XenMobile environments that use NetScaler can take advantage of several options for improvement. Here are some of the options that can help optimize a XenMobile environment.
LDAP(S) Virtual Server
LDAP, and its SSL-based version LDAPS, are commonly used forms of authentication in a XenMobile environment. When a NetScaler is available, the best practice is to use a virtual server (Vserver) to load balance the LDAP(S) traffic for resilience and scalability. Setting up an LDAP Vserver is a fairly simple process using TCP on port 389, while LDAPS calls for SSL_TCP on port 636 and a few extra steps.
Last year a colleague published a good technical note on how to configure an LDAPS virtual server for use by Access Gateway: http://support.citrix.com/article/CTX133893. The LDAPS Vserver can be configured in the same way for NetScaler Gateway, and can also be used by XenMobile Device Manager and/or XenMobile AppController. Just be sure that the controllers refer to a domain name that matches the certificate associated with the Vserver IP address. Also be sure to reference the domain controllers by domain name instead of by IP address.
For example:
add server domainserver1.domain.com_ldaps_srv srv1.srv1.srv1.srv1
add server domainserver2.domain.com_ldaps_srv srv2.srv2.srv2.srv2
add service domainserver1.domain.com_ldaps_svc domainserver1.domain.com_ldaps_srv SSL_TCP 636
add service domainserver2.domain.com_ldaps_svc domainserver2.domain.com_ldaps_srv SSL_TCP 636
add lb vserver vservername.domain.com_ldaps SSL_TCP vs1.vs1.vs1.vs1 636
bind lb vserver vservername.domain.com_ldaps domainserver1.domain.com_ldaps_svc
bind lb vserver vservername.domain.com_ldaps domainserver2.domain.com_ldaps_svc
bind ssl vserver vservername.domain.com_ldaps -certkeyName "*.domain.com"
[NOTE: There are a few options for an LDAP(S) Vserver monitor, each with a little more configuration involved:
1) Use the built-in TCPS monitor, but monitoring is limited to TCP/SSL
2) Create a custom LDAP monitor: /blogs/2011/01/29/follow-secure-ldap-using-citrix-NetScaler/
3) Create a custom user monitor: http://support.citrix.com/article/CTX132944]
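The name-matching requirement above can be checked before the controllers are pointed at the LDAPS Vserver. This is an added example, not code from the original post or from Citrix; it assumes the common TLS rule that a wildcard covers exactly one left-most label, and the server references in the sample are constructed.

```python
import ipaddress


def matches_cert_name(reference: str, cert_name: str) -> bool:
    """True if the name a controller connects to is covered by cert_name.

    Comparison is case-insensitive; "*" is honoured only as the whole
    left-most label and stands for exactly one label.
    """
    try:
        ipaddress.ip_address(reference)
        return False  # a DNS-name certificate never covers an IP literal
    except ValueError:
        pass
    ref = reference.rstrip(".").lower().split(".")
    pat = cert_name.rstrip(".").lower().split(".")
    if len(ref) != len(pat):
        return False  # wildcard does not span several labels or zero labels
    if pat[0] == "*":
        return len(pat) > 2 and ref[0] != "" and ref[1:] == pat[1:]
    return ref == pat


def audit_ldaps_references(references, cert_names):
    """Map each configured LDAPS server reference to pass/fail on name check."""
    return {
        ref: any(matches_cert_name(ref, name) for name in cert_names)
        for ref in references
    }


# Constructed sample: names on the certificate bound to the Vserver, and the
# LDAPS server values entered on Device Manager / AppController / Gateway.
CERT_NAMES = ["*.domain.com"]
REFERENCES = [
    "vservername.domain.com",   # matches the wildcard
    "192.0.2.10",               # Vserver referenced by IP: fails
    "dc1.corp.domain.com",      # two labels under domain.com: fails
    "domain.com",               # bare domain: not covered by *.domain.com
]

if __name__ == "__main__":
    for ref, ok in audit_ldaps_references(REFERENCES, CERT_NAMES).items():
        print(f"{ref:28} {'OK' if ok else 'certificate name mismatch'}")
```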
Mobile Traffic profile
Early TCP implementations assumed, fairly accurately, that a lost packet meant congestion, and subsequently invoked "hard" congestion avoidance algorithms. With mobile devices connecting via WiFi or carrier networks, lost packets can instead indicate a change in WiFi band, or a switch to a carrier network for example, and a "hard" action such as halving the outstanding window would not be beneficial. Thereafter, algorithms such as "Westwood" were introduced to take account of mobile devices and maximize the transfer window while still mitigating congestion. Wikipedia provides an overview of the algorithm: http://en.wikipedia.org/wiki/TCP_Westwood_plus
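The difference between the "hard" reaction and a Westwood-style one can be seen in a small model, added here as an illustration (not code from the original post or from NetScaler). It uses a simplified Westwood+ style bandwidth estimator; the segment size, filter gain and ACK samples are constructed assumptions.

```python
MSS = 1460      # bytes per segment (assumed)
GAIN = 7 / 8    # EWMA gain of the simplified bandwidth filter (assumed)


def bandwidth_estimate(ack_samples):
    """Low-pass filter over (bytes_acked, interval_seconds) -> bytes/second."""
    bwe = None
    for acked_bytes, interval_s in ack_samples:
        sample = acked_bytes / interval_s
        bwe = sample if bwe is None else GAIN * bwe + (1 - GAIN) * sample
    return bwe


def reno_on_loss(cwnd):
    """'Hard' reaction: every loss is treated as congestion, window halved."""
    return max(2.0, cwnd / 2)


def westwood_on_loss(cwnd, ack_samples, rtt_min_s):
    """Shrink only to what the measured delivery rate can keep in flight."""
    bdp_segments = bandwidth_estimate(ack_samples) * rtt_min_s / MSS
    return min(cwnd, max(2.0, bdp_segments))


def compare(cwnd, ack_samples, rtt_min_s):
    """Window (in segments) each algorithm continues with after one loss."""
    return {
        "reno": reno_on_loss(cwnd),
        "westwood": westwood_on_loss(cwnd, ack_samples, rtt_min_s),
    }


RTT_MIN = 0.05  # seconds, smallest RTT seen on the path (constructed)

# Constructed case 1: WiFi band change drops a packet, path is not congested.
# 40 segments are acknowledged every 50 ms, RTT has not grown.
WIFI_HANDOVER = dict(cwnd=40, ack_samples=[(40 * MSS, 0.05)] * 8,
                     rtt_min_s=RTT_MIN)

# Constructed case 2: real congestion. The window grew to 80 segments but the
# bottleneck still delivers the same rate, so the RTT doubled to 100 ms.
CONGESTED = dict(cwnd=80, ack_samples=[(80 * MSS, 0.10)] * 8,
                 rtt_min_s=RTT_MIN)

if __name__ == "__main__":
    print("handover :", compare(**WIFI_HANDOVER))
    print("congested:", compare(**CONGESTED))
```

In the handover case the halving algorithm drops to 20 segments while the Westwood-style reaction stays at about 40; in the congested case both come down to about 40, so congestion is still mitigated.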
Last year my colleague Abhilash Verma did a good job introducing the TCP Westwood algorithm for NetScaler in a series of blogs on TCP optimization: /blogs/2012/04/26/NetScaler-10-tune-tcp-stack-for-wireless-use-cases-with-Westwood/
TCP Westwood is included in a built-in TCP profile, "nstcp_default_Mobile_profile", which includes other mobile TCP optimizations. Applying the profile can improve overall mobile session traffic, but it should always be verified in a test environment before migrating to production.
From the NetScaler GUI under System > Profiles you can see the details of the nstcp_default_Mobile_profile. To apply the profile to a NetScaler Gateway virtual server, select the TCP profile on the Advanced tab, as shown below:
DNS Virtual Server
DNS is an essential element of any XenMobile environment. Setting up a NetScaler Vserver for DNS is a best practice to provide resiliency and scalability for the controllers. Under DNS > Name Servers, selecting "DNS Virtual Server" brings up a "Create Virtual Server" screen populated for DNS. Here an IP address for the Vserver can be entered and the related services can be added, as shown below:
Then, once the DNS Vserver is created, make sure you reference it in the NetScaler Gateway session policy on the Network Configuration tab, as shown below:
SSL_BRIDGE
SSL_BRIDGE is a versatile form of Vserver that can provide a conduit for SSL servers that cannot be proxied with SSL Offload. It is often used for XenMobile Device Manager controllers, but can also be used as a form of network address translation.
To help mitigate the risk of Single Sign-On (SSO) to untrusted targets, NetScaler Gateway enables SSO to "private IP addresses" as defined in RFC 1918, http://www.rfc-editor.org/rfc/rfc1918.txt (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16). Some companies, especially ISPs, use public IP addresses in the DMZ where the controllers that are SSO targets are hosted. To "circumvent" this, SSL_BRIDGE can be used.
For example, add an SSL_BRIDGE Vserver for AppController as follows:
Make sure you add a DNS record referencing the private IP address in the enterprise DNS servers, or add a DNS virtual server as described above and add a record directly on the NetScaler for NetScaler Gateway to reference, as shown below:
For more information on XenMobile or NetScaler, see Citrix eDocs: http://support.citrix.com/proddocs/topic/cloudgateway/xmob-landing-con.html
http://support.citrix.com/proddocs/topic/NetScaler/ns-gen-NetScaler-wrapper-con.html
Matt Brooks
Architect
Worldwide Consulting Solutions - Mobility practice
tweetmattbrooks