With over 4,000 features in premium edition appliances, we get lots of questions about NetScaler. If you have a question, chances are we’ve probably been asked it before, so here’s our pick of the common NetScaler FAQs.
At a glance, NetScaler is an application delivery controller that analyses application specific traffic, layer 4 through layer 7 (L4-L7), then intelligently distributes, optimises, and secures this traffic.
The NetScaler device is feature-rich, with built-in server load balancing, SSL offload, global server load balancing (GSLB), web application firewall, SSL VPN, and many other web application optimisation and protection features such as caching and compression.
It is available in multiple form factors including virtual (VPX), physical (MPX), hybrid (SDX), containerised (CPX) and bare metal (BLX).
NetScaler works as a very fast transparent proxy application delivery controller to provide secure, redundant, optimised web-application access, SSL offload, global server load balancing, web application firewall and SSL VPN.
It operates at layer 4-7 by terminating inbound client transmission control protocol (TCP) connections on a virtual IP. It establishes persistent back-end server connections via its own subnet IP to request content on behalf of the client using request switching and pipelining techniques.
As an intermediary buffer between the client and server, the NetScaler can then inspect requests to prevent DDoS or application attacks, and provide web content and object caching and compression.
NetScaler’s many features can be broadly classified into four main categories:
- Security and protection
- Server farm optimisation
- Global server load balancing (GSLB)
The NetScaler is usually deployed in front of a server/server farm and sits anywhere in the network between the client device and the servers they wish to connect to. The NetScaler acts as a server receiving requests from the client and then forwards those requests to the server on behalf of the client.
The NetScaler can be deployed as a secure gateway, application firewall, load balancer, global server load balancer and network packet forwarder.
NetScaler is lightning-fast, providing the best user experience, using single-pass architecture for low latency and optimal CPU utilisation. It uses dynamic path selection for an optimal application experience and dynamic scaling for terabytes of layer 7 throughput.
NetScaler provides comprehensive security with no compromise on performance. Web application firewall, Zero Trust Network Access (ZTNA), and native and integrated authentication deliver bot protection at scale. It also secures access to internal and external applications and single sign-on.
NetScaler intelligent traffic management analyses internet traffic in real-time and automatically directs it to the optimal locations, ensuring your content is always available. It also collates performance data about each cloud provider so you can choose which is the best for your needs.
NetScaler and NetScaler Gateway provide full SSL VPN capabilities. NetScaler ICA/HDX proxy mode is a specific mode of operation to support secure remote access to Citrix virtual apps and desktops only. All a client endpoint needs is the Citrix Receiver application installed. This mode of operation supports all endpoint types.
NetScaler content switching functionality is L4-L7 load balancing. This enables a NetScaler content-switching virtual server (vServer) to make flexible load balancing decisions based on policies. These can be triggered by specific client application requests, server responses or session-specific variables like source IP and cookie information.
NetScaler load balancing is a core feature which improves the availability, security, performance, scalability, and efficiency of services. It distributes all requests for a specific protected website, application, or resource between two or more identically configured servers.
The NetScaler load balancer primarily manages user requests to heavily used applications, preventing poor performance and outages, and ensuring that users can access your protected applications.
There is also fault tolerance. When one server that hosts a protected application becomes unavailable, the feature distributes user requests to the other servers that host the same application.
NetScaler is available as a hardware or software-based appliance. The hardware options are either single or multi-tenant devices and the software options are virtual hypervisor-based or containerised microservices.
- NetScaler MPX: Hardware single tenant-based
- NetScaler SDX: Hardware multi-tenant based
- NetScaler VPX: Virtual appliance hosted on enterprise hypervisors and cloud platforms
- NetScaler CPX: NetScaler appliance delivered as a Docker container
- NetScaler BLX: NetScaler designed to run natively on bare metal Linux running on commercial off-the-shelf server hardware
NetScaler MPX is a hardware-based appliance, running a single tenant of NetScaler firmware and offering performance throughput between 500MBps and 200 GBps.
NetScaler SDX is a hardware-based application delivery controller appliance aimed at enterprise and cloud datacentres. It supports the hosting of multiple NetScaler virtual appliance instances on a single hardware appliance and can be used for multi-tenancy.
NetScaler VPX is the virtual appliance form factor of NetScaler and can run on any enterprise hypervisor, public cloud (like Microsoft Azure, Amazon Web Services, Google Cloud Platform) or private cloud.
NetScaler VPX can support between 10GB and 100GB throughputs; however, there are limitations on the hypervisor support for the higher throughputs.
NetScaler VPX has full NetScaler firmware functionality (based on normal licenced options) and can be upgraded as part of the “pay as you grow” licence model. NetScaler VPX is available in 10, 25 and 200 MBps and 1, 3, 5, 8, 10, 15, 25, 40 and 100 GBps throughputs.
NetScaler CPX is a virtual appliance delivered as a Docker container. NetScaler CPX enables customers to leverage Docker engine capabilities and use NetScaler load balancing and traffic management features for container-based applications. You can deploy one or more NetScaler CPX instances as standalone instances on a Docker host.
The NetScaler BLX appliance is a software form factor of NetScaler. It is designed to run natively on bare-metal Linux on commercial off-the-shelf servers. As the NetScaler BLX runs as an application on the Linux server, it can run on the same host as other Linux-based applications, which makes NetScaler BLX cloud-ready as it can run on Linux-based servers deployed in the cloud.
NetScaler VPX Express is a free NetScaler virtual appliance that runs on any leading hypervisor or cloud and supports hybrid and/or multi-cloud deployments.
NetScaler Express does not require a licence. It provides the capabilities of the NetScaler standard edition and supports up to 20MBps of throughput and 250 SSL connections.
NetScaler has three product editions. Each edition provides extra features and functionality over the previous edition. Full details can be found in the product documentation.
- Standard edition
- Advanced edition
- Premium edition
These editions are available on both physical and virtual appliances and are offered with the following options.
- Perpetual and subscription (yearly and hourly)
- vCPU (virtual CPU) and bandwidth
- On-premises and cloud
The NetScaler can be directed to a Citrix Application Delivery Manager (ADM) appliance to retrieve its licence. The ADM appliance can hold pooled capacity licences, which allow for the sharing of bandwidth or instance licences across different NetScaler form factors.
Virtual CPU licences can be shared across instances. These pooled capacity licences can be used for instances that are in a datacentre or public cloud. When an instance no longer requires the resources, it checks the allocated capacity back into the common pool. You can reuse the released capacity for other NetScaler instances that need resources.
NetScaler Gateway can be purchased as a standalone product or as functionality within a NetScaler to provide full SSL VPN capabilities. NetScaler Gateway secures remote access to any client-server enterprise, Citrix or intranet applications.
Citrix ADC is the previous brand name for NetScaler.
NetScaler’s authentication, authorisation and auditing (AAA) features let the administrator enhance any normal traffic management virtual server. This allows policies to be configured that redirect incoming users to a AAA virtual server to be pre-authenticated, authorised and audited before accessing any corporate web applications from the internet.
A NetScaler virtual server (vServer) is an entity created on NetScaler to represent the application or service to the client. TCP and SSL connections are normally terminated on the vServer which normally has a routable IP address owned by the appliance.
NetScaler nCore technology relates to the NetScaler appliance's operating system being multi-core (CPU cores) aware. It allows the system's packet engines to leverage the high-performance multi-core hardware and parallel processing architecture to efficiently scale to meet the requirements of the most demanding web applications.
A NetScaler Subnet IP (SNIP) is an IP address defined on and used by the NetScaler to communicate to resources on that subnet. It uses the SNIP as the source address to proxy client connections to servers. An appliance can have multiple subnet IPs defined.
The NetScaler IP (NSIP) is the IP address where you access the NetScaler for management purposes. The appliance can only have one NSIP, which can’t be removed, and the NSIP should be a non-routable IP on the network.
A NetScaler virtual IP (VIP) is an IP address owned by the appliance and normally associated with a virtual server entity (common in load balancing deployments). The VIP can be any public or private address.
The NetScaler web application firewall (WAF) is a feature within the NetScaler platinum edition. When configured it prevents security breaches, data loss, and possible unauthorised modifications to websites that access sensitive data.
NetScaler and NetScaler Gateway with nFactor, smart control and smart access provide secure access and delivery of all Citrix published applications and virtualised desktops.
In addition, NetScaler global server load balancing (GSLB) can be used to add redundancy for remote access to multiple datacentre sites and support globally distributed disaster recovery scenarios.
NetScaler provides specific set-up wizards for common Citrix virtual apps and desktop deployments. It also provides the deepest level of insight into ICA/HDX traffic, which gives Citrix administrators a single point of end-user experience monitoring and reporting for the corporate Citrix environment.
NetScaler automatically saves the configuration file (ns.conf) 5 versions back in /flash/nsconfig. Additionally, if a manual system backup is performed using the CLI command “create system backup -level basic|full”, the resulting zip file is stored in the /var/ns_sys_backup directory. This can also be downloaded from the device and used to recover, should there be a complete appliance failure.
Within the NetScaler management GUI, there is the option to perform a full backup or restore of the NetScaler appliance. The file created in the full backup is a .zip file that can be downloaded from the appliance and kept safe in case of recovery.
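Because earlier copies of ns.conf are retained in /flash/nsconfig, a downloaded copy of the current file can be compared with an earlier one to review what changed between saves. The sketch below is an added example, not Citrix or NetScaler tooling; the watchlist of command prefixes and both sample configurations are constructed for illustration.

```python
import difflib

# Illustrative watchlist (an assumption, not a NetScaler-defined set):
# configuration commands whose appearance or removal deserves a review.
SENSITIVE_PREFIXES = (
    "add system user", "set system user", "bind system user",
    "add ns ip", "set ns ip", "rm ns ip",
    "set ssl", "bind ssl", "unbind ssl",
)


def config_lines(text):
    """Return config commands with whitespace normalised, skipping comments."""
    lines = []
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("#"):
            lines.append(line)
    return lines


def diff_configs(old_text, new_text):
    """Return (added, removed) command lines between two ns.conf versions."""
    added, removed = [], []
    for entry in difflib.ndiff(config_lines(old_text), config_lines(new_text)):
        if entry.startswith("+ "):
            added.append(entry[2:])
        elif entry.startswith("- "):
            removed.append(entry[2:])
    return added, removed


def flag_sensitive(lines):
    """Keep only the lines that start with a watchlisted command prefix."""
    return [l for l in lines if l.lower().startswith(SENSITIVE_PREFIXES)]


# Constructed sample: an earlier saved configuration.
PREVIOUS = """
# constructed sample, not from a real appliance
add ns ip 192.0.2.10 255.255.255.0 -type SNIP
add lb vserver vs_web HTTP 192.0.2.20 80
add system user opsadmin REDACTED
bind system user opsadmin superuser 100
"""

# Constructed sample: the current configuration.
CURRENT = """
# constructed sample, not from a real appliance
add ns ip 192.0.2.10 255.255.255.0 -type SNIP
add lb vserver vs_web HTTP 192.0.2.20 80
add lb vserver vs_api HTTP 192.0.2.21 80
add system user opsadmin REDACTED
bind system user opsadmin superuser 100
add system user helpdesk2 REDACTED
bind system user helpdesk2 superuser 100
"""

if __name__ == "__main__":
    added, removed = diff_configs(PREVIOUS, CURRENT)
    for line in flag_sensitive(added):
        print("REVIEW added:  ", line)
    for line in flag_sensitive(removed):
        print("REVIEW removed:", line)
```

To use it on real data, read the two downloaded files and pass their contents to diff_configs in place of the constructed samples.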
NetScaler system logs are stored in the /var/nslog directory on the NetScaler.
Qualys SSL Labs provides a free online service that performs a deep analysis of the configuration of any SSL web server on the public internet. The result of the analysis is delivered as a rating, A+ being the very best and most secure.
The NetScaler can be configured to achieve an A+ rating; see the NetScaler product documentation.
NetScaler deployed in the demilitarised zone (DMZ) can be secured and hardened. There are multiple mechanisms around systems management, authentication, monitoring, and logging that can be utilised depending on your specific security requirements. The systems can utilise independent management networks to isolate the admin traffic.
Role-based access can also be configured and combined with external authentication services like Microsoft Active Directory or TACACS+.
Additionally, if a single management pane of glass is required for multiple NetScaler appliances (VPX, MPX, SDX, CPX & BLX) