White paper

Advanced load balancing: 8 must-have features for today's network demands

Application availability and scalability are no longer enough. Today's enterprises require an integrated solution that also delivers the highest levels of security and performance for their business-critical Web applications.
Table of contents

Overview
Core load-balancing capabilities: still an essential starting point
  1. Layer 4 load balancing
  2. Layer 7 load balancing
  3. Global server load balancing
Stepping up to application delivery
  4. Application acceleration
  5. Comprehensive application security
Meeting and exceeding expectations
  6. A purpose-built platform: the key to superior scalability
  7. An integrated, modular design: the key to superior agility
  8. Unified, simplified management: the key to superior usability
Summary
Overview

Early-generation server load-balancing technology has proven to be an invaluable asset, especially for organizations hosting widely utilized Web applications. By operating as a virtual entry point to such applications, load balancing provides an opportunity to execute a variety of algorithms for splitting the processing load among back-end servers. In addition, periodic polling to establish the status of participating nodes can be used not only to fine-tune the load distribution but also to avoid directing traffic to servers that are actually offline. In other words, server load balancers (SLBs) are a simple yet highly effective means to scale an application environment while simultaneously ensuring its availability.

Citrix NetScaler in a nutshell (sidebar)

Citrix NetScaler is an enterprise-class solution for server and global server load balancing. However, it is actually much more than that. Because NetScaler also incorporates comprehensive application performance and security functionality, it is appropriately classified as a full-featured Application Delivery Controller. A market-proven solution, NetScaler is used by 8 out of the 10 largest Web sites, with an estimated 75 percent of Internet users hitting a NetScaler daily. Moreover, more than 2,000 enterprises use NetScaler for their public-facing and intranet Web application delivery needs.

Time marches on, however. Business requirements evolve, as do the processes and technologies used to fulfill them. In fact, the following are just a handful of the key changes and trends that have taken hold since SLBs were first introduced:

Organizations have become heavily reliant on ecommerce/ebusiness and the use of the Internet, in general, as a legitimate business tool.

Traffic volumes have risen dramatically, often creating contention for constrained resources (e.g., network bandwidth, system capacity).

Applications have become more complex.
Support for real-time interaction and multimedia content has placed even greater demands on computing infrastructure at the same time that sensitivity to latency has become the status quo.

Computing resources have become increasingly centralized (e.g., due to datacenter consolidation) at the same time that users have become increasingly decentralized (e.g., due to mobility, globalization and offshoring).

The proliferation of regulatory requirements has significantly elevated the business importance of ensuring data privacy and having a comprehensive information security program.

And a shift in hacker motivation has led to a significantly more dangerous threat landscape characterized by a growing percentage of highly elusive application-layer attacks.

What these changes and trends expose, in particular, is the need for enterprises to step up from a simple load-balancing solution to a more comprehensive application delivery solution: a solution that addresses not just scalability and availability of the application environment, but application performance and security as well.

Accordingly, this paper is intended to serve as a guide for organizations looking to replace their early-generation SLBs. Details on the top eight criteria to use during an evaluation process are provided, along with numerous examples of how Citrix NetScaler meets and often exceeds the associated requirements (see sidebar).

8 must-have features for today's network demands

1. Layer 4 load balancing
2. Layer 7 load balancing
3. Global server load balancing
4. Application acceleration
5. Comprehensive application security
6. A purpose-built platform: the key to superior scalability
7. An integrated, modular design: the key to superior agility
8. Unified, simplified management: the key to superior usability
Core load-balancing capabilities: still an essential starting point

These days, placing greater emphasis on enhancing application performance and security is indeed appropriate. By no means, however, does this obviate the need to address fundamental requirements pertaining to application availability and scalability. To ensure these baseline objectives are met, it is recommended that organizations begin their evaluation of an SLB replacement by considering the presence and strength of the feature sets for layer 4 (L4) load balancing, layer 7 (L7) content switching and other L7 traffic management functionality, and global server load balancing.

1. Layer 4 load balancing

The ability to direct traffic based on L2-L4 information (e.g., MAC/IP address and TCP port) should be considered a prerequisite for all load-balancing solutions. Related functionality that should also be present is concerned with health monitoring, session persistence and network integration.

Health monitoring entails using various mechanisms (e.g., ping, SNMP, scripts) to continuously establish the availability and relative health (from a performance perspective) of virtually every part of the application infrastructure: intermediate network links and devices, server hardware, operating system services, and even individual modules of the application itself. The gathered information can then be used to help distribute sessions in a manner that avoids bottlenecks and/or downed components.

Session persistence is necessary for designs where back-end state information is not being shared and, therefore, any given user's session needs to be handled by the same server from start to finish. In this case, various options (e.g., source IP address, cookies, or hashing of various attributes) should be available to ensure follow-on requests continue to be directed to the server node chosen to process the initial request.

Network integration and compatibility are easy to overlook, but equally important.
Put succinctly, the load-balancing platform should simply fit in to the existing environment without the need for modifications. As a result, it should support a wide range of routing protocols (e.g., OSPF, RIP, BGP) and common networking techniques (e.g., 802.3ad link aggregation, 802.1q VLAN tagging).

A leading solution such as NetScaler can be identified by its superior breadth of coverage, measured in terms of the protocols that are supported (e.g., TCP, UDP, FTP, HTTP, HTTPS, and SIP), the load-balancing options/algorithms that are available to choose from (e.g., round robin, least packets, least bandwidth, least connections, response time, SNMP monitoring of back-end resources) and the scope of health attributes that can be monitored.

2. Layer 7 load balancing

Also referred to as content switching, L7 load balancing is essentially an extension of the traffic distribution, health monitoring and session persistence capabilities discussed above. The difference is that routing decisions can also be based on application-layer data and attributes, such as HTTP header, uniform resource identifier, SSL session ID and HTML form data. This difference enables
more-efficient utilization of resources because all of the services and components that comprise an application no longer need to be implemented on all of the server nodes. As a result, each physical system can now be tailored to the functions it will be supporting.

When evaluating solutions against this criterion, emphasis should be placed on the breadth and depth of L7 load-balancing/content-switching policies that can be established, as well as the ease with which they can be constructed or configured. Organizations should also consider the value of a variety of advanced L7 content features not strictly associated with distributing traffic. For example, NetScaler enables content to be rewritten (e.g., to mask sensitive data) and includes a responder module for configuring custom responses (e.g., redirects, error messages) to specified types of inbound requests.

3. Global server load balancing

The general concept of global server load balancing is to extend the core L4 and L7 capabilities so that they are applicable across geographically distributed server farms. The primary objective is to provide an additional degree of availability by accounting for site-level disruptions and outages. Secondary benefits include: (a) being able to further enhance performance for remote users by routing their sessions to the closest and/or best-performing datacenter; and (b) being able to balance and optimize resource utilization on an enterprise-wide basis.

Unlike many other solutions on the market, NetScaler incorporates global server load balancing as an optional feature. A separate, standalone device is not required. NetScaler's other distinct advantage, once again, is that it offers an extensive array of options when it comes to the site-level health attributes that can be monitored, as well as the mechanisms and algorithms that can be used to distribute sessions among an organization's different datacenters.
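The behaviour described in sections 1 and 2 above (health-aware distribution, session persistence, content switching), as an added example that is not part of the original paper and is not NetScaler code. It assumes rendezvous hashing as the persistence hash; the class names, pool names and addresses are constructed for illustration.

```python
"""Toy model: health-aware persistence (L4) plus content switching (L7)."""
import hashlib
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    healthy: bool = True  # updated from health-probe results
    active: int = 0       # currently open connections


class Pool:
    """Back-end servers that sit behind one virtual entry point."""

    def __init__(self, name, server_names):
        self.name = name
        self.servers = {n: Server(n) for n in server_names}

    def report_health(self, server_name, healthy):
        """Record a probe result (ping, SNMP, script) for one node."""
        self.servers[server_name].healthy = healthy

    def _healthy(self):
        return [s for s in self.servers.values() if s.healthy]

    def pick_least_connections(self):
        """Stateless distribution: healthy node with the fewest connections."""
        nodes = self._healthy()
        return min(nodes, key=lambda s: (s.active, s.name)) if nodes else None

    def pick_persistent(self, key):
        """Persistence by hashing an attribute such as the source IP.

        Rendezvous hashing (an assumption of this example): score every
        healthy node with hash(key, node) and take the highest. A client
        keeps its node while that node is healthy, and a failure only
        moves the clients of the failed node.
        """
        nodes = self._healthy()
        if not nodes:
            return None
        return max(nodes, key=lambda s: hashlib.sha256(
            f"{key}|{s.name}".encode()).digest())


class ContentSwitch:
    """L7 front end: the first matching rule selects the pool."""

    def __init__(self, default_pool):
        self.default_pool = default_pool
        self.rules = []  # list of (predicate(request) -> bool, Pool)

    def add_rule(self, predicate, pool):
        self.rules.append((predicate, pool))

    def route(self, request, persist=True):
        """Return (pool name, server name or None) for one HTTP request."""
        pool = next((p for match, p in self.rules if match(request)),
                    self.default_pool)
        if persist:
            server = pool.pick_persistent(request["client_ip"])
        else:
            server = pool.pick_least_connections()
        return pool.name, server.name if server else None


def build_demo():
    """Constructed topology: image and API servers split from web servers."""
    images = Pool("images", ["img1", "img2"])
    api = Pool("api", ["api1", "api2"])
    web = Pool("web", ["web1", "web2", "web3"])
    switch = ContentSwitch(default_pool=web)
    switch.add_rule(lambda r: r["path"].startswith("/images/"), images)
    switch.add_rule(
        lambda r: r["headers"].get("Accept") == "application/json", api)
    return switch, web


if __name__ == "__main__":
    switch, web = build_demo()
    req = {"path": "/cart", "client_ip": "203.0.113.7", "headers": {}}
    _, first = switch.route(req)
    print("initial node:", first)
    web.report_health(first, False)   # health monitor marks the node down
    print("after failure:", switch.route(req)[1])
    web.report_health(first, True)    # node recovers
    print("after recovery:", switch.route(req)[1])
```

When every node in a pool fails its probes, `route` returns `None` for the server, which is the point at which a real deployment would serve an error page or fail over to another site.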
Stepping up to application delivery

The point has already been made that simple, early-generation load balancers are not sufficient. Overall, they leave organizations in the undesirable position of having to acquire and implement an additional set of products to achieve adequate levels of application performance and security. The deficiencies in these early load balancers also explain why leading industry analysts strongly encourage organizations to embrace advanced Application Delivery Controllers (ADCs) when replacing their server load balancers.

The intent with ADCs in general, and Citrix NetScaler in particular, is to have a single device that incorporates not just a core set of load-balancing capabilities but a comprehensive set of application performance and security services as well. The next two sections elaborate on what this means in terms of specific functionality.

4. Application acceleration

Compensating for obvious deficiencies and otherwise enhancing application performance can be a tricky proposition. Sub-optimal application performance can be the result of resource constraints at virtually any point in the path that a user's session traverses. A few of the more likely bottlenecks are inadequate client hardware, insufficient bandwidth at either the client or server end of the connection, and overloaded server infrastructure. Alternately, there can be problems with the application itself. This is frequently the case when the underlying protocols and/or application logic have not been optimized for operation over a wide area network. The resulting condition, referred to as chattiness, is a highly inefficient behavior whereby it takes numerous back-and-forth exchanges between client and server to complete a single, user-level action.
In any event, the diversity of potential issues is why an ideal solution should incorporate an overlapping set of features that enhance application performance. These include caching, compression, TCP communications management and SSL offload.

Caching techniques enable frequently requested content to be served from the load-balancer platform. This technology accelerates delivery to the end user while relieving some of the processing demand placed on back-end servers. These gains are maximized with NetScaler, based on the fact that its AppCache functionality provides in-memory caching not just for static data, but for dynamically generated HTTP application content as well.

Compression is all about reducing the amount of data that must traverse the connection in the first place, even for encrypted sessions. The next generation of Web 2.0 applications frequently includes large numbers of cascading style sheets and JavaScript, making compression even more important. Compression helps alleviate network congestion and can accelerate transactions by 3X-5X.

TCP communications management covers two major items. At the front end (i.e., between the client and ADC), TCP optimization techniques such as forward-error correction, window scaling and buffering help make more efficient use of available bandwidth and reduce the amount of chattiness. At the back end (i.e., between the ADC and server nodes), TCP multiplexing enables the aggregation of a large number of HTTP requests over a much smaller number of long-lived TCP connections. The impact on server load and response time can be quite dramatic, as this significantly reduces the processing demand associated with connection setup and teardown.

SSL offload similarly relieves back-end servers by performing compute-intensive encryption and decryption processes on their behalf, ideally by taking advantage of hardware that is specialized to the task.
Of course, having a comprehensive set of application acceleration features is really just table stakes. With NetScaler, organizations also benefit from having highly granular control over the configuration of these capabilities. This control is particularly important for caching and compression mechanisms since there are often scenarios where: (a) it is preferable to not cache certain content; or (b) the use of compression incurs a greater penalty than the benefit it provides (e.g., for low-latency, high-bandwidth connections).

Pulling double duty (sidebar)

All of the application acceleration capabilities discussed above contribute to a significant, secondary benefit. Specifically, by offloading network and server infrastructure these capabilities often enable organizations to make do with fewer resources, delaying the need for further investments in network bandwidth, routing/switching platforms and server hardware.

5. Comprehensive application security

As an intermediary between users and back-end resources, the SLB/ADC is also an ideal place to implement much-needed security measures. Recalling the trends highlighted earlier (especially those pertaining to the evolution of threats, user mobility, and inter-connectivity), it should be clear that SSL VPNs and application firewalls are two countermeasures, in particular, that deserve attention.
Aside from facilitating remote access, the benefit of having SSL VPN technology as an integral component of an ADC is that it provides fine-grained control over which users have access to which functions in which applications, and under which conditions (e.g., based on type and configuration status of the client device). When properly utilized, this capability can substantially reduce the risk of providing application access to a vast population of remote, mobile and third-party users.

The shortcomings of network firewalls, which concern themselves primarily with network addresses and port-level information, are well documented. In general:

they do not understand the inner workings of protocols/languages such as HTML and XML;
they do not understand HTTP sessions;
they cannot validate user inputs to an HTML application;
they cannot filter or obfuscate sensitive data included in server responses;
they cannot detect maliciously modified parameters in a URL request; and
they are incapable of inspecting SSL-encrypted traffic.

In contrast, it is specifically this depth of visibility and control that enables an application firewall to protect Web applications against a wide range of both known and unknown attacks.

Of course, having robust, application-layer controls does not obviate the need to provide protection at other layers of the stack. This is another area where NetScaler outshines the competition. For example, NetScaler features a customized TCP/IP stack that: (a) enforces a positive security model, dropping all traffic that deviates from common guidelines for packet formation and content; and (b) prevents leakage of low-level information by zeroing the unused portions of reused packets. In addition, NetScaler provides robust connection handling routines to automatically thwart many types of DDoS/flood attacks.

Meeting and exceeding expectations

The final three criteria are what set superior application delivery solutions such as NetScaler apart.
Although many solutions may, in fact, incorporate all of the aforementioned functional capabilities, those that fail to thoroughly address the need for a purpose-built platform, an integrated, modular design and unified management will not be nearly as effective and efficient as those that do.

6. A purpose-built platform: the key to superior scalability

Application delivery is substantially more compute-intensive than ordinary load balancing. Not only is the scope of functionality greater, but so is the depth of processing that needs to be conducted to provide the requisite level of application visibility and control. Less clear, though, is how to account for this difference, especially in ensuring the solution is able to scale appropriately.

The key is having a purpose-built platform: one whose hardware and, more importantly, system-level software have been constructed and optimized explicitly for the higher-level services that define an ADC. Some of the more significant, representative features of a purpose-built platform are:

A customized hardware design. This does not imply that custom silicon (i.e., ASICs) should be used for everything. Indeed, when it comes to L7 operations, general-purpose hardware (e.g., the Intel x86 platform) has proven to be more efficient, adaptable, and therefore economical. However, it is appropriate for solutions to incorporate ASICs for accelerating lower-layer processes that are highly deterministic and repetitive (e.g., cryptographic functions or flow control).
A customized operating system. General-purpose operating systems are interrupt-driven and designed to provide equitable treatment for the widest possible set of applications. However, because it has complete control over functions such as process timing, memory management and network access, the customized system in NetScaler is able to optimize resource allocation for the tasks at hand. The result is a far more deterministic processing model with lower latency and greater overall scalability.

A customized TCP/IP stack. A logical extension of the previous item, this one ensures even greater processing efficiency, and also provides an opportunity to implement the aforementioned stack-level security mechanisms.

An intelligent HTTP parsing engine. Ideally, packet-processing tasks should not need to be repeated for each individual function (e.g., caching, compression).

7. An integrated, modular design: the key to superior agility

For most organizations, having options is a firm requirement. So is having a solution that is adaptable and, therefore, future-proof. Consequently, a top consideration for an SLB replacement is that it feature a modular design. This way individual capabilities (e.g., application firewall, SSL VPN) can be added as needed when the organization is ready to take the next step in the evolution of its application delivery infrastructure. Furthermore, new modules that account for ever-changing conditions can be developed and implemented over time without having to resort to deploying a fleet of additional, standalone devices.

Equally important is that the modules be truly integrated components of the overall system.
For instance:

each module should take full advantage of the embedded scalability, performance and security features of the purpose-built platform;
the presence of any given module should not prevent other functional modules from taking advantage of the system's features (e.g., support for multi-core processing);
modules should be intelligent and selective (for example, if the application firewall requires full, deep-packet inspection of specific traffic flows, then it should not automatically force all other flows to be handled this way); and
individual modules should not require their own, separate management consoles.

NetScaler fully meets these requirements. Its design is highly modular, yet the individual functional capabilities are tightly integrated and completely compatible. Furthermore, all features are available on all units/models all of the time.

8. Unified, simplified management: the key to superior usability

Ultimately, the ability to unleash the full power of an ADC depends quite heavily on the strength and usability of the associated management capabilities. Three elements of the NetScaler solution are particularly helpful in identifying the specific features to look for when considering management capabilities.

The intuitive AppExpert Visual Policy Builder enables application delivery policies to be created without having to code complex programs or scripts. In addition, the unification and consolidation of multiple capabilities in a single solution keep administrators from having to jump between different consoles and policy models.
Citrix EdgeSight transparently instruments HTML pages, providing granular visibility into how Web applications are behaving from the end user's perspective. Detailed results can then be used to fine-tune individual policies and take further advantage of the system's acceleration capabilities to ensure a superior application experience.

NetScaler Command Center enables efficient, centralized administration of system configuration, event management and performance management for organizations that elect to operate multiple NetScaler appliances.

Summary

Early-generation server load balancers are tried and true solutions for improving the availability and scalability of an organization's application infrastructure. Nonetheless, enterprises that persist in using such products run the risk of exposing themselves and their customers to increasingly poor application performance and a seemingly endless stream of application-layer security threats. One option to overcome these shortcomings would be to implement additional, standalone devices that address each of the underlying issues. However, a much more efficient and effective approach is to replace old server load balancers with new Application Delivery Controllers. These tightly integrated appliances not only provide core load-balancing capabilities, but also deliver the highest levels of security and performance for today's business-critical Web applications. Furthermore, the eight criteria detailed in this paper can be used to help ensure that enterprises select a solution that is truly best of breed.
About Citrix

Citrix Systems, Inc. (Nasdaq:CTXS) is the global leader and the most trusted name in application delivery infrastructure. More than 200,000 organizations worldwide rely on Citrix to deliver any application to users anywhere with the best performance, highest security and lowest cost. Citrix customers include 100% of the Fortune 100 companies and 99% of the Fortune Global 500, as well as hundreds of thousands of small businesses and prosumers. Citrix has approximately 6,200 channel and alliance partners in more than 100 countries. Annual revenue in 2007 was $1.4 billion.

2008 Citrix Systems, Inc. All rights reserved. Citrix, AppCache, Citrix EdgeSight and Citrix NetScaler are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are property of their respective owners. 0508/PDF www.citrix.com
White paper

Keys to Web application acceleration: advances in delivery systems.
Table of contents

The challenges of fast Web application delivery
Solving the acceleration challenge: why traditional products fall short
The advantages of an integrated advanced app delivery solution
Citrix NetScaler: an integrated solution for optimal speed and performance
Conclusion
The challenges of fast Web application delivery

Today's enterprises rely heavily on their business applications. Inventory, customer relations, sales, accounting and other applications are the lifeblood of a company's operations, and fast delivery of these applications to users is a major challenge for businesses today. In order to be most productive, employees, telecommuters, business partners, customers and remote office workers must all have unimpeded access to their critical applications like Outlook Web Access. Any delays in delivering these apps quickly or shortcomings in availability and security will cause productivity and profitability to suffer.

Fast isn't easy

Unfortunately, there are many obstacles to delivering applications efficiently. Low-bandwidth, high-latency connections result in low throughput and long wait times. Server resource constraints produce poor response times for users. A large user base strains infrastructure and causes outages. Slow or difficult-to-use remote access causes lost productivity when people are traveling. Incomplete security leaves holes through which private data can be intercepted or applications can be brought down.

Common obstacles to efficient application delivery

Increased application traffic distances
Chatty TCP protocols and poorly written applications
Outdated load-balancing and traffic management appliances
Tightened security requirements for Web servers and Web-based applications
Minimal insight into true application performance
Solving the acceleration challenge: why traditional products fall short

Treating the symptoms is not a cure

When Web application deployment is complete, you may assume that the months of planning and trials will yield a successful application rollout. However, often everything goes according to plan until the application is made available to the entire user community. This can often cause dramatic problems (including slow application delivery and poor performance reducing overall usability) that will affect the entire application and overall success.

While many application issues are not easily quantifiable (e.g., slow application delivery), there are a number of technologies and products available designed to address individual symptoms (see Table 1).

SYMPTOM                             TREATMENT
Poor Web application performance    Load balancer
Poor SSL application performance    SSL acceleration
Poor Web application performance    Content caching
Poor server scalability             TCP optimization
Poor performance over WAN           Content compression

Table 1. Symptom vs. treatment

For many application deployments, there is a combination of the symptoms identified in Table 1, and many more as well. Addressing each of these symptoms would require a multifaceted appliance approach. While each symptom can be treated, the combination of treatments may not provide the best results. In fact, the combination of multiple treatments can cause unwanted and potentially disastrous side effects.

Consider an enterprise-wide deployment of a proprietary Web application. While the application is customized to optimize the business processes and increase productivity, application speed and other performance issues may hinder user productivity. Almost instinctively, many performance-related issues seem to be identified as a network fault, even if the network infrastructure is performing flawlessly for all other applications.
Only after an exhaustive investigation and proof of a network's validity will the problem fall back on the application and its behavior within the infrastructure.
The next approach to solving these problems often consists of adding network-based treatments, such as QoS or adding bandwidth, to treat individual symptoms. This is a costly exercise, which may not solve the overall problem, but temporarily relieves individually identified symptoms. While incremental speed and performance gains can be realized with each individual treatment, there may be a reduced or negative gain overall when combining all of these treatments in a single application infrastructure. For example, management complexity and support costs are tremendously increased with the addition of each device, because different management interfaces of each appliance require additional administration training, and support contracts must be maintained for each appliance.

Figure 1. Multiproduct solution

While the point products deployed in Figure 1 above are designed to treat individual symptoms, they do not address the larger issue: how to accelerate and optimize applications while minimizing network complexity and cost.
The advantages of an integrated advanced app delivery solution

The cure for application challenges

Integrated application delivery systems herald a new category of application networking infrastructures, harnessing the combination of acceleration, availability, security, and cost savings needed for enterprises and ebusinesses to confidently deploy critical applications over IP-based networks.

Today's advanced application delivery systems unify all of the capabilities of conventional load balancers, traffic managers and remote access systems with improved application-based functionality. By combining the features of application acceleration, load balancing, advanced traffic management, delivery and security into a single unified platform, these advanced delivery systems are able to deliver the incremental benefits of each technology.

Figure 2. Advanced application delivery systems

A truly advanced application delivery system should incorporate four key capabilities, which allow complex Layer 7 technologies to be integrated into a high-performance architecture:

1. Acceleration: Delivers applications at maximum speed for all users
2. Optimization: Ensures optimal application performance and scalability
3. Switching: Provides reliable application performance, as well as high availability
4. Security: Ensures application content is secure and servers are protected from application layer attacks.
Citrix NetScaler: an integrated solution for optimal speed and performance.

Citrix NetScaler is an ideal solution for any enterprise seeking accelerated Web application performance, availability, and security. These purpose-built appliances integrate multiple technologies to deliver highly efficient data compression and content caching, greater availability, improved visibility, advanced traffic management and comprehensive security. Citrix NetScaler reduces ongoing operational expenses by consolidating multiple capabilities in a single solution, reducing the number of required servers, and optimizing usage of available network bandwidth.

Figure 3. Citrix NetScaler technology areas and discrete features

Benefits of deploying Web applications with Citrix NetScaler

Citrix collaborates with application developers on a continual basis to test Web applications with Citrix NetScaler to ensure optimal results. Benefits from a Citrix NetScaler integrated solution include:

Enhanced availability of Web applications
Superior response times for users with up to 5x improvement
Expanded scalability of Web application servers
Web application performance visibility

Acceleration: dramatic performance gains with minimal effort

All too often, problems with Web application delivery speed and performance are deemed to be a function of server hardware after network infrastructure has been ruled out. Although the server hardware has a direct impact on server performance, it is not necessarily directly related to application speed and performance. There needs to be a distinction between processing and application performance. Simply increasing processing power in a server may have little or no effect on application speed, performance and scalability. The same may be said for adding load-balanced servers to cope with increased load.

Application-specific optimization features can often offload tedious processes from application servers, freeing them to perform their main function of serving content. This process offload allows servers to scale beyond their original capacity while accelerating content delivery. Citrix NetScaler Application Delivery systems implement a range of Web application optimization features, yielding dramatically improved application performance while increasing server capacity. These results are achieved without requiring any modification to either the server or client systems.

Citrix NetScaler Application Delivery optimization features include:

• TCP Optimization: Reduces the number of client connections each application server has to deal with while optimizing server responses. The result is a server that can support an increased number of users, extend the life of existing hardware investment, and deliver application content with much better performance.
• AppCompress: AppCompress for HTTP provides advanced HTTP compression to speed the delivery of Web-based application data to all users. It accelerates application delivery by 2x to 4x for standard Web pages, and up to 7x for some enterprise application data, while requiring no additional client-side technology.
It also offloads Web servers from performing extensive compression operations, enabling organizations to serve much larger user populations with no additional infrastructure investment.
• Content Caching: Allows static and dynamic application content to be served from the Citrix NetScaler system, dramatically reducing resource and latency requirements for application content re-creation. The result is a dramatic improvement in application performance.

Switching: more than just a balancing act

The problem imposed by legacy switching (load balancing) solutions is that they are developed to inspect and switch traffic at Layer 4, and have limited application content knowledge or capabilities. In contrast, Citrix NetScaler's switching technology provides a way to identify and act on discrete Web application requests per user. By switching at the request level instead of at the connection level, Citrix NetScaler is able to offer a much more efficient solution for application traffic distribution among servers. This provides higher throughput for client requests and ensures fault tolerance in the face of server or application outages.

Citrix NetScaler Application Delivery switching features include:

• Load Balancing: Provides application content distribution among multiple application servers, ensuring increased application performance with failover support for business continuity. Request Switching ensures even traffic distribution irrespective of individual user demands.
• Layer 7 Switching: Provides content-based traffic distribution. This allows administrators to deploy application-specific resources (e.g., image servers and HTML servers) tuned to specific types of application content.
• Global Server Load Balancing (GSLB): Provides geographic and network proximity-based content distribution, ensuring remote users are transparently switched to localized content for their specific region, or proximity switched to a local resource for optimal performance.
• Cache Redirection: Provides integration with existing cache infrastructures by forwarding application content to preconfigured caches.

Security: maintaining application availability

Citrix NetScaler Application Delivery systems provide comprehensive attack protection from Denial of Service (DoS) attacks, Distributed DoS (DDoS) attacks, network-based worms/viruses and application-specific vulnerabilities. At the heart of each Citrix NetScaler system is Request Switching, a multi-patented technology that enables a unique, high-performance Layer 7 feature set. This technology allows Citrix NetScaler Application Delivery Systems to inspect Web application requests and identify malicious content, stopping it before it reaches the application server(s).

Citrix NetScaler Application Delivery security features include:

• Web Application Firewall: Protects Web applications from the growing number of application-layer attacks, including buffer overflow exploits, SQL injection attempts, cross-site scripting attacks and more. In addition to proven attack defenses, Citrix Application Firewall provides identity theft protection by securing confidential corporate information and sensitive customer data.
• DDoS Protection: Identifies and protects application infrastructures from DoS/DDoS attacks. This protection goes beyond the traditional SYN cookie technologies employed by other vendors (see the Citrix NetScaler SYN protection white paper for more details).
• SSL Encryption: Allows application content to be encrypted on the fly, maximizing application throughput by offloading complex encryption tasks from the server.
This ability allows administrators to protect sensitive application content from potential eavesdropping and information misuse.
• SSL VPN: Provides a comprehensive, secure remote access technology for remote users without the use of additional remote client software; instead, it uses common client technology and the Secure Sockets Layer standard for content privacy. Citrix NetScaler SSL VPN technology allows end users to remotely access any application, including non-web client/server applications.

Conclusion

It is essential that Web applications and network infrastructures be considered together as a common application infrastructure that supports strategic business objectives. Citrix NetScaler is designed to ensure successful delivery, protection and use of applications using existing network infrastructures with minimal disruption. The unique features of Citrix NetScaler are designed to optimize Web application communications and resources, secure data center assets, and ensure continued application availability. By deploying Citrix NetScaler within an enterprise or ebusiness infrastructure, an organization can realize immediate cost benefits. The following figure identifies three distinct areas of focus for network and application administrators that affect the application infrastructure ecosystem.

Figure 4. Citrix NetScaler end-to-end application solution

Citrix NetScaler is the industry's first solution that bridges the gap between network infrastructures and applications, optimizing application communications while increasing overall performance. The combination of Citrix NetScaler's innovative features working in unison at wire-speed in a single platform provides dramatic reductions in operational costs and network complexity.

About Citrix NetScaler

Citrix NetScaler optimizes the delivery of Web applications, increasing security and improving performance and Web server capacity. This approach ensures the best total cost of ownership (TCO), security, availability and performance for web applications. The Citrix NetScaler solution is a comprehensive network system that combines high-speed load balancing and content switching with state-of-the-art application acceleration, layer 4-7 traffic management, data compression, dynamic content caching, SSL acceleration, network optimization and robust application security into a single, tightly integrated solution.
Deployed in front of application servers, the system significantly reduces processing overhead on application and database servers, reducing hardware and bandwidth costs.

About Citrix

Citrix Systems, Inc. (Nasdaq:CTXS) is the global leader and the most trusted name in application delivery infrastructure. More than 200,000 organizations worldwide rely on Citrix to deliver any application to users anywhere with the best performance, highest security and lowest cost. Citrix customers include 100% of the Fortune 100 companies and 99% of the Fortune Global 500, as well as hundreds of thousands of small businesses and prosumers. Citrix has approximately 6,200 channel and alliance partners in more than 100 countries. Annual revenue in 2007 was $1.4 billion.

© 2008 Citrix Systems, Inc. All rights reserved. Citrix, NetScaler, AppCache, AppCompress, AppCompress Extreme, Citrix Application Firewall are trademarks or registered trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. Microsoft, Windows, SharePoint and Outlook are registered trademarks of Microsoft Corporation in the U.S. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.

www.citrix.com

Case study
Welch's
Citrix Application Delivery for Manufacturing

"Our number-one project is implementing the Oracle ERP. Giving brokers and co-manufacturers secure access to the system is imperative. Citrix NetScaler was the best solution for delivering Oracle with reliability, speed and cost-effectiveness."
George Scangas, IT Infrastructure Manager, Welch Foods, Inc.

Key benefits

• Provided high availability and performance of Web and Microsoft Windows applications
• Extended Oracle ERP to external partners to streamline business processes
• Ensured security without cost and complexity of a traditional VPN
• Added 250 new users without expanding IT staff

Welch's delivers Oracle E-Business securely and reliably with Citrix NetScaler

A 138-year-old company headquartered in Concord, Massachusetts, Welch Foods, Inc., is the food processing and marketing arm of The National Grape Cooperative Association, Inc., a grower-owned agricultural cooperative. Welch's is the world's leading producer of juices, jams and jellies made from Concord and Niagara grapes. The company has 1,200 employees and a number of processing plants and offices across the United States.

The Challenge: Securely delivering Oracle to brokers and co-manufacturers

Welch's originally implemented Citrix Presentation Server for application delivery to remote employees. However, when the company embarked on a four-year project to replace its existing enterprise resource planning (ERP) solution with Oracle's E-Business 11i Web application suite, it became clear that an expanded application delivery solution was needed.

"Our vision was to enable our 250 external brokers and co-manufacturers to work directly with the Oracle system to put in an order, get a packing list or print an invoice," explained George Scangas, IT infrastructure manager. "We were concerned about data security and also efficiency, since we have a very small infrastructure staff of three."
"We wanted to avoid having to create VPN tunnels for all these users or having to publish Oracle externally."

Welch's IT staff also wanted to ensure exceptionally high availability, speed and reliability of the Oracle suite. The company was looking for a replacement for its outdated server load-balancing solution that could offer compression, caching, TCP offload and other sophisticated optimization technologies.

Implementing a Citrix Application Delivery Infrastructure solution

Welch's upgraded to Citrix Presentation Server, Platinum Edition with Microsoft Windows Server 2003 on three Dell servers to deliver a number of applications, including business intelligence, call center and sales forecasting software, to employees at headquarters and remote locations. To load-balance its four Web servers running the Oracle E-Business application, the IT team considered three different solutions, including Citrix NetScaler, Enterprise Edition. Scangas said,
"NetScaler was the best solution because it integrates nicely with the new Presentation Server farm. The way it's licensed and put together is far superior to the competition." Welch's also valued the SSL VPN functionality of Citrix Access Gateway that is integrated with NetScaler as an optional module.

Working with DeVa Systems Group, a Platinum Citrix Solution Advisor, Welch's implemented four NetScaler appliances to load-balance the Oracle application servers. Two appliances sit in the DMZ to handle external traffic coming in via the SSL VPN, and two sit on the LAN to handle traffic from users at Welch's processing plants, which comes in on a private MPLS network. The NetScaler appliances are also used to load-balance Welch's other Web applications, including its intranet portal.

The granularity and flexibility of the NetScaler solution helped Scangas and his team quickly optimize performance with Oracle. He explained, "NetScaler was caching some objects Oracle didn't like. We were able to put in a special expression to bypass those features."

Networking environment

• Citrix Presentation Server, Platinum Edition running on three Dell blade servers
• Citrix NetScaler, Enterprise Edition (with Citrix Access Gateway module)
• Microsoft Windows Server 2003
• MPLS and Internet connectivity
• Dell PCs and laptops

Streamlining secure application delivery to external business partners

Previously, Welch's brokers and co-manufacturers had to use a clumsy, paper-based process to obtain information from the legacy ERP system. "We used to print out information and fax it to them," recalled Scangas. "Faxes would get lost, and of course, any manual system takes a long time. We wanted them to be able to access the Oracle system directly to speed up business processes, get rid of duplication and improve accuracy. Citrix's load-balancing and optimization technology gives our brokers and co-manufacturers high-performance, high-availability access to Oracle."
"Citrix also protects our corporate network with end-to-end security."

Citrix enables the three-person team to manage this influx of new users without requiring additional staff. "We considered setting up VPN tunnels to connect all the different broker and co-manufacturer locations with the Oracle system, but it would have been a nightmare and very expensive. Citrix SSL VPN technology provides a high level of security without all that cost and complexity."

Improving Performance

From the beginning, Welch's has benefited from improved application performance with Citrix Presentation Server. Scangas said, "Our sales team in Arkansas uses an application called Shiloh to do business with Wal-Mart. Formerly, we had to have a client/server architecture between the Arkansas office and Concord, and it was very slow. When we published Shiloh using Citrix, it sped things up considerably."

Now the new Citrix solution is delivering additional benefits. "The Citrix Presentation Server farm is providing up to a 50-percent improvement in performance over our old farm," he said. "And the NetScaler solution is optimizing performance of Web applications through compression and caching technology. For example, people at remote sites are commenting that their portal pages are loading much faster."

To monitor application performance, the IT team will implement the application performance monitoring capability included in Presentation Server, Platinum Edition. "Our old farm experienced issues such as session disconnections and we had no visibility to actual user experience. Nor did we have a baseline of performance metrics from which to derive system health and availability. We're planning to begin proactively monitoring performance and troubleshooting issues from the datacenter."

Simplifying Licensing

According to Scangas, one of the impressive features of Citrix NetScaler is its simple licensing. "With the competitive solutions we considered, if I needed extra functionality I would not only have to get the right license, but also upgrade the hardware and install a special module. There was no way I could figure it out because there were so many different variables. With NetScaler, I get everything with one license, and if I need an upgrade I just purchase a license for it, no hardware changes."

He concluded, "Our number-one project is implementing the Oracle ERP and giving brokers and co-manufacturers secure access to the system. Citrix NetScaler with the integrated SSL VPN functionality was the best solution for delivering Oracle with reliability, speed and cost-effectiveness."

Applications delivered

• Oracle E-Business 11i Enterprise Resource Planning solution
• Demantra sales forecasting software
• Oracle Discoverer business intelligence software
• Shiloh data warehouse and retail management software
• Microsoft Office and Internet Explorer

About the Citrix Solution

Citrix Presentation Server is the de facto standard for delivering Windows applications at the lowest cost to any user, anywhere. It offers both application virtualization and application streaming delivery methods to enable the best access experience for any user, with any device, working over any network. Citrix NetScaler is an application networking solution that optimizes the delivery of Web applications, increasing security and improving performance and Web server capacity.

© 2007 Citrix Systems, Inc. All rights reserved. Citrix, NetScaler, Citrix Presentation Server and Citrix Access Gateway are trademarks or registered trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries.
Microsoft, Windows, Internet Explorer and Windows Server are registered trademarks of Microsoft Corporation in the U.S. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.

www.citrix.com