What’s new in Citrix NetScaler ADC 12.1 – SSL to ACLs

In part two of our series looking at the new Citrix NetScaler ADC 12.1 firmware release, our Co-founder Al takes a look at the SSL headlines and digs in to the key messages around the core networking enhancements.

Continuing on the theme of security from part one, SSL has often been in the headlines with nasty vulnerabilities like BEAST, FREAK, POODLE and Heartbleed rocking the industry and causing thousands of hours overtime. In response, the recently agreed TLS 1.3 is a major revision of the specification, which offers faster, more secure encryption than its predecessors. Citrix got the scoop with the first ADC support of TLS 1.3 back in Q417, with front and back end support on their VPX and CPX virtual appliances making the GA release this time around. One of the frequent requests from the Citrix PTEC meetings, Internet Content Adaptation Protocol (ICAP) support joins the 12.1 feature list, giving NetScaler the ability to act as an ICAP client and integrate with 3rd party Data Loss Prevention and Anti-Malware services. Nice.

The UDP based Datagram Transport Layer Security (DTLS) protocol is now supported end to end which is good news for anyone who’s contemplating using the Citrix desktop protocol HDX Enlightened Data Transport (EDT) in the real world. Industry standard TLS Session Tickets allow for abbreviated handshakes which in turn increases the efficiency and speed of encryption but they can pose a risk if they are not changed frequently enough or they are unencrypted. Citrix ADC 12.1 (note the new naming convention drops the NetScaler brand) introduces Secure Session Tickets which plugs this gap nicely.

There’s a vast amount of information available to assist with fault diagnosis which is good in some ways but not so great in others (think needles in haystacks) so a nice management feature addition called Selective Logging allows admins to filter the information collected to provide an uncluttered view of the relevant parameters. Second fanfare for 12.1 as Qualys A+ is now baked in by default for SSL vServer configuration. Whoop Whoop as another one of those crappy jobs that admins previously had to repeat over and over again has gone away with 12.1. Citrix also announced that there will be regular quarterly firmware updates that will include enhancement of the A+ config, so you’ll always be able to keep up with the changing needs of this industry wide stamp of approval…

Into core networking enhancements and managing traffic across clouds with Global Server Load Balancing just got a whole lot easier with the ability to configure GSLB using domain names not IP addresses. We’ve been able to auto-scale back end resources across multiple clouds for years but the management of traffic to those cloud instances has been an often clunky process to date. 12.1 introduces the ability to use DNS lookup to identify the services coming on line to automatically pull them into the service group pool, effectively allowing your GSLB config to dynamic learn back end services to simplify multi and hybrid cloud delivery.

Back to admin friendly additions to Citrix ADC 12.1, and those who have built more complex environments or those of significant scale will know that vServer configurations can become significant, with potentially hundreds of policies and bind points to define how traffic should be processed. It’s where the magic happens and this configuration is often replicated across multiple vServers, each having it’s own IP address. The new Multi-Stack VIP feature allows a single vServer to present multiple IP addresses to reduce management overhead and configuration complexity.

More flexibility around appliance compatibility with Heterogeneous Clustering, ACL6 logging comes to the party and new ACLs at the SVM layer on the SDX platforms to close the admin trapdoor where the admin experience was common for all admins at the SVM layer – in other words, those who had the ability to add instances to your SDX appliance used to be able to remove instances that someone else had provisioned. Assuming there’s still a manual process involved of course, which leads nicely in to the next part of this series of posts where I’ll be looking at automation, containers and SDN. I think I might give part three a subtitle – The rise of the machines.

© NetScalerTaylor & cloudDNA 2018