my attempt to start a dialogue with all of U out there on what we expect to see from Citrix in the future! I think it would be interesting to see if the items I’m waiting for a change on is aligned with the rest of the community!
So why don’t we all contribute to a list that we all can share and prioritise over time? I can for a start moderate this list if you comment or send me items that you think should be on the list and then I’ll try to make sure that people within Citrix get the items and I’ll try to follow up! Of course we need help from the CTP’s (just to be clear; I’m not a CTP so don’t get me wrong here) and others as well to put pressure and assist in the governance of this activity.
So this is my first list of items that I think that we can build upon… It’s a first draft and far from the total number of items are there so bear with me! 😉
Please comment below to have your item(s) added to the list and let’s make a change!
ID | Product/Area | Enhancement request/Issue | Status |
1 | Licensing | Ensure that all products supports the license server (NetScaler etc.) | Not fullfilled |
2 | Monitoring & Reporting | Ensure that you can get historical concurrent user reports that spans across ALL products (NetScaler/AG, XenApp, XenDesktop etc.) | Not fullfilled |
3 | Monitoring & Reporting | Ensure that Citrix provides an end-2-end monitoring and reporting service for the whole Citrix stack. This to ensure that delivery organizations can deliver reports like “Service Availability in %” over time that includes all service components (NetScaler AGEE VIP, StoreFront/WI, PVS/MSC, XenServer, XenApp/VDA, Profile Server, etc. If Citrix isn’t going to do this; then please point on a product that does the job. | Not fullfilled |
4 | Monitoring & Reporting | Provide a monitoring solution to ensure health and best practise configurations of all products involved in a traditional “XenDesktop” stacked service. | Not fullfilled |
5 | Cross-product | Improve your testing!! There have been to many issues with updates to products in the “Citrix stack” that has caused issues in others, like update to XenServer that caused PVS issues, or updates to a specific NetScaler feature that caused others to fail. | Not fullfilled |
6 | Cross-product | Create an central update service for all products that can inform the admin about updates not applied or if components aren’t in synch in terms of SW versions etc. | Not fullfilled |
7 | Cross-product | Ensure that the end-user look & feel are the same across the products used in the stack (NetScaler AGEE login page, Web Interface/StoreFront, Receiver etc..). This should not require admins to do and should be a design principle. | Not fullfilled |
8 | Cross-product | Come on, simplify the administration of the products in the stack = reduce the number of consoles! | Not fullfilled |
9 | AppController | Multi-domain support | Not fullfilled |
10 | AppController | Support for multiple setups that can synch the DB. This to ensure that you can have an HA pair setup for instance in Europé and one in the North Americas and have the end-user be logged in against both and have their subscriptions etc follow them (as well as of course reporting, monitoring etc. etc.) | Not fullfilled |
11 | AppController | Support for really large AD domains with LARGE # of AD users and AD groups | Not fullfilled |
12 | AppController | Support for AD domain structure where the BASE DN is different to where AD users and the AD security groups you want to use for roles | Not fullfilled |
13 | EdgeSight | Ensure that EdgeSight or equivalent end-user monitoring and reporting is integrated and that works on both XenApp and XenDesktop VDA’s and that doesn’t increase the IOPS with rediciolous numbers… | Not fullfilled |
14 | NetScaler | Create SDX platform to run on all MPX appliances, for more info why see; NetScaler MPX vs. SDX dilemma; https://richardegenas.com/2012/10/03/netscaler-mpx-vs-sdx-dilemma/ | Not fullfilled |
15 | NetScaler | Provide out of the box integration with the Single Sign-On product (former CPM) so that Account Self-Service can be made directly from AGEE VIP login page. | Not fullfilled |
16 | NetScaler | Add support for AG session policies so that ICA proxy can be turned on for specific published apps and desktops and not per session. This for situations where you might have one app or desktop that sits behind an AGEE and others don’t. | Not fullfilled |
17 | NetScaler | The NetScaler/Access Gateway HTML/GUI pages used shall be able to be customized per AGEE/AAA Virtual Server. Today they are global pages so that specific modifications/customizations cannot be made and you have to buy an additional NetScaler unless major customizations are done and then life-cycle management becomes an issue. | Not fullfilled |
18 | NetScaler | Change so that you can specify different Authentication policies and requirements mapped to Session policies instead of to a Virtual Server, AAA group etc. This could then provide a way so that you could offer ICA proxy mode with single auth and two-factor if you launch/select to open an SSL VPN tunnel | Not fullfilled |
19 | NetScaler | It would be good if you on the Receiver could select what authentication you want to perform upon login and not just at setup of the Account. That would mean that you could pass that info the the NS VS and then in AGEE handle that to the authentcaiton policies and session policies. Then a user that has forgotten a hardtoken could still get access but only in ICA proxy mode and have all virtual channels disabled without having to have multiple accounts in the Receiver and admin doesn’t need multiple NS AGEE VS. | Not fullfilled |
20 | Merchandising Server | Ensure that it supports larger AD environments and multi-domain support | Not fullfilled |
21 | Merchandising Server | Create a central DB for config etc or ensure that MS is migrated into SF asap. | Not fullfilled |
