What’s new in Citrix NetScaler 12.0?

Usually, Citrix choose to announce their major NetScaler ADC firmware release for the year at Synergy, their annual global customer gathering. This year it’s different. Something has got the product team excited enough to deliver NetScaler 12.0 a month earlier than usual, so there has to be more to talk about than PCoIP support and a funky new GSLB visualizer 🤔. Here’s my pick of the things you need to know…

From the ‘Snowden effect’ to the rise of HTTP/2, more traffic than ever needs to be encrypted. So first off, enhancements have been made to the code to allow for greater SSL performance and improved handling of the increasingly popular Elliptic Curve Cryptography (ECC) ciphers. NetScaler has always been a software-first architecture and here is a prime example of why this is a good thing. Both hardware and virtual appliances see significant increases in encryption capability, with a typical VPX 1000 receiving a 3x increase in 2k key SSL performance, from 1,000 to 3,300 transactions per second. Recently announced Hybrid SSL capabilities are well worth investigating if you need serious SSL scale, but that topic will have to wait for another blog post.

For public clouds, 3 Gbps VPX appliances are now supported in Azure, with multi-NIC / IP allocations enabling GSLB failover between multiple Azure zones and on-prem data centres. AWS users also get 3Gb VPX appliances to play with and (cue the fanfare) AutoScale is now supported too, allowing VPX instances to be provisioned, configured and de-provisioned in line with application VMs. This is a huge step towards simple web-scale elasticity that will be well received.

CICO – It’s not a spelling mistake.

Spinning up VPX appliances to cope with demand has historically required the administrator to manually download and allocate a licence file from mycitrix.com, but not anymore. Check In, Check Out (CICO) licensing is a new VPX licence allocation mechanism managed by NetScaler Management and Analytics System (MAS). In summary, MAS keeps a central repository of licences that can be auto-allocated (checked out) when a VPX appliance boots and returned to the pool (checked in) when the VPX is de-provisioned. Add in support for the CLI and the NetScaler Nitro API and it’s evident that automating VPX licence allocation will be dramatically simplified, reducing admin overhead and improving service agility. Don’t confuse this with pool licences, although you can see how the two are aligned. Nice.

New support for IoT protocols such as MQTT joins the recently announced Secure Event Delivery Controller feature to manage and secure conversations between the billions of ‘things’ we’re destined to connect to the internet. Multi-core CPX appliances for Kubernetes ingress proxy deployments and Kube Proxy role replacement, plus the obligatory stack of GUI enhancements and niche-use features, round off the core ADC headlines…

Unified Gateway has been a key talking point since its introduction in 2015. The big news here is support for PCoIP, the protocol used by VMware Horizon and View. This is arguably a major step towards the Citrix vision that Unified Gateway provides a consolidated remote access solution for all VDI, web, enterprise and SaaS apps. If you think about it, this is a nice move by Citrix as this opens up the Horizon/View install base for new customer conversations and not just about NetScaler.

Support for Microsoft Intune Mobile App Management (MAM) joins the previously released MDM capability, and there is a rumour of another key feature coming in late Q2 for Intune that will further the divide between UG and competitor offerings. New policy infrastructure provides flexible authentication and authorisation policies for users that are part of multiple groups and subgroups. This allows admins to determine which policies get implemented first, rather than NetScaler choosing the policy at random as before. Improved user experience for UDP traffic comes from DTLS support, and Proxy PAC file support reduces the friction between remote and corporate LAN user experience parity.

NetScaler and StoreFront configuration has been simplified, with admins having the option to use StoreFront as the authentication server (instead of AD). There’s support for the new Enhanced Data Transport (EDT) protocol (including multi-stream use cases), and GSLB endpoint analysis has been polished up to allow UG to eliminate issues caused by users bouncing around different Gateway sites.


NetScaler Gateway Service has been around since October 2016 to deliver basic ICA proxy functionality for XenApp and XenDesktop use cases. Some good news here is that the cloud connector bandwidth bottleneck has been addressed, now offering 250 Mbps throughput, which is ideal for the intended SMB market space. And stay tuned folks, as we’re predicting a stack of new ‘aaS’ offerings to be announced in the near future, most likely at Synergy.

Moving on to the core security message, there is continued support for new, stronger ciphers, with the new 14000 series FIPS appliances offering front and backend ECDHE, GCM and SHA2 capabilities. There is added protection against DNS DDoS attacks, giving administrators the ability to either bypass the DNS cache or define an upper limit to the cache size so that NetScaler doesn’t run out of system memory during a DNS DDoS attack. That leads us nicely into the threat visibility provided by MAS.

I can’t overemphasise the value of MAS. It reduces operational cost, simplifies administrative tasks, provides real time service analytics and provides integration with external orchestration systems. I’ve said it before: deploying MAS is the single best decision you can make in your quest for service delivery perfection. Take my advice, do it now and you can thank me later.

MAS is already hugely powerful but MAS 12.0 takes things to a new level. New Advanced Analytic capabilities combine real time monitoring with machine learning techniques to establish normal traffic patterns. These baseline metrics can then be used to identify anomalies, which (when used with other MAS tools) can help ensure that every user gets the best possible service and that admins always have the relevant information at their fingertips to rapidly remediate service issues.

You can’t manage what you can’t measure.

A new application perspective dashboard combines industry standard APDEX scoring with real time performance and security metrics to give an instant visual representation of service quality on a per-app basis. It’s really cool and worth checking out. App Activity Investigator offers administrators deeply granular investigation tools with click-to-drill-down visibility. There are new ‘out of the box’ Stylebooks to accelerate delivery of core enterprise applications such as Exchange 2016, and new role-based administrator access capabilities to further the appeal across larger operational structures.

MAS support for HAProxy is a further demonstration of the Citrix commitment to open interoperability frameworks, which leads nicely into the new SDN and orchestration capabilities. LBaaS support is now available for the Newton release from Mirantis and Red Hat, OpenStack Mitaka is now able to configure the content switching feature of NetScaler for more advanced L7 traffic handling, and Heat templates also join the list of supported features.

Cisco ACI gets Services Manager Mode support (also known as hybrid mode) with MAS taking care of L4-7 and APIC managing L2-3 via a new mini device package to share config information. And staying with automation for VMware fans, it’s not just PCoIP support as the new MAS CICO licence provisioning supports NSX Manager. The list goes on and on….

© NetScaler Taylor

28th April 2017
