Networks for Applications: Next generation of application delivery & security



Transcription:

Networks for Applications: Next generation of application delivery & security Cisco and Citrix Damjan Mirtič, Channel Manager Citrix SEE Ondrej Krkoska, Lead Networking Engineer Citrix EE Grega Zoubek, Lead Mobility Engineer Citrix SEE

Agenda Next generation of application delivery & security in modern cloud environments Integrated solutions Cisco & Citrix Cisco / Citrix NetScaler capabilities Mobile workstyle solutions Demo 2

Our Beliefs The Entire Network must be intelligent 7 6 3 2 1 Networks exist to deliver applications Context trumps connectivity Virtualization 5 user app service will device / is location disruptive 4 The transport network will be flat 3

A LOT of Different Applications 4

Applications Have Different Owners and Needs Desktop Admin Throughput Finance Commerce Collaboration Manufacturing Commerce Sales/ Service Functionality Administration Sales/ Service Finance LoB Specialists LoB Specialists LoB Specialists LoB Specialists Policies Sales/ Service Collaboration Network Comms Manufacturing Service Levels Commerce Commerce 5

Pair per Application/Tenant LB 6

Networks are Evolving Traditional Cloud Centric Virtualized Datacenter = Consolidation 7

Virtualized Data Centers Drive Flat Networks Traditional Pod per App Inefficient Cloud centric Any App, Any Pod Segmented Hierarchical Network Most data flows North/South Network services deployed by pod Much East/West traffic Network Services Layer must Span Pods Driving virtualization and consolidation App A App B App C 8

Consolidation Challenges Application Independence App Requirements throughput, functionality, policies, service levels Tenant Independence Lifecycle requirements maintenance windows, infrastructure change frequency, app change frequency, new features Compliance requirements government regulations, network instability / service interruption, security risks, dmz best practices Separation Policy Organizational Efficiency Financial requirements time-to-revenue, operational cost, capital expense 9

Partition per App/Tenant Shared Instance 10

And L4-7 is Different Resource consumption is independent of number and size of packets Pushing Packets Processing Payloads 11

Partitions / Contexts Fail for True Isolation All tenants Share a single instance Rate limits, RBA and ACLs partition the instance Partitions NOT fully isolated No CPU or memory isolation No version independence No high availability independence No lifecycle independence 12

NetScaler SDX CPU, memory, IO virtualization XenServer Service VM NetScaler VPX NetScaler VPX Palo Alto VM Series XenServer + Intel + SR IOV NICs Independent instances, versions Direct hardware access Service VM Single point for management NetScaler Hardware HW level SSL isolation 13 2012 Citrix Confidential Do Not Distribute HA across devices

NetScaler SDX Isolated instance per tenant Memory, CPU hardwalling Separate entity spaces Version independence Maintenance independence Hardware level SSL isolation Completely isolated networks Single point of control (SVM) HA across devices Fully contained networking appliance 14

3rd Party Support Now open for 3rd party services 15

Cisco and Citrix work together to enable SDN and data center transformation 16

NetScaler 1000V Cisco OEM Virtual NetScaler Nexus 1000v vpath Virtual Network Overlay Nexus 7000 RISE Integration Nexus 9000 ACI APIC VMDC CVD VSA 1.0 VMDC CVD DCI 1.0 Mobile Workspaces CVD 1.0 Prime Network Services Open Daylight FlexPod Cisco, Citrix NetApp VCE Vblock Cisco, Citrix, EMC 17

NetScaler 1000V Sold and Supported by Cisco NetScaler 1000V Cisco OEM Virtual NetScaler

Citrix NetScaler 1000V ADC from Cisco Virtual NetScaler ADC Available as Cisco software Sold and supported by Cisco Sold and supported by Cisco ADC for Nexus 1000V Virtualized Data Center 19

Citrix NetScaler 1000V Platform Options Citrix NetScaler 1000V on ESXi (e.g. UCS) Up to 4 Gbps throughput Works on any commodity server Citrix NetScaler 1000V on Nexus 1110 Nexus 1110 Cloud Services Platform (CSP) Platform for multiple Virtualized Network Services NetScaler SW + Nexus HW = Cisco ADC NetScaler 1000V 20

