The Citrix ADC product line optimizes delivery of applications over the Internet and private networks. Citrix ADC is an application delivery controller (ADC) that accelerates application performance, enhances application availability with advanced L4-7 load balancing, secures mission-critical apps from attacks and lowers server expenses by offloading computationally intensive tasks. All these capabilities are combined into a single, integrated appliance for increased productivity, with lower overall total cost of ownership.
Citrix ADC is deployed in front of web, application and database servers. It combines high-speed L4-7 load balancing and content switching with application acceleration, data compression, static and dynamic content caching, SSL acceleration, network optimization, application performance monitoring application visibility and robust application security via an application firewall.
Citrix ADC appliances are installed in the data center and route all connections to back-end servers. The Citrix ADC features are enabled and the policies configured are then applied to incoming and outgoing traffic. Citrix ADC requires no additional client or server-side software, and can be configured using the Citrix ADC web-based GUI, RESTful API (“Nitro”) and CLI configuration utilities.
Citrix ADC is available as a high-performance network appliance and a virtual appliance for maximum deployment flexibility. The hardware based MPX appliances with multi-core processor designs are available with a wide range of appliance availability; from sub gigabit throughput to 50 Gbps. Each leverages a fully hardened and secure operating system.
Citrix ADC appliances provide multi-dimensional scalability for a superior ROI. Pay-As-You-Grow and Burst Pack upgrade licenses enable specific models to be upgraded to higher-end models within a particular platform via a software license. Citrix Networking SDX models allow up to 40 fully independently managed Citrix ADC instances to run on a single platform. Citrix ADC with TriScale clustering allows up to 32 Citrix ADC appliances (of the same platform, model and edition) to be aggregated into a single group to increase aggregate app delivery capacity.
Citrix ADC Standard Edition provides comprehensive layer 4-7 load balancing and content switching, SSL acceleration and server offload capabilities.
Citrix ADC Enterprise Edition is a highly integrated application delivery solution. It includes all Standard Edition capabilities, plus dynamic routing support, data compression (AppCompress), global server load balancing (GSLB), surge protection, priority queuing, L7 DoS protection, AAA for traffic management and cache redirection. Enterprise Edition also includes Citrix Command Center software.
Citrix ADC Platinum Edition is the most integrated and feature-rich Citrix ADC offering. It includes all Enterprise Edition capabilities, plus content caching (AppCache), web application firewall, Cloud Bridge, Command Center, and EdgeSight for Citrix ADC application performance monitoring.
Note: Citrix ADC clustering license upgrades are available on all Citrix Networking MPX and VPX models and software editions
The following options are available for Citrix MPX appliances.
The Citrix ADC appliances provide load-balancing and content-switching functions with granular traffic control based on customizable Layer 4 through 7 rules with support for both IPv4 and IPv6 addresses, virtual IP addresses (VIPs) and server farms.
Citrix ADC can natively load-balance the following protocols in an IPv4 environment: HTTP/HTTPS, FTP, DNS, ICMP, SIP, RTSP, Extended RTSP, LDAP, RADIUS, SCCP and Microsoft RDP. In an IPv6 environment, it can natively load-balance HTTP, HTTPS and SSL protocols. It has generic protocol parsing capabilities that enable the configuration of application switching and persistence policies based on any information in the traffic payload for custom and packaged applications without requiring any programming.
Citrix ADC supports translation and load balancing between IPv4 and IPv6 networks and provides flexibility to customers in planning their IPv6 migration.
|Persistency||Stickiness allows the same client to maintain multiple simultaneous or subsequent TCP or IP connections with the same real server for the duration of a session|
Stateful failover capabilities help ensure resilient network protection for enterprise network environments.
Citrix ADC integrates global server load balancing to provide a multiple data center scaling and failover system.
