Optimizing Web Application Delivery with Citrix NetScaler
October 30, 2017 | Author: Anonymous | Category: N/A
Optimizing Web Application Delivery with Citrix® NetScaler®
Johnson Mok, Systems Engineer, Citrix Systems, Inc.
Six Keys to Successful App Delivery
(Diagram: Users on one side, Apps on the other, with six Citrix products in between.)
• Citrix® NetScaler®: Deliver Web Applications (Optimizing Web Application Delivery)
• Citrix Presentation Server™: Deliver Windows Applications
• Citrix Desktop Server™: Deliver Desktops
• Citrix EdgeSight™: Monitor End User Experience
• Citrix WANScaler™: Accelerate Apps to Branch Users
• Citrix Access Gateway™: Enable Secure Application Access
© 2007 Citrix Systems, Inc.—All rights reserved, Citrix Company Confidential
Key Questions
• Why do web applications need to be optimized?
• What exactly is optimized delivery?
• How can web applications be optimized?
Web Application Delivery Challenges
• Web protocols are extremely “chatty”
• Remote users are further away from apps
• Apps are being moved into fewer, centralized datacenters
• Increased security requirements
Optimizing Web Applications
• Accelerate performance
• Improve efficiency
• Ensure availability
Key Optimization Concepts
• Time: time to generate vs. time to transmit
• Cost: cost to generate vs. cost to transmit
Accelerating End-User Performance
(Diagram: NetScaler sits between application users and the application infrastructure.)
• Advanced TCP optimizations
• Content compression
• Differential compression
Accelerates secure application delivery by up to 15x
Compressing Application Data: Citrix® AppCompress™
Why compress application data?
• Fewer round-trips to send the data, resulting in lower application response times
• Most web content is not stored compressed
• All modern browsers support GZIP compression
• Completely transparent to application users
• Compression decision is based on the client’s User-Agent header
• NetScaler policy is determined by User-Agent and MIME-Type
• Typical compression ratios vary from 3:1 to 5:1
• Compresses application data at 1300+ Mbps
Differential Content Compression: Citrix® AppCompress Extreme™
(Diagram: dynamically generated data flows from data center applications to end users.)
• On subsequent requests only changed data is sent
• Virtually instant response time for end users
Improving Server Efficiency
(Diagram: NetScaler sits between application users and the application infrastructure.)
• SSL acceleration
• TCP buffering
• TCP multiplexing
• Citrix AppCache™: static and dynamic caching
Supports more users and more applications with minimal investment
SSL Acceleration
Confidentiality:
• Specialized silicon accelerates all SSL operations
• Supports ALL Layer 7 (HTTP) policies
• FIPS 140-2 Level 2 compliant
• Re-encryption for end-to-end security
Performance:
• High performance: 28800 TPS for 1024-bit RSA; 3 Gbps RC4-MD5 for bulk encryption
• Benefits: server offload of compute-intensive operations; reduces the cost of yearly SSL certificate management
Caching Application Data: Citrix AppCache™
(Diagram: the initial request fetches the original content from the application; additional requests from customers, partners, mobile users and remote employees are served from the cached copy.)
Dynamic Caching: Real-world Benefits
(Chart: before NetScaler vs. after NetScaler.)
TCP Connection Offload
(Diagram: the client completes the three-way handshake (SYN, SYN+ACK, ACK) with NetScaler and sends its GET; NetScaler forwards the GET to the web server, relays the data back to the client, and the connection is closed with FIN/ACK in each direction.)
TCP Connection Multiplexing
(Diagram: many client connections on one side and a shared client-to-server connection to the web server on the other, carrying application requests.)
1. NetScaler terminates the client connection
2. Client transmits requests
3. NetScaler establishes a server connection
4. NetScaler transmits the client requests
5. Other clients follow the same procedure
6. Multiple client requests are transmitted across a common server connection
Improving Server Utilization: Real-world Benefits
(Chart: load on servers before NetScaler vs. load on servers after NetScaler.)
Free up web application servers to do more with less
Ensuring Application Availability
(Diagram: NetScaler sits between application users and the application infrastructure.)
• Layer 4 load balancing
• Layer 7 content switching
• DDoS attack protection
• Surge protection
Guarantees maximum application availability
Layer 4 Load Balancing: TCP and UDP Client Requests
Maintaining user sessions (persistence):
• Source IP
• Cookie
• SSL Session ID
• Server-ID in URL query
• Custom Server-ID
• Rule based
Distributing traffic (load balancing methods):
• Least connections
• Lowest response time
• Least bandwidth
• Round robin
• Hash-based
• Many more…
Monitoring server health and availability:
• TCP connection
• HTTPS connection
• Extended content verification
• Scriptable health checks
What Is Layer 7 Load Balancing?
• Recall that TCP offload identifies individual HTTP requests
• An HTTP request has several components:
  • A URL (e.g., http://www.foo.com/content.html)
  • A cookie
  • Client information (e.g., browser type)
• Load balancing decisions can be based on HTTP!
  • Direct requests to groups of servers based on their URL
  • Keep users that have logged into an application going to the same server
• Used to send specific URLs to specific servers
  • E.g., all requests to app.cgi go to server1, requests to app2.cgi go to server2, etc.
Layer 7 Content Switching: HTTP Requests
(Diagram: requests from application users are switched to the application infrastructure based on request attributes.)
Request method:
• Get
• Post
URL:
• Domain
• Wildcard URL
Attributes:
• Device type
• Language
• Cookie
• Browser capability
Denial of Service (DoS) Attacks
Successful DoS attacks can overwhelm servers and:
• Impair application performance
• Deny legitimate application access
• Consume bandwidth (some types)
DoS attacks are common and easy to generate:
• Packet floods
• SYN floods
• GET floods
• SSL floods
Challenge: how to distinguish legitimate application users from malicious clients?
Defense: SYN Cookies
• SYN cookies were introduced in September 1996 by D.J. Bernstein
• He pointed out that this protection could be implemented with no changes to the TCP/IP protocol (http://cr.yp.to/syncookies.html)
• The basic idea was to use cryptographic techniques to provide an entry ticket of sorts for new connections:
  1. When a connection request was made, a SYN cookie would be formulated and sent back to the requestor
  2. The information in this SYN cookie would be used in the final acknowledgement to prove that the client was legitimate, and to allocate resources for that connection
Resource Allocation
• NetScaler never makes any resource allocation for a connection until the client has fully completed the three-way TCP/IP handshake
  • Fundamentally important for withstanding massive floods of SYN packets
  • By refusing to allocate any resources whatsoever until a connection is completed, NetScaler avoids any server resource limitation issues during these attacks
• NetScaler never causes any resources on a server to be allocated to a connection until the client has sent a valid request
  • Ensures that the server is only handling fully completed and legitimate clients
  • The server never knows about the client until a valid request has been made
HTTP DoS Attack: GET Flood
• GET DoS attack:
  • User creates valid TCP connections
  • Sends surges of HTTP GET requests
  • Server is now busy serving malicious clients
  • Genuine clients suffer
• HTTP DoS attack client attributes:
  • Thin/lightweight
  • Distributed across unsuspecting hosts
  • No response parsing capabilities
  • Not a browser
• Objective:
  • Distinguish between real and malicious clients
  • Drop the malicious clients and serve the real ones
NetScaler GET Flood Protection
(Diagram: a legitimate client, Citrix NetScaler and the web server.)
1. Client request arrives at NetScaler
2. NetScaler responds with JavaScript that sets a cookie
3. Client executes the JavaScript
4. Request is re-issued with the cookie
5. NetScaler forwards the request to the server
6. Server response
7. Response is sent to the client
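The cookie challenge in the diagram, as an added illustration rather than Citrix's code: the edge issues an HMAC token bound to the client address and a time window, a browser that runs the script re-issues the request with the cookie and is forwarded, and a thin flood client that cannot parse responses never obtains a token. SECRET, the cookie name and the window length are constructed for the example.

```python
import hashlib
import hmac

# Constructed values for this example; a real deployment uses its own key and names.
SECRET = b"constructed-example-key"
COOKIE_NAME = "ns_challenge"
WINDOW = 300          # seconds per window; current and previous window are accepted

def _mac(client_ip, window):
    msg = f"{client_ip}|{window}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]

def issue_token(client_ip, now):
    """Token bound to the client address and the current time window."""
    window = int(now) // WINDOW
    return f"{window}:{_mac(client_ip, window)}"

def challenge_page(client_ip, now):
    """Step 2 of the diagram: JavaScript that sets the cookie and re-issues the request.
    A flood client that does not execute JavaScript never gets past this page."""
    token = issue_token(client_ip, now)
    return ("<html><body><script>"
            f"document.cookie='{COOKIE_NAME}={token}; path=/';"
            "location.reload();"
            "</script></body></html>")

def token_is_valid(token, client_ip, now):
    if not token or ":" not in token:
        return False
    window_str, mac = token.split(":", 1)
    if not window_str.isdigit():
        return False
    if int(now) // WINDOW - int(window_str) not in (0, 1):
        return False                                   # expired, or from the future
    # constant-time compare; a token copied from another address fails here
    return hmac.compare_digest(mac, _mac(client_ip, int(window_str)))

def handle_request(client_ip, cookie_header, now):
    """Return ('forward', None) for a proven client, ('challenge', html) otherwise."""
    cookies = dict(part.strip().split("=", 1)
                   for part in cookie_header.split(";") if "=" in part)
    if token_is_valid(cookies.get(COOKIE_NAME), client_ip, now):
        return "forward", None
    return "challenge", challenge_page(client_ip, now)
```

Because the page re-issues the request with location.reload(), only idempotent GETs survive the round trip, and a client that does execute JavaScript will pass; the check raises the per-request cost for an attacker rather than proving a human is present.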
NetScaler and DDoS
• NetScaler’s core packet engine is extremely fast
• Large-scale attacks can be handled:
  • 475,000 GETs/sec for ILOVEYOU
  • 2 million SYN/sec (approx. 1.3 Gbps throughput)
  • 1.6 million DNS queries/sec
• CPU utilization scales linearly with the attack
• No interference with other functionality
Traffic Surges: Attack or Legitimate?
• The “Super Bowl commercial” scenario:
  • Large flood of new connections arrives
  • Could be a DoS attack or legitimate traffic
• Unprotected servers will choke:
  • New connections unable to complete
  • Existing connections time out
Surge Queue
• Keep at most n requests outstanding to the server
• Most LB devices will have a “max” at which requests are dropped
• During a surge of traffic, the requests are queued instead
• Results:
  • Protects servers from “death spirals”
  • Maintains throughput (weather.com during hurricanes)
  • Keeps requests from being dropped under load
  • Users never see “Service Unavailable” messages
NetScaler Surge Protection
(Chart: responses per second, server connections and client connections over time, before NetScaler and after NetScaler; the after view adds the surge queue.)
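The surge queue described on the previous slide, as an added discrete simulation (not NetScaler's implementation): the server never has more than max_outstanding requests in flight, and excess arrivals are queued rather than dropped. A queue_limit of 0 reproduces the plain “max connections” behaviour the slide contrasts it with. The arrival pattern and server capacity are constructed.

```python
from collections import deque

class SurgeQueue:
    """Keep at most max_outstanding requests on the server; queue the rest."""

    def __init__(self, max_outstanding, queue_limit=None):
        self.max_outstanding = max_outstanding
        self.queue_limit = queue_limit      # None = unbounded surge queue
        self.in_flight = 0
        self.waiting = deque()
        self.served = self.dropped = self.peak_queue = 0

    def arrive(self, request_id):
        if self.in_flight < self.max_outstanding:
            self.in_flight += 1             # free server slot: send immediately
            return "sent"
        if self.queue_limit is not None and len(self.waiting) >= self.queue_limit:
            self.dropped += 1               # what a plain "max" limit does
            return "dropped"
        self.waiting.append(request_id)
        self.peak_queue = max(self.peak_queue, len(self.waiting))
        return "queued"

    def server_done(self):
        """One response came back; hand the freed slot to the next queued request."""
        self.served += 1
        if self.waiting:
            self.waiting.popleft()          # slot stays busy with the next request
        else:
            self.in_flight -= 1

def simulate(arrivals_per_tick, server_rate, max_outstanding, queue_limit=None):
    """arrivals_per_tick: constructed list of request counts, one entry per tick;
    the server completes up to server_rate of its outstanding requests each tick."""
    sq = SurgeQueue(max_outstanding, queue_limit)
    next_id = 0
    for count in arrivals_per_tick:
        for _ in range(count):
            sq.arrive(next_id)
            next_id += 1
        for _ in range(min(server_rate, sq.in_flight)):
            sq.server_done()
    return {"served": sq.served, "dropped": sq.dropped,
            "peak_queue": sq.peak_queue, "still_queued": len(sq.waiting)}
```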
Global Server Load Balancing for Disaster Recovery
(Diagram: a client directed to one of Site 1, Site 2 or Site 3.)
• Distributes traffic among multiple sites
• Reduces application latency
• Provides remote access disaster recovery
Citrix NetScaler System Architecture
Functional modules:
• Application Availability: Load Balancing, Content Switching, Global Server Load Balancing
• Application Optimization: SSL Acceleration, AppCache™, AppCompress™, AppCompress MP™, AppCompress Extreme™
• Application Security: Content Filtering, Denial of Service, SSL VPN**
** Future functionality
Core platform:
• AppExpert™ Policy Engine with the Application Networking Module Interface
• NetScaler OS™: Availability, Optimization, Security
• Request Switching™ High-Speed Packet Processing Engine
Citrix NetScaler Command Center: Centralized Management
• Device discovery
• Fault management
• Configuration
• Auditing
• Performance
• Security
AppExpert Policy Engine
• Simple policy creation
• No programming or scripting required!
• Common framework for all traffic management functionality
• No performance degradation
Independent Test Results
Source: The Tolly Group (June 2005). Test applications: Google (web), Oracle (enterprise).
(Chart: response time and speedup for three tests with no acceleration, AppCompress HTTP, and AppCompress Extreme Compression.)
• Standard web page with no changes: no acceleration 1X (14 sec); AppCompress HTTP 7X (2 sec); Extreme Compression 47X (0.3 sec)
• Standard web page with moderate changes: no acceleration 1X (16 sec); AppCompress HTTP 8X (2 sec); Extreme Compression 22X (0.7 sec)
• Enterprise application report query: no acceleration 1X (16 sec); AppCompress HTTP 4X (4 sec); Extreme Compression 4X (4 sec)
Citrix Application Delivery Infrastructure
(Diagram: Application Visibility, Application Security and Application Delivery connect users to apps over any network.)
Citrix NetScaler Appliance Family
• NetScaler 7000: 1U; 1 power supply; single processor; 1 GB memory; network interfaces: Qty. 6 - 10/100 and Qty. 2 - 10/100/1000; system throughput 600 Mbps; HTTP compression throughput 150 Mbps; 50K HTTP requests per second; SSL encrypted throughput 150 Mbps; 4400 max. SSL transactions per second
• NetScaler 9000: 2U; 2 power supplies; single processor; 2 GB memory; network interfaces: Qty. 4 - 10/100/1000 or Qty. 4 - GB fiber; system throughput 3 Gbps; HTTP compression throughput 400 Mbps; 125K HTTP requests per second; SSL encrypted throughput 500 Mbps; 4400 SSL transactions per second
• NetScaler 10000: 2U; 2 power supplies; single processor; 4 GB memory; network interfaces: Qty. 4 - 10/100/1000 or Qty. 4 - GBit fiber; system throughput 4.8 Gbps; HTTP compression throughput 555 Mbps; 250K HTTP requests per second; SSL encrypted throughput 760 Mbps; 8800 SSL transactions per second
• NetScaler 12000: 2U; 2 power supplies; dual processor; 4 GB memory; network interfaces: Qty. 8 - GBit SFP fiber or copper; system throughput 5.5 Gbps; HTTP compression throughput 1.3 Gbps; 275K HTTP requests per second; SSL encrypted throughput 3 Gbps; 28,000+ SSL transactions per second
Proven in the World’s Most Mission-Critical Environments
• 75% of Internet users
• 4,000 enterprise deployments
#1 in Technology, #1 in Customer Satisfaction
• 15x faster application response time: 224 sec before NetScaler, 13.8 sec after NetScaler (Source: TCS Consulting Services, Performance Analysis of Oracle E-Business Applications, 2005)
• Customer satisfaction: NetScaler 76%, Cisco 36%, F5 23% (Source: Frost & Sullivan, 2005, percentage of customers who gave the vendor a perfect 5-of-5 rating for overall customer satisfaction)