Nexus 1000V Integration using vpath Virtual Network Overlay through Service Chaining Nexus 1000v vpath Virtual Network Overlay

NetScaler 1000V in the Nexus 1000V Virtualized Data Center Tenant A vwaas ASA 1000V Cloud Firewall Cisco Virtual Security Gateway Cloud Services Router 1000V NetScaler 1000V Zone A Zone B Nexus 1000V Distributed Virtual Switch vpath VXLAN Multi Hypervisor (VMware, Microsoft*, RedHat*, Citrix*) Nexus 1000V vwaas ASA 1000V VSG CSR 1000V (Cloud Router) NetScaler 1000V Distributed switch NX OS consistency WAN optimization Application traffic Edge firewall, VPN Protocol Inspection VM level controls Zone based FW WAN L3 gateway Routing and VPN Citrix NetScaler Application Delivery Controller Citrix NetScaler Web App Firewall 22

vpath Service Chaining Virtual Network Overlay Policy based traffic steering through virtualized network services Cisco VSG VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM 5 4 Cisco Nexus 1000V Distributed Virtual Switch Cisco vpath 3 Citrix NetScaler 1 2 23 vpath Encapsulation Logical packet flow

Use Cases for Service Chaining Multiple Network Topologies Driven by Application Every application has its own network requirements and virtual topology Enables a policy based network topology that can vary by client and application Business Agility Changing networks to reflect new business conditions typically takes weeks to execute thus limiting how quickly a business can react A software defined topology can be imposed almost instantly without any physical reconfiguration. 24

VMDC CVD VSA 1.0 VMDC CVD DCI 1.0 Cisco Validated Designs Virtualized Multiservice Data Center (VMDC)

Cisco VMDC: Virtual Multi Service Data Center CVDs incorporating NetScaler VMDC Virtual Services Architecture (VSA) 1.0 Logical topology optimized for higher tenancy Incorporates NetScaler VPX VMDC Data Center Infrastructure (DCI) 1.0 Virtual private cloud tenant containers in shared data center Incorporates NetScaler SDX Available on www.cisco.com/go/vmdc 26 Citrix NetScaler is ADC for VMDC CVDs

Cisco Prime Network Services Controller NetScaler Integration via OpenStack Prime Network Services

Cisco Prime Network Services Controller Able to configure NetScaler using Openstack APIs 28

Cisco Prime Network Services Controller Configures NetScaler using Openstack APIs NetScaler VPX supported today Configuration from Prime NSC NetScaler 1000V Q2 2014* Configuration from Prime NSC Virtual NetScaler instance creation from Prime controller using Openstack NetScaler 1000V is part of Cisco Cloud Service Cisco Intercloud http://blogs.cisco.com/news/introducing ciscos global intercloud/ 29

Nexus 7000 RISE Integration Cisco RISE N7K Integration with Citrix NetScaler Data Center Automation

Data Center Switching and L4-L7 ADC Services L4-L7 ADC services haven't kept up with L2-L3 switching speeds Switching speeds are Terabit / sec ADC speeds are Gigabit / sec Rules out inline ADC deployments One-arm NetScaler deployments are typical 70-80% of deployments are one-arm 31

One Arm Deployment Challenges Managing traffic flows to the NetScaler is challenging Managing static routes on N7K for application or VIP traffic can be tedious to maintain Manually maintaining Policy Based Routing rules is time consuming, complex, and error prone SNAT rewrites client Source IP, causing loss of Client IP visibility Audit / compliance issue NetScaler services and Nexus switching are configured independently Increases the complexity for deploying and maintaining networks Configuring multiple appliances individually can be a burden Requires additional change control windows Challenge: Provide low touch, automated mechanism to overcome these issues 32

http://www.cisco.com/c/dam/en/us/products/collateral/switches/nexus-7000-series-switches/white-paper-c11-731370.pdf 33

NetScaler Nexus 7000 Integration Benefits Simplification Data Center Automation Simplified Out of Box Experience Significant OPEX Reduction Automated Route Updates Internet 34 Reduces Initial Deployment Steps Simplifies One Arm Mode, Optimizes Traffic Flows in DC, Preserves Client IP Improves Availability, Reduces Downtime vs Dynamic Routing Protocols Integrates L2 L3 Network and ADC in Data Center