|Server health monitoring
||Citrix ADC checks the health of application servers and server farms through configuration of health probes.|
|Database load balancing
||SQL-aware health monitors increase availability of database servers. SQL connection offload increases database server performance and aids in scaling database servers. SQL intelligent load balancing enables scaling out database deployments to routing SQL requests to the most appropriate server.|
|Clustering||Citrix TriScale clustering allows up to 32 appliances to work in concert to deliver one or multiple applications. The result is a cost effective and simple option for scaling out application delivery infrastructures.|
|Compression||Citrix ADC delivers up to 11 Gbps data compression and provides faster application performance for application users|
|SSL acceleration||Citrix Networking MPX and SDX integrates hardware-based SSL acceleration technology, which offloads the encryption and decryption of up to 11 Gbps of SSL traffic from servers,|
|TCP offload||Offload web, application, and database servers from compute intensive tasks such as TCP connection management, SSL encryption/decryption and in-memory caching of both dynamic and static content.|
|Caching||Deliver application content immediately, both static and Dynamic, without burdening servers|
|Data center security||Citrix ADC protects the data center and critical applications from protocol and denial-of-service (DoS) attacks at both L4 and L7 and encrypts mission-critical content.|
|Application security||Citrix Web App Firewall provides deep protocol inspection capabilities, which enables IT professionals to comprehensively secure high-value applications in the data center. It secures mission-critical applications and protects against identity theft, data theft, application disruption, and fraud and defends web-based applications and transactions against targeted attacks by professional hackers. Citrix ADC uses a hybrid model including scanning over 3000 signatures for preventing known attack vectors.|
|Content rewrite and response control
||Policy-based bidirectional rewriting of HTTP header, payload elements and URLs. Policy-based redirection of incoming requests. Responder module with custom responses and redirects. Policy-based routing and network aware policies.|
|Packet filtering||L3 and L4 access control lists. Network Address Translation.|
|Virtual contexts||Citrix Networking SDX provides a means for creating complete resource segmentation and isolation, allowing the Citrix ADC appliance to act as if it were several individual appliances within a single physical appliance. Citrix Networking SDX enable organizations to provide defined levels of service to up to 40 business departments, applications, or customers and partners from a single Citrix Networking SDX appliance.|
|Role-based access control (RBAC)
||RBAC allows organizations to specify administrative roles and restrict administrators to specific functions within the appliance or virtual contexts, allowing each administrator group to freely perform its tasks without affecting the other groups|
|Deployment and management|
|Function consolidation||Through consolidation of application switching, SSL acceleration, data center security, and other functions on one device, Citrix ADC helps achieve better application performance, with fewer devices, simpler network designs, and easier management|
|Investment protection||Citrix ADC supports virtualization with one administrator device and up to 40 virtual contexts, 400,000 SSL transactions per second (TPS), and up to 11 Gbps of compression. The licensed throughput can be increased to up to 50 Gbps without the need for new equipment, through software license upgrades|
|Operational visibility||Provides network administrators application level details; AppFlow extends network monitoring to include granular application-layer visibility. By using IPFIX standard extensions Citrix ADC can provide inputs into a wide variety of monitoring tools. This eliminates span ports and network taps.|
|AppExpert framework||AppExpert Visual Policy Builder visually builds the policy for every web app delivery feature without programming. AppExpert Templates provide pre-configured settings to optimize specific applications|
|ActionAnalytics||Integrated, easy-to-use application analysis and policy-based control. Complements AppFlow with insight into full web application and SQL environments. Provides real-time monitoring and adaptive policy controls that transform raw data into actionable information to deliver better business intelligence and automatically tune application delivery policies|
|Citrix Networking MPX Model
||Throughput (Gbps)||Compression (Gbps)||SSL Throughput (Gbps)
||SSL TPS: 1K & 2K Key (K)
||HTTP Requests per Second (K/s)
Where does a Citrix ADC fit in the network?
Citrix ADC resides in front of web and applications servers, so that client requests and server responses pass through it. In a typical installation, virtual servers (vservers) configured on the Citrix ADC provide connection/termination points that clients use to access the applications delivered by Citrix ADC. In this case, the Citrix ADC owns public IP addresses that are associated with its vservers, while the real servers are isolated in a private network. It is also possible to operate the Citrix ADC in a transparent mode as an L2 bridge or L3 router, or even to combine aspects of these and other modes.
Physical deployment modes
Citrix ADC can be deployed in either of two physical modes: inline and one-arm. In inline mode, multiple network interfaces are connected to different Ethernet segments, and the Citrix ADC is placed between the clients and the servers. The Citrix ADC has a separate network interface to each client network and a separate network interface to each server network. The Citrix ADC and the servers can exist on different subnets in this configuration. It is possible for the servers to be in a public network and the clients to directly access the servers through the Citrix ADC, with the Citrix ADC transparently applying the L4-L7 features. Usually, vservers are configured to provide an abstraction of the real servers.
Figure 1 - Inline deployment
In one-arm mode, only one network interface of the Citrix ADC is connected to an Ethernet segment. The Citrix ADC in this case does not isolate the client and server sides of the network, but provides access to applications through configured vservers. One-arm mode can simplify network changes needed for Citrix ADC installation in some environments.
Figure 2 - Topology diagram for one-arm mode, multiple subnets
Citrix ADC as an L2 device
A Citrix ADC functioning as an L2 device is said to operate in L2 mode. In L2 mode, the Citrix ADC forwards packets between network interfaces when all of the following conditions are met:
By default, all network interfaces are members of a pre-defined VLAN, VLAN 1. Address Resolution Protocol (ARP) requests and responses are forwarded to all network interfaces that are members of the same VLAN. To avoid bridging loops, L2 mode must be disabled if another L2 device is working in parallel with the Citrix ADC.
