Radware Solutions for Citrix MetaFrame XP
Citrix states in their article: CTX101922
CTX101922 - Radware Solutions for Citrix MetaFrame XP
This document was published at: http://support.citrix.com/kb/entry.jspa?externalID=CTX101922
Document ID: CTX101922, Created on: May 23, 2003, Updated: Jul 21, 2003
Products: Citrix MetaFrame XP 1.0 for Microsoft Windows 2000
Radware Solutions for Citrix MetaFrame
Solution Guide
Document Version: 0.7
Revision Date: 1 May 2003
Introduction
Employees can be anywhere when they need access to their company's information and applications. Citrix solutions for workforce mobility extend access to a company's networked resources beyond the traditional office environment — to anywhere, on any device, over any connection. Citrix solutions for remote office connectivity simplify and streamline the integration of disparate business systems and offer secure communications. Citrix allows you to configure, manage, and enable application access from one centralized location, reducing the cost of provisioning branch offices and Remote Clients individually.
The Citrix Independent Computing Architecture (ICA) is the foundation for accessing applications available on MetaFrame servers. ICA provides the streamlined communication between client and MetaFrame server that enables powerful application availability and performance over any connection on virtually any platform.
For organizations that rely on their network infrastructure to do business, the integrity of the network translates into the integrity of the organization. In today’s economic climate, companies are asked to do much more with less while expecting greater returns from network investments without compromising security or impacting business performance.
By reinforcing the infrastructure at every critical point, Radware ensures the integrity of network transactions with an uncompromising level of certainty, ensuring secure and consistent connectivity. Radware affords high availability, optimized performance, and enhanced security across the network with a solution tailored to the Citrix application. Radware delivers intelligent application switching (IAS) technologies for layers 4-7 and adds a critical level of intelligence to improve network manageability, performance and security, resulting in end-to-end business continuity.
The Challenge
In preparing for natural, man-made, or technological disasters, today’s management must be able to maintain nothing less than an uninterrupted quality connection for employees, customers, suppliers and business partners—there can be no downtime. The Radware and Citrix solutions documented in this Solution Guide specifically address the needs of customers who require enhanced application performance and redundancy. Included in this document are two solutions that tackle the difficulty of ensuring NFuse and Citrix Secure Gateway (CSG) availability and scalability. This document will also address the needs of customers faced with implementing multiple ISP links to maintain an additional level of site and application resiliency.
MetaFrame Component Failure or Overload
The Citrix solution consists of multiple disparate components: NFuse and Citrix Secure Gateway (CSG). NFuse is a powerful web front-end component of the MetaFrame solution. With NFuse, inbound Citrix clients can connect and authenticate via their web browser. NFuse allows the client to then be redirected to the best-suited MetaFrame server, or in a secure solution, to a Secure Gateway. Both NFuse and CSG play a critical role in the secure delivery of applications. They are a critical link in the MetaFrame solution and require high availability and load balancing of inbound requests to ensure optimal application performance.
ISP Failure or Overload
Multi-homed sites present an interesting set of challenges that include directing traffic through the best ISP link. Within a multi-homed environment utilizing the Citrix MetaFrame solution, it is critical to provide intelligent inbound load balancing for clients. Today, customers facing this dilemma are left with few options, and none that fully address the need for intelligent layer 4-7 switching, which includes providing seamless and instantaneous fail-over when a degradation of service or failure occurs among the available ISP connections.
Application Load Balancing and High Availability with WSD
In a secure Citrix solution, clients connect to an NFuse server via HTTPS for authentication. Once authenticated, clients are redirected to the CSG where the encrypted ICA session is decrypted and forwarded to the MetaFrame server. Citrix offers high availability and load balancing for the MetaFrame servers. However, the availability of the NFuse and Secure Gateway application servers is critical to the functionality and security of the entire solution. NFuse and CSG availability and performance can be greatly enhanced by the WSD, which provides complete traffic management for HTTP/HTTPS and ICA applications.

Web Server Director Load Balancing NFuse and CSG Servers
WSD Overview
The preceding diagram presents how the WSD can be implemented in a secure Citrix environment. The WSD utilizes intelligent application switching technology such as layer 4-7 load balancing and server high availability for the critical elements of the Citrix solution. WSD ensures the full availability, optimized operation, and complete security of server farms—guaranteeing reliability and the highest level of performance from mission critical applications across the network. WSD eliminates bottlenecks, failures, and downtime from servers while continuously protecting resources from security violations enabling fault tolerant operation of all IP applications. With the ability to manage network traffic at Gigabit speeds, WSD attains the maximum utilization of servers across local and global sites for full service redundancy, economical operation, and seamless scaling of enterprise applications. Such features enhance overall solution performance and resiliency.
Functional Traffic Flow
The WSD provides traffic management through the use of server farms. Each server farm is represented by a Virtual IP (VIP) address. Client traffic destined to the NFuse application is sent to the VIP. Once received, the WSD chooses the best server based on the configurable load-balancing algorithm which takes real-time load, health, and capacity into account for each decision. The packet is then forwarded to the best NFuse server.
Once a client is load balanced to an NFuse server, the server authenticates the client and then instructs the client to connect to the CSG farm via the encrypted ICA protocol. The client connects to the CSG farm of the WSD and is load balanced to the best CSG server. The client session is decrypted by the CSG and forwarded to the MetaFrame server(s).
Application Health Monitoring
The WSD provides the ability to monitor the health of any application. Specifically, the WSD can verify the functionality of the NFuse and CSG servers. The WSD can issue HTTP/S requests and determine, based on the content received, if the NFuse application is indeed functioning properly. For the CSG server, the WSD can verify connectivity to the encrypted port as well as verifying management access ports. If a server fails a health check (or multiple checks depending on configuration), the WSD will transparently redirect existing and new sessions among the remaining servers in the farm based on the configured load distribution algorithm.
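The following is an added model of the health-monitoring behaviour described above; it is not Radware code and does not talk to a real WSD. Check functions are injected (a content check for an NFuse logon page, a plain connect check for a CSG port), so the example runs offline; the consecutive-failure threshold, the least-connections algorithm and the `Server`/`Farm` names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List

@dataclass
class Server:
    name: str
    checks: List[Callable[[], bool]] = field(default_factory=list)  # True == healthy
    max_failures: int = 3   # consecutive failed rounds before the server is marked down
    failures: int = 0
    sessions: int = 0
    up: bool = True

def http_content_check(fetch: Callable[[], str], expected: str) -> Callable[[], bool]:
    """NFuse-style check: fetch the logon page and require expected content in the reply."""
    def check() -> bool:
        try:
            return expected in fetch()
        except OSError:   # connection refused, timeout, reset ...
            return False
    return check

class Farm:
    """One VIP front-ending a set of servers with least-connections distribution (assumed)."""
    def __init__(self, servers: List[Server]) -> None:
        self.servers = servers

    def pick(self) -> Server:
        healthy = [s for s in self.servers if s.up]
        if not healthy:
            raise RuntimeError("no healthy servers behind this VIP")
        return min(healthy, key=lambda s: s.sessions)

    def new_session(self) -> str:
        chosen = self.pick()
        chosen.sessions += 1
        return chosen.name

    def run_health_round(self) -> List[str]:
        """Run every server's checks once; returns the names of servers now marked down."""
        for s in self.servers:
            if all(check() for check in s.checks):
                s.failures, s.up = 0, True    # healthy (or recovered) server stays in rotation
                continue
            s.failures += 1
            if s.up and s.failures >= s.max_failures:
                s.up = False                  # threshold reached: take it out of rotation ...
                moved, s.sessions = s.sessions, 0
                for _ in range(moved):        # ... and move its sessions to the survivors
                    self.new_session()
        return [s.name for s in self.servers if not s.up]
```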
Multiple ISP Load Balancing and High Availability with LinkProof
Networks that implement multiple ISP connections often have few options when it comes to providing link high availability, let alone real-time load balancing and optimization between all of the links. Typically, a customer would have to configure a DNS round robin solution to incorporate Citrix application traffic across all of the available internet connections. In this scenario, multiple A-records are issued in a cyclical order for the server at a main site. For example, an NFuse server would have an address on each ISP network. When inbound clients request the associated A-record for the server, DNS will issue an address associated with either ISP. Although DNS round robin provides a level of generic load sharing, it does not address the issue of server or ISP link load and health. In effect, a client could receive an A-record for the NFuse application that is inaccessible because of a non-functional ISP, leaving that client stranded, and without access to critical applications. LinkProof provides seamless load balancing and failover for Citrix application traffic.

Multiple ISP Scenario with LinkProof
LinkProof Overview
LinkProof alleviates complexities by taking responsibility for link failure detection, IP address management, and DNS support for internal resources that need to be accessed from the Internet. LinkProof also performs a complex series of health checks that monitor the functionality and real-time load on each of the ISP links as well as the LinkProof unit itself. These elements, combined with LinkProof’s ability to optimize the ISP links through proximity detection, make LinkProof a necessary ingredient in a multi-homed network. Not only does LinkProof make traffic management simpler, but it also optimizes the available resources in ways that traditional multi-homed networks are unable to. LinkProof optimizes a secure Citrix environment by intelligently routing inbound and outbound clients through the best performing ISP link.
Functional Flow
The LinkProof addresses availability and load balancing for inbound applications like NFuse, CSG, and MetaFrame by seamlessly controlling the DNS resolution for each service. The above diagram demonstrates a secure Citrix implementation. In this example Citrix clients connect to the NFuse server farm, and then are redirected to the CSG server farm. In each phase, authentication and ICA application initiation, the client is issued a DNS resolvable name for each service. It is during the name resolution process that the LinkProof effectively steers inbound application traffic through the best performing ISP link.
In a LinkProof solution, the customer’s DNS server is configured to delegate Name Server control over the requested sub domains such as “nfuse.company.com” and “csg.company.com” for example, to the LinkProof. By doing so, Citrix client DNS resolution requests are sent to the LinkProof, which then determines, based on real-time link health and performance, which ISP to direct the client through. The LinkProof does this for each Citrix client ensuring the best performance and seamless failover should an ISP link fail or become overloaded.
Link Health Monitoring
The LinkProof constantly performs health verification checks to, and through, each ISP via a number of predetermined, and completely customizable health monitoring methods. Should a link failure occur, new requests are transparently redirected only through the active ISP links. Existing sessions will failover to the active link as well.
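The following is an added model of the DNS-based steering described in the LinkProof sections above; it is not Radware code. Sub-domains such as nfuse.company.com and csg.company.com are delegated to a resolver that answers with the address on the best performing live ISP link, and the page's DNS round-robin alternative is modelled beside it to show how a health-blind answer can strand a client on a failed link. The class names, the load/proximity ordering and the documentation-range addresses are constructed for the illustration.

```python
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List, Optional, Set

@dataclass
class IspLink:
    isp: str
    addresses: Dict[str, str]   # service name -> public address on this ISP (constructed)
    up: bool = True             # outcome of the per-link health checks
    load: float = 0.0           # fraction of link capacity in use, 0.0 .. 1.0
    rtt_ms: float = 0.0         # proximity measurement towards the client

class RoundRobinDns:
    """Conventional DNS round robin: one A record per ISP, handed out cyclically,
    with no knowledge of link health or load."""
    def __init__(self, links: List[IspLink]) -> None:
        self._links = links
        self._next = cycle(range(len(links)))

    def resolve(self, name: str) -> str:
        return self._links[next(self._next)].addresses[name]

class LinkSteeringDns:
    """LinkProof-style resolver: authoritative only for the sub-domains delegated to it
    (e.g. nfuse.company.com, csg.company.com); answers with the address on the best link."""
    def __init__(self, delegated: Set[str], links: List[IspLink]) -> None:
        self.delegated = delegated
        self.links = links

    def resolve(self, name: str) -> Optional[str]:
        if name not in self.delegated:
            return None                       # not delegated to us: the parent zone answers
        live = [l for l in self.links if l.up]
        if not live:
            return None                       # every ISP link failed: nothing to steer to
        best = min(live, key=lambda l: (l.load, l.rtt_ms))   # assumed ordering
        return best.addresses[name]

def stranded_clients(resolver, name: str, links: List[IspLink], queries: int) -> int:
    """How many of `queries` resolutions hand the client an address on a failed link."""
    dead = {l.addresses[name] for l in links if not l.up}
    return sum(1 for _ in range(queries) if resolver.resolve(name) in dead)
```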
Radware Device Resilience
Radware devices are designed to provide intelligent traffic management and redundancy for local and global network resources. Because of this, each Radware device can be deployed in a fully redundant solution. In this instance, a separate Radware device is deployed to provide an additional level of fault tolerance. A Radware redundancy solution can utilize VRRP or a proprietary redundancy mechanism for determining the health and availability of corresponding devices to ensure immediate and seamless device failover.
Radware Device Management
Radware offers several flexible and secure methods of configuration and management. Each device can be managed via ASCII, Telnet, SSH, Web Based Management (HTTP), Secure Web Based Management (HTTPS), SNMP, and via Radware Insite. Several management security features exist as well such as physical interface-based controls, and RADIUS authentication.
SynApps
Radware’s approach is to develop complete solutions that address the entire problem rather than just the symptoms. To this end, SynApps architecture was developed. Because Radware’s commitment to excellence in this field is key, SynApps is a core element that is available on all Radware boxes. Additional options available include:
Bandwidth Management
Bandwidth Management offers a robust classification engine that allows for traffic classification by source and destination IP addresses or groups of addresses, application, port, content/URL, and cookies. In our case, Bandwidth Management guarantees that the Citrix application receives the appropriate priority designation and bandwidth allocation, ensuring that it takes priority over non-mission-critical traffic. On a global level, Bandwidth Management ensures that the quality of service and allocated bandwidth are appropriate for each identified type of traffic, ensuring that service is consistent and reliable each and every time.
Application Security
Attacks perpetrated against sites today typically start with a high-traffic, basic attack that disables the front-end device. Generally, the attack continues with a sophisticated routine designed to cause maximum damage. The Application Security module is designed to thwart the initial attack aimed at disabling the front-end device. Today, Application Security contains a knowledge base that thwarts more than 1000 attacks. This module is designed to form an integral line of defense in front of the resources that the Radware device is managing, ranging from servers and firewalls to cache servers or routers. It also leverages your existing security devices by leaving them to deal only with the more advanced second attack. This module uses both network information and application-based information. Attacks are detected and prevented in real time by terminating the suspicious sessions as they are being tracked. No software agent is required on any managed device.
DoS Shield
The busiest sites on the Internet are easy targets for Denial of Service attacks. Blocking these sites against attacks requires Intrusion Detection mechanisms that can work in a high capacity throughput environment. Examining each and every packet against a list of hundreds of possible attacks proves impractical for such networks, as it leads to significant degradation of the overall network performance.
Radware implemented DoS Shield as part of the SynApps architecture. It is designed to provide organizations with full DoS and DDoS detection and protection capabilities while maintaining high network throughput. The DoS Shield module detects the occurrence of events in real time with an advanced sampling algorithm and takes automatic actions to mitigate the problem. The combination of unique sampling schemes with the strong computing power of the Application Switch platform provides maximum security at maximum speeds.
Radware Solution Benefits
By using the Radware solution for Citrix, the following benefits are achieved:
• Radware ensures the availability of Citrix applications end-to-end by guaranteeing uninterrupted ISP connectivity while overcoming all service degradations and failure issues that may occur with NFuse or CSG servers.
• Radware optimizes performance of Citrix applications through load balancing NFuse/CSG servers and using the best service provider for each client request. Service and performance are optimized end-to-end. This is accomplished by using the best performing ISP for each customer, while load balancing is performed once in the data center to find the best performing Citrix MetaFrame component.
• Bandwidth management provides an integrated solution for QoS and advanced traffic shaping which guarantees service level for Citrix applications. Customers can ensure their Citrix application is getting the appropriate priority and bandwidth allocation.
• Security is enhanced through DoS Shield and Application Security.