Cisco ACI / APIC Nexus 9000 ACI APIC

ACI DRIVING BUSINESS TRANSFORMATION APPLICATIONS BYOD MOBILE COMMON POLICY DECOUPLE APPLICATION & POLICY FROM IP INFRASTRUCTURE CIO IP NETWORK BUSINESS DECISIONS Time Governance SLA Audit Cost 36

APPLICATION CENTRIC INFRASTRUCTURE Nexus 9500 APIC Nexus 9300 and 9500 Physical Networking Hypervisors and Virtual Networking Compute L4 L7 Services Storage Multi DC WAN and Cloud Nexus 7K Nexus 2K Integrated WAN Edge 37

APIC Application Policy Infrastructure Controller Open APIs APIC ACLs PCI Compliant Services Chaining Is Automated Manage Policy Via API and Can Export Policy via API Policy Is Separate from the Network Easy to Isolate with Full Scalability and Security Engineering / Dev and Testing Legal HR Sales Finance Marketing 38

APIC Application Policy Infrastructure Controller Cisco APIC is single point of automation and fabric element management Common policy, management and operations interface Application control and automation over both physical and virtual networking components 39 NetScaler integrates with Cisco APIC for L4 L7 ADC

CISCO APIC CITRIX NETSCALER INTEGRATION NetScaler configured from APIC, based on APIs Deep NetScaler integration for per app, per tenant L4 L7 policy configuration Cisco service chaining and service insertion Telemetry information exchange Intelligent telemetry and visibility for applications and tenants 40

Available Now. In Development. Prime Available Now. Nexus 1k Integration Available Now. Available Now. Available Now. Nexus 7k Integration In Development. ACI / 9k Available Now. Code Donated to Linux Foundation Available Now. 41

Citrix NetScaler Preferred ADC for Cisco Nexus Sold and supported by Cisco Nexus 1000v vpath Integration Nexus 7000 RISE Integration Nexus 9000 ACI Integration 42

ACE migration program Eligible Cisco Products Cisco ACE Module or Appliance Cisco Content Services Switch (CSS) Cisco Content Switch Module (CSM) Cisco Global Site Selector (GSS) 43

NetScaler and the 4 Feature Buckets Clients Internet NS Server 44 Acceleration Security Availability Offload TCP Optimization Web Compression Cache (Static and Dynamic) DDos Protection Content Filtering and Redirection Web Application Firewall SSL VPN Load Balancing Layer 4 and Layer 7 Global Server Load Balancing Content Rewrite and Redirection Surge Protection and Sure Connect TCP Multiplex and Reuse SSL Offload Cache (Static and Dynamic) Consolidated Web Logging TCP Buffering

Layer 4 Load Balancing TCP and UDP Client Requests Maintaining User Sessions Distributing Traffic Monitoring Server Health and Availability Source IP Cookie SSL Session ID Server-ID in URL Query Customer Server-ID Token (header or body) Least Connections Lowest Response Time SNMP-based IBM SASP Hash-based Many more TCP Connection HTTPS Connection Extended Content Verification Scriptable Health Checks 45

Content Switching: Load Balancing on Steroids HTTP Requests Client Attributes Anything in request body Device Type Language Cookie Browser Capability XML XPath support Request Protocol Any TCP Request HTTP Get HTTP Post Request Method Any TCP payload value Any HTTP payload value Domain Wildcard URL 46

Global Application Availability Site A B2C B2B Site B P2P 47

Accelerated Application Delivery CUSTOMERS SSL PARTNERS EMPLOYEES Advanced TCP Optimization Static and Dynamic Caching Hardware Compression Enhanced User Productivity 48

Reduced Load on Servers CUSTOMERS SSL PARTNERS EMPLOYEES SSL Offload TCP Multiplexing and Buffering Static and Dynamic Caching Hardware Compression Supports greater user capacity and more apps with minimal investment 49