Citrix ADC as a packet forwarding device
A Citrix ADC can function as a packet forwarding device, and this mode of operation is called L3 mode. With L3 mode enabled, the Citrix ADC forwards any received unicast packets that are destined for an IP address that it does not have internally configured, if there is a route to the destination. A Citrix ADC can also route packets between VLANs.
In both modes of operation, L2 and L3, a Citrix ADC generally drops packets that are in:
A Citrix ADC appliance is usually deployed in front of a server farm and functions as a transparent TCP proxy between clients and servers, without requiring any client-side configuration. This basic mode of operation is called Request Switching technology and is the core of Citrix ADC functionality. Request Switching enables a Citrix ADC to multiplex and offload the TCP connections, maintain persistent connections, and manage traffic at the request (application layer) level. This is possible because the Citrix ADC can separate the HTTP request from the TCP connection on which the request is delivered.
Depending on the configuration, a Citrix ADC may process the traffic before forwarding the request to a server. For example, if the client attempts to access a secure application on the server, the Citrix ADC might perform the necessary SSL processing before sending traffic to the server.
To facilitate efficient and secure access to server resources, a Citrix ADC uses a set of IP addresses collectively known as Citrix ADC-owned IP addresses. To manage your network traffic, you assign Citrix ADC-owned IP addresses to virtual entities that become the building blocks of your configuration. For example, to configure load balancing, you create virtual servers (vservers) to receive client requests and distribute them to services, which are entities representing the applications on your servers.
The configuration of a Citrix ADC is typically built up with a series of virtual entities that serve as building blocks for traffic management. The building block approach helps separate traffic flows. Virtual entities are abstractions, typically representing IP addresses, ports, and protocol handlers for processing traffic. Clients access applications and resources through these virtual entities. The most commonly used entities are vservers and services. Vservers represent groups of servers in a server farm or remote network, and services represent specific applications on each server.
Figure 3 - How traffic management building blocks work
Most features and traffic settings are enabled through virtual entities. For example, you can configure a Citrix ADC to compress all server responses to a client that is connected to the server farm through a particular vserver. To configure the Citrix ADC for a particular environment, you need to identify the appropriate features and then choose the right mix of virtual entities to deliver them. Most features are delivered through a cascade of virtual entities that are bound to each other. In this case, the virtual entities are like blocks being assembled into the final structure of a delivered application. You can add, remove, modify, bind, enable, and disable the virtual entities to configure the features. The following figure shows the concepts covered in this section.
A simple load balancing configuration
In the example shown in the following figure, the Citrix ADC is configured to function as a load balancer. For this configuration, you need to configure virtual entities specific to load balancing and bind them in a specific order. As a load balancer, a Citrix ADC distributes client requests across several servers and thus optimizes the utilization of resources.
Figure 4 - Load balancing virtual server, services, and monitors
The basic building blocks of a typical load balancing configuration are services and load balancing vservers. The services represent the applications on the servers. The vservers abstract the servers by providing a single IP address to which the clients connect. To ensure that client requests are sent to a server, you need to bind each service to a vserver. That is, you must create services for every server and bind the services to a vserver. Clients use the VIP to connect to a Citrix ADC. When the Citrix ADC receives client requests on the VIP, it sends them to a server determined by the load balancing algorithm. Load balancing uses a virtual entity called a monitor to track whether a specific configured service (server plus application) is available to receive requests.
In addition to configuring the load balancing algorithm, you can configure several parameters that affect the behavior and performance of the load balancing configuration. For example, you can configure the vserver to maintain persistence based on source IP address. The Citrix ADC then directs all requests from any specific IP address to the same server.
A policy defines specific details of traffic filtering and management on a Citrix ADC. It consists of two parts: the expression and the action. The expression defines the types of requests that the policy matches. The action tells the Citrix ADC what to do when a request matches the expression. As an example, the expression might be to match a specific URL pattern to a type of security attack, with the action being to drop or reset the connection. Each policy has a priority, and the priorities determine the order in which the policies are evaluated.
When a Citrix ADC receives traffic, the appropriate policy list determines how to process the traffic. Each policy on the list contains one or more expressions, which together define the criteria that a connection must meet to match the policy. For all policy types except Rewrite policies, a Citrix ADC implements only the first policy that a request matches, not any additional policies that it might also match. For Rewrite policies, the Citrix ADC evaluates the policies in order and, in the case of multiple matches, performs the associated actions in that order. Policy priority is important for getting the results you want.