22 | Provisioning Services | Improved/simplified support/update functionality for when you use KMS licensing | Not fullfilled |
23 | Provisioning Services | Create REAL update msp or msi files for updates, you can’t require admins to go in and replace DLL-files etc in 2012 | Not fullfilled |
24 | Provisioning Services | Implement replication of vDisk files (diff-files) etc so that it’s automated within the PVS solution so that you don’t have to rely on DFS-R etc. | Not fullfilled |
25 | ShareFile | Ensure that encryption on local devices are available for all device types and OS’s (iOS, Android, Windows Phone, Win XP/7/8, Linux, OS X) | Not fullfilled |
26 | ShareFile | Design the product so that you could leverage public storage providers for your storage but encrypt it using your own PKI service and proxy traffic to it through the Storage Center server(s) without having to invest in in-house storage solutions and reduce CAPEX. | Not fullfilled |
27 | ShareFile | Design the solution so that you can configure the plygin/Receiver functionality when it comes to StoreFront on groups/roles instead of just for the whole account. | Not fullfilled |
28 | Storefront | Support for multiple setups that can synch the DB. This to ensure that you can have an HA pair setup for instance in Europé and one in the North Americas and have the end-user be logged in against both and have their subscriptions etc follow them (as well as of course reporting, monitoring etc. etc.) | Not fullfilled |
29 | Storefront | Simplify configuration and branding of the StoreFront for Web sites like most other providers have and they had in Web Interface | Not fullfilled |
30 | Storefront | Add all features that where available in Web Interface | Not fullfilled |
31 | StoreFront | Design the product to allow the user to select whether he/she can group apps and desktops into folders or tabs in StoreFront for Web | Not fullfilled |
32 | Receiver | Ensure that email-enrollment to StoreFront stores can somehow support multidomain support (like if you have multiple users having the same email-address; name@company.com can be linked to different AD domains | Not fullfilled |
33 | Receiver | Corporate branding for the Receiver, logo, text etc. | Not fullfilled |
34 | Receiver | Ensure that all Receivers have the same look & feel and functionality. Like the secondary and primary password field names should be the same on a Mac and a Windows client, as well as other features. | Not fullfilled |
35 | Receiver | Add so that Receiver passes DOMAINNAME to NetScaler/AG VS so that it can be used to determine which AD domain to authenticate with. In todays version you have to either make one VS per domain or cascade through multiple domains on the same VS. And cascading is available as a workaround but triggers failed logins against AD and is not that nice and security/AD teams are not that happy… | Not fullfilled |
36 | XenDesktop | Support for Linux VDA’s (Ubuntu for example) | Not fullfilled |
37 | XenApp | Support for Linux Terminal Servers (Ubuntu for example) | Not fullfilled |
I’ll post an excel-spreadsheet as well for download soon, and then let’s see if there is an interest or not! 😉
Cheers!
//Richard
NetScaler MPX vs. SDX dilemma
Hi again!
Ok, I may be totally off and wrong here but I see a bit of a problem with the Citrix product packaging and offering around the whole NetScaler product.
I love the fact that the product is available as virtual appliances (VPX) and physical appliances (MPX) and the lovely “mix-product” which is the SDX platform. The SDX is a lovely addition and I see so many reasons for why you want to go towards that platform, so bear with me.
The NetScaler product itself is a great product and the feature set it rich! It’s definitely rich in terms of what features it offers from the same appliance! Some of the marketing of the product against competitors is that you can do it all (GSLB, LB, SSL offloading, SSL VPN, Application Firewall, ICA/HDX proxy etc.) on one appliance instead of purchasing several. Have a look at the editions of the product and the rich feature offering;
But I must challenge this whole idea of putting all features/capabilities on one appliance! What if you decide to build a service on the NetScaler product and decide to provide these capabilities;
- Access Gateway
- Network Connect (SSL VPN access)
- Network Proxy (ICA/HDX proxying)
- End-to-end Web Security (AAA etc.)
- Load Balancing (LB, GSLB)
So imagine that if for some reason you need a new version of the NetScaler appliance or if Citrix provides a fix for a bug/issue that is related to one of the capabilities. Then you have to stop your whole service delivery of all of them just to apply a patch/update targeted for one of them. Is that good from an incident, problem, change management point of view? I guess that’s why I like the SDX platform where I then can put the capabilities on different VPX instances on the same SDX HW platform.
This then also leads you to the whole cost of the service if you also like this idea of separation of duties, how much does the SDX cost and what does the VPX instances cost (they are purchased in bundles of 5 where 5 is included with the SDX purchase). And except for the cost of the HW, SW and SA you have the complexity that you have to select which of the SDX platforms to choose (see a more detailed NetScaler Datasheet here). And this is the biggest issue as I see it! I’d like to recommend the SDX platform to more customers than the enterprise segment. But then you have an issue, the SDX platforms starts on the 11 500 appliance.
Why doesn’t Citrix offer the SDX model on the smaller appliances?? I’d like to understand that because I think that most customers out there will not require that much throughput or CCU etc that the 11 500 delivers….
And there are more reasons to why you would like an SDX model other than separation of duties.. but more on that in another post.
Cheers!
//Richard