Common issues Connection handling Ability to modify DB query contents Scalability Performance Distributing access to replicated databases Securing SQL queries against injection/other attacks Availability Databases Security Need for caching the query results 50

NetScaler DataStream in Database Tier Web/App Tier DB Tier NetScaler DataStream TM TDS Protocol aware Internet Custom Scripts Connection Scale Up Optimal Scale Out Native HTTPSQL TCP Improved Availability High Availability Scalability Conn Multiplexing App Security Content Switching High High Performance Availability No Simple HA HA Simple No LB LB Custom Monitors Microsoft SQL Server HTTP NetScaler ADC ADC TCP Load Balancer 51

Expanded IPv6 Support Best IPv6 performance IPv4 IPv6 Gateway Facilitates transition from IPv4 to IPv6 Mixed IPv4/IPv6 Support 52

Action Analytics NetScaler Insight Center Visibility and Control NetScaler App Delivery Fabric Mobile Devices Netscaler Command Center Management and Orchestration Virtual desktops Web apps Cloud services Data services 53

Achieving Application Visibility with NetScaler 3 rd Party Analysis Tools NetScaler Insight Center Cloud Enterprise Combining NetScaler with Analysis Tools NetScaler generates a wealth of application visibility data by way of AppFlow NetScaler Insight Center is the best way to view Citrix specific data Desktop 54

Web Insight Analytics for Enterprise Applications Break down detailed reporting on enterprise application use, even for SSL encrypted traffic Correlate network metrics with application behavior Determine end user experience without agents NetScaler Insight Center AppFlow 55

NetScaler WAF Web application security & DDoS protection Comprehensive ICSA certified web application security solution Hybrid security model PCI compliance and auditing requirements Protection vs XML based threats Integration with 3rd party vulnerability testing tools for simplified deployment Cenzic Qualys Whitehat IBM AppScan 56

Physical Price Performance Virtual Run Anywhere Platform Multi Service Multi Tenant 57

Cisco / Citrix Mobile Workspaces CVD Mobile Workspaces CVD 1.0

Cisco Mobility Workspace Solution with Citrix Infrastructure ShareFile Managed StorageZone CT 5760 NAT Shared Svcs. 6500 Core 6500 AD ISE CA UCS C Series 1 UCS C Series 2 Remote Users ASA Out Remote users appear to be local when AC Client used. AC Client required for access to WorxStore and StoreFront. XenMobile Device Mgr ASA In & SSLVPN I Edge 6500 Dist 6500 DC Core/Agg 7000 XenMobile App Ctl used for AD SSO with ShareFile StoreFront 2.0 XenDesktop 7.0 XenMobile 8.6 App Cntl ShareFile 2.0 Local SZ Ctl Local Users Access 59

Cisco Mobility Workspace Solution w/citrix 1.0 Components AnyConnect SZ CTL ShareFile StorageZone XenMobile Enterprise Edition NAT ASA Firewall External Firewall NAT translation for SAML Asserts Internal Firewall AnyConnect Remote Access VPN Clientless WEBVPN Full Access both cert and AD required for AuthC Partial Access via AD for AuthC DMZ MDM XenDesktop 7.0 Accessed via StoreFront 2.0 Server OS Machine Catalogs Providing ShareFile access per desktop Role Based Apps Access from: Internal Users External Users via ASA/AnyConnect StoreFront PAN StoreFront 2.0 Access to XenDesktop 7.0 Receiver Client Several Windows Apps MnT ISE Deployment XenDesktop XenDesktop 7.0 Block with App Store PSN Data Center XenMobile Ent 8.6 Device Management Mobile application deployment Device Management Redirects device for AC download, pushes profile and cert for Auth App Controller 2.9 Providing: SAML AD integration for ShareFile Access to: ShareFile Evernote StoreFront Apps/Receiver Access from: Internal Users External Users via ASA/AnyConnect APP CTL SZ CTL CA AD BYOD Services ShareFile SAML FS with App Ctl. ShareFile StorageZone RSA DNS DHCP ShareFile 2.0 Enterprise File Sharing for XenDesktop VDI AD integration through App Contl 2.9 60

Demo Mobile Workstyles 61

Work better. Live better.