Compression is a popular means of optimizing bandwidth usage, and all modern web browsers support compressed data. If you enable the AppCompress feature, the Citrix ADC intercepts requests from clients and determines whether the client can accept compressed content. After receiving the HTTP response from the server, the Citrix ADC examines the content to determine whether it is compressible. If the content is compressible, the Citrix ADC compresses it, modifies the response header to indicate the type of compression performed, and forwards the compressed content to the client.
Citrix ADC compression is a policy-based feature. A policy filters requests and responses to identify responses to be compressed, and specifies the type of compression to apply to each response. The Citrix ADC provides several built-in policies to compress common MIME types such as text/html, text/ plain, text/xml, text/css, text/rtf, application/msword, application/vnd.ms-excel, and application/vnd.mspowerpoint.
You can also create custom policies. The Citrix ADC does not compress compressed MIME types such as application/octet-stream, binary, bytes, and compressed image formats such as GIF and JPEG.
To configure compression, you must enable it globally and on each service that will provide responses that you want compressed. If you have configured vservers for load balancing or content switching, you should bind the polices to the vservers. Otherwise, the policies apply to all traffic that passes through the Citrix ADC.
A Citrix ADC appliance has both a command line interface (CLI) and a graphical user interface (GUI). The GUI includes a configuration utility for configuring the appliance and a statistical utility, called Dashboard. For initial access, all Citrix ADC appliances ship with the default Citrix ADC IP address (NSIP) of 192.168.100.1 and default subnet mask of 255.255.0.0. You can assign a new NSIP and an associated subnet mask during initial configuration.
Using the command line interface
You can access the CLI either locally, by connecting a workstation to the console port, or remotely, by connecting through secure shell (SSH) from any workstation on the same network.
For more information about the features of the CLI, including SSH, see the Citrix ADC Command Reference Guide.
Logging on to the command line interface through the console port
The Citrix ADC has a console port for connecting to a computer workstation. To log on to the Citrix ADC, you need a serial crossover cable and a workstation with a terminal emulation program.
To log on to the CLI through the console port:
Logging on to the command line interface by using SSH
The SSH protocol is the preferred remote access method for accessing a Citrix ADC remotely from any workstation on the same network. You can use either SSH version 1 (SSH1) or SSH version 2 (SSH2.)
To log on to a Citrix ADC by using an SSH clinet:
The graphical user interface includes a configuration utility and a statistical utility, called Dashboard, either of which you access through a workstation connected to an Ethernet port on the Citrix ADC. If your computer does not have a supported Java plugin installed, the utility prompts you to download and install the plug-in the first time you log on. If automatic installation fails, you can install the plug-in separately before you attempt to log on to the configuration utility or Dashboard.
The system requirements for the workstation running the GUI are as follows:
Determine the following information for performing the initial configuration.
Setting up connectivity
Connect the appliance to a management workstation or the network by using the Citrix ADC configuration utility, the command-line interface (CLI), or the LCD keypad.
Configuration utility setup
To set up the appliance by using the configuration utility, you need a management workstation or laptop configured on the same network as the appliance. To run the configuration utility, the Java RunTime Environment (JRE) version 1.4.2_04 or later must be installed on the workstation or laptop.
Note: The Setup Wizard automatically opens upon log on when the appliance is configured with the default IP address, when licenses are not installed on the appliance, and when either the mapped IP address or subnet IP address is not configured.
To configure the Citrix ADC by using the configuration utility
To set up the appliance by using the command-line interface (CLI), connect the serial cable to the console port. Access the command line with a terminal or terminal emulator with the following settings:
Log on to the Citrix ADC with the following credentials:
User name: nsroot
To configure the Citrix ADC by using the Citrix ADC command line
At the Citrix ADC command prompt, type:
set ns config -ipaddress 10.102.29.60 –netmask 255.255.255.0 add ns ip 10.102.29.61 255.255.255.0 - type snip add route 0.0.0.0 0.0.0.0 10.102.29.1 set system user nsroot administrator save ns config reboot
LCD keypad setup
To set up the appliance by using the LCD keypad on the front panel of the appliance, enter the following initial settings in the following order:
The NSIP and the default gateway should be on the same subnet.
The subnet mask, NSIP, and gateway values are saved in the configuration file. You can then use the NSIP to connect to the appliance remotely.
A complete set of documentation is available on the Documentation tab of your Citrix ADC and from
http://support.citrix.com. (Most of the documents require Adobe Reader, available at http://adobe.com.)
To view the documentation
If you have support questions, please contact Citrix Technical Support at 1-800-4-CITRIX (1-800-424-8749). For additional contact information, see Support Phone Numbers at http://support.citrix.com/. If you have comments or feedback on this documentation, please email to email@example.com.