Introduction
NetScaler Insight is a fantastic tool for understanding what is actually happening in a user's HTTP or HDX session. It provides information on the characteristics of each user session, which was the missing component in Citrix deployments until its release. The whole point of using Citrix software is to give users the best experience when accessing their applications or data, wherever they may be, so when a user has a bad experience it is important to find the problem and get it fixed quickly. NetScaler Insight is key to this troubleshooting process.
Since it was introduced, the development team at Citrix has made great strides in improving the product and enhancing its features and scalability. This blog looks at one of the new features in version 11 firmware, which makes collecting HDX analytics in the trusted security zone much easier by using a SOCKS proxy on the NetScaler. The blog also gives some details about the different ways of providing for data collection.
HDX data capture options
One thing that has been constant when designing a solution to gather HDX Insight analytics is the need to have a NetScaler or CloudBridge somewhere in the transport path; that device provides the AppFlow detail that Insight then presents to the administrator. There were three ways of obtaining this information using a NetScaler:
- Using NetScaler Gateway.
- Transparent mode, either L2 or L3 based.
- Policy-based routing, sometimes called lollipop mode.
With the release of 7.4 it is also possible to add another set of AppFlow collection options using a CloudBridge device. The CloudBridge options are:
- Data center mode.
- Data center and branch mode.
- In conjunction with a single-hop NetScaler Gateway.
- In conjunction with a double-hop NetScaler Gateway.
With the release of NetScaler version 11 firmware, an additional option has become available. The SOCKS proxy option is a NetScaler configuration option that provides an alternative way of collecting analytics for LAN users' applications, without some of the difficulties associated with the L2, L3 or PBR options.
The following document contains details of the different modes in 10.5.
http://docs.citrix.com/en-us/netscaler-insight/10-5/ni-enable-data-wrapper-con1/ni-enable-hdx-wrapper-con.html
This document contains further details of the different modes now available in 11.0, which add multi-hop NetScaler Gateway to the 10.5 content.
http://docs.citrix.com/en-us/netscaler-insight/11/enable-data-collection/ni-enable-hdx-wrapper-con.html
Assumptions
Throughout the text, it is assumed that:
- NetScaler appliances are available in both the DMZ and trusted security zones and have at least the Enterprise feature set.
- The appliances are running version 11.0 firmware, together with an Insight Center server running at least the same or a higher firmware version than the NetScaler.
- The user is located inside the security boundary, i.e. he or she sits inside the corporate firewall.
Firmware Notes
The 10.5.50.10 release in 2014 added the Cache Redirection option for Insight, but that version did not have the HDX protocol option. A later build, 10.5.56.15, then added the ability to use the HDX protocol, and of course that functionality is also included in 11.0.
For an administrator wanting to collect analytics from users' HDX sessions on the internal network, the following architecture options are available.
NetScaler Gateway deployment mode
When the user is away from the data center and needs access to the Citrix environment for published applications and desktops, the connection comes in through a NetScaler Gateway. This is a simple approach from a networking perspective; it gets a bit more complicated when the NetScaler appliances are arranged in a double-hop configuration, but the architectural design is very similar.
In our case, however, the user is located inside the corporate firewall, so it would be necessary to deploy an internal NetScaler Gateway and have the users access that portal in order to generate statistics. It would work, but it is probably better to use the following option.
Optimal Gateway Routing with gateway mode
It is also possible to have a hybrid option for trusted zone users, where those users are seamlessly redirected to a NetScaler Gateway when they launch their applications. This is done using a StoreFront feature called Optimal Gateway Routing. The StoreFront system needs some modifications so that LAN users are pointed at an internal NetScaler Gateway: when the user launches an application or desktop, the launch file contains the gateway URL. If the user has already been authenticated by logging on to the internal (Windows domain) network, this is seamless and they simply launch a session in the normal way. Effectively, the user is redirected to launch the application via the NetScaler Gateway and the HDX session then runs over SSL.
As mentioned, this would be an internal NetScaler Gateway. It is possible to push trusted zone users out to a gateway in the DMZ, but that is less than ideal: users should only have to cross one security zone for the analytics to be collected.
A side effect of this approach is that the HDX session is encrypted from the moment it starts. This option has the advantage that the administrator usually has some access to the StoreFront and NetScaler systems and can easily make the changes needed to implement it. Further details of the changes to StoreFront are here:
http://docs.citrix.com/en-us/storefront/2-6/dws-manage/dws-configure-ha/dws-configure-ha-optimal.html
Transparent mode
If the user is in the trusted security zone (a LAN user, as defined here), the NetScaler needs to see the traffic in order to gather analytics. So what were the other options for gathering statistics without a gateway?
A few options exist to accomplish this: either L3 routing, or bridging the traffic through the NetScaler appliance in L2 mode. While both can be made to work, there are some drawbacks. When the network is more complex, troubleshooting and scaling are a major challenge for an L2 setup. In an L3 setup the NetScaler routes all the traffic, and reachability of the VLANs depends on the NetScaler.
Policy Based Routing
By using something like policy-based routing (PBR) outside the appliance, traffic can be selectively pushed through the network to the NetScaler. One of my colleagues, Steven Wright, produced a great blog showing how PBR on the network can be used to push ICA traffic through a NetScaler:
/blogs/2015/02/02/how-to-deploy-netscaler-insight-center-with-policy-based-routing/
So the L2 and L3 options allow the ICA traffic traversing the NetScaler to be analysed, achieving the desired result of collecting AppFlow information, but only as long as the traffic always crosses the NetScaler. That can sometimes be difficult if clients are located in different parts of the network with different routes to the back-end systems.
Policy-based routing, as Steven has shown, is also an option. However, the infrastructure must support PBR in order to use it.
Using Optimal Gateway Routing with a NetScaler Gateway also allows session analytics to be collected, but the session is then encrypted, which might be considered overkill for some applications.
LAN users
A new option added in NetScaler 11 firmware is the ability, via the SOCKS proxy option, to use the NetScaler as a forward proxy with a Cache Redirection (CR) vserver. This has the advantage that no NetScaler Gateway is required and no changes to routing rules are needed to accommodate it.
The process is fairly simple: the CR vserver has been revised so that it includes a protocol type of "HDX". Once this proxy has been defined it must be highly available, because if the proxy is not available, applications will not launch. The internal NetScaler should in any case be deployed as an HA pair.
To set it up, proceed as follows:
- Define an AppFlow collector, action and policy.
- Create a Cache Redirection vserver on the NetScaler.
- Set the type to HDX and choose the port, for example port 8080.
- Change the default launch file on the StoreFront or Web Interface servers to use the new proxy and port.
Step 1. The first step in this process is the AppFlow settings.
Create the AppFlow collector, action and policy; here are the CLI commands (the collector address is the Insight Center IP):
add appflow collector collector1 -IPAddress <InsightCenterIP>
add appflow action action1 -collectors collector1
add appflow policy policy1 true action1
Steps 2 and 3. Next, create the SOCKS (CR) vserver with the correct type and bind the AppFlow policy.
Create the CR vserver; here again are the CLI commands:
add cr vserver CRVS HDX <crvserverIP> 8080
bind appflow global policy1 1 END -type ICA_REQ_DEFAULT
Step 4. Change the default.ica launch file to ensure that newly generated launch files use the new proxy.
This file is located under "C:\inetpub\wwwroot\Citrix". The settings to add are:
ICASOCKSProtocolVersion=0
ICASOCKSProxyHost=<crvserverIP>
ICASOCKSProxyPortNumber=<port>
ProxyFavorIEConnectionSetting=Yes
ProxyHost=
ProxyTimeout=30000
ProxyType=socks
StoreFront considerations
With this approach the default launch file is changed for the whole store, so users who connect through a NetScaler Gateway need to be considered. There are two options:
1. Create a new store and use that one for external users; this would then need to be referenced in the NetScaler Gateway configuration to complete the process. Since the default launch file is updated per store, the second store would of course have its own, more general launch file.
2. Use the StoreFront SDK to single out the different users as they connect and determine whether the user type is LanUser or NetScaler Gateway. The SDK can change a number of aspects of how StoreFront behaves when a user connects. Some .NET skills are needed, but Simon Frost has provided some great documentation to help with this process, available here:
/ blogs / 04.09.2014 / introduction-the storefront store Customization SDK /
Using the SDK requires some coding, but it would allow a single store to serve all users.
So what does it look like? Here is a high-level view.
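Because the launch file is edited per store (option 1 above) and the same keys must be absent for users who come in through NetScaler Gateway, here is an added example, not Citrix code and not part of the original post, of a small Python tool that sets or removes the Step 4 keys in a default.ica and can be re-run safely. It assumes the launch file is INI-style text and that the proxy keys belong in the [Application] section; the sample launch file, the CR vserver address 10.10.10.50 and port 8080 are constructed for illustration.

```python
# Added example (not Citrix code): manage the SOCKS-proxy keys for a NetScaler
# CR vserver of type HDX in a StoreFront/Web Interface default.ica launch file.
# Assumptions: INI-style text, keys live in [Application]; sample data is made up.
import ipaddress
import re

# Matches "Key=Value" (value may be empty); group 1 = key, group 2 = value.
_KEY_RE = re.compile(r"^([^=;\[][^=]*?)\s*=(.*)$")

# The keys from Step 4, in the order the post lists them.
SOCKS_KEYS = (
    "ICASOCKSProtocolVersion", "ICASOCKSProxyHost", "ICASOCKSProxyPortNumber",
    "ProxyFavorIEConnectionSetting", "ProxyHost", "ProxyTimeout", "ProxyType",
)


def socks_settings(cr_vserver_ip, port, timeout_ms=30000):
    """Key/value pairs for one CR vserver. Bad input is rejected up front:
    a wrong proxy address means no HDX session launches at all."""
    ipaddress.IPv4Address(cr_vserver_ip)          # raises ValueError if invalid
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port}")
    return {
        "ICASOCKSProtocolVersion": "0",
        "ICASOCKSProxyHost": cr_vserver_ip,
        "ICASOCKSProxyPortNumber": str(port),
        "ProxyFavorIEConnectionSetting": "Yes",
        "ProxyHost": "",
        "ProxyTimeout": str(timeout_ms),
        "ProxyType": "socks",
    }


def parse_ica(text):
    """Parse an ICA file into {section: {key: value}}, preserving key case."""
    cfg, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(";"):
            continue
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1]
            cfg.setdefault(current, {})
            continue
        m = _KEY_RE.match(s)
        if m and current is not None:
            cfg[current][m.group(1)] = m.group(2).strip()
    return cfg


def _section_bounds(lines, section):
    """(start, end) index range of the lines inside [section], or None."""
    header, start = f"[{section}]".lower(), None
    for i, line in enumerate(lines):
        s = line.strip()
        if start is None:
            if s.lower() == header:
                start = i + 1
        elif s.startswith("[") and s.endswith("]"):
            return start, i
    return None if start is None else (start, len(lines))


def apply_socks_proxy(text, cr_vserver_ip, port, section="Application"):
    """Return the launch file with the proxy keys set in [section]: existing
    keys are rewritten in place, missing ones appended. Idempotent."""
    pending = {k.lower(): (k, v)
               for k, v in socks_settings(cr_vserver_ip, port).items()}
    lines = text.splitlines()
    bounds = _section_bounds(lines, section)
    if bounds is None:                     # no such section: create it at the end
        lines += ["", f"[{section}]"]
        bounds = (len(lines), len(lines))
    start, end = bounds
    for i in range(start, end):
        m = _KEY_RE.match(lines[i].strip())
        if m and m.group(1).lower() in pending:
            name, value = pending.pop(m.group(1).lower())
            lines[i] = f"{name}={value}"
    insert_at = end                        # keep the blank line before the next section
    while insert_at > start and not lines[insert_at - 1].strip():
        insert_at -= 1
    lines[insert_at:insert_at] = [f"{k}={v}" for k, v in pending.values()]
    return "\n".join(lines) + "\n"


def strip_socks_proxy(text, section="Application"):
    """Remove every proxy key from [section]: the launch file a store used
    only by NetScaler Gateway users should have."""
    lines = text.splitlines()
    bounds = _section_bounds(lines, section)
    if bounds is None:
        return text
    start, end = bounds
    drop = {k.lower() for k in SOCKS_KEYS}
    kept = []
    for i, line in enumerate(lines):
        m = _KEY_RE.match(line.strip()) if start <= i < end else None
        if not (m and m.group(1).lower() in drop):
            kept.append(line)
    return "\n".join(kept) + "\n"


# Constructed sample, not a real StoreFront default.ica.
SAMPLE_ICA = "[WFClient]\nVersion=2\nRemoveICAFile=yes\n\n[ApplicationServers]\n" \
             "Application=\n\n[Application]\nAddress=\nTransportDriver=TCP/IP\nProxyType=None\n"

if __name__ == "__main__":
    print(apply_socks_proxy(SAMPLE_ICA, "10.10.10.50", 8080))
```

Run it against a copy of the store's default.ica and diff the result before deploying; ICASOCKSProxyHost must be the CR vserver address, which is what moves with the HA pair on failover, since (as noted above) no session will launch if the proxy is unreachable.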
Conclusion
NetScaler 10.5 firmware extended the options for gathering analytics information, and these have been further improved with the additional option of using a NetScaler as a forward proxy in NetScaler firmware version 11.0. This option is an easy way to collect analytics for trusted zone users and now adds to the other options that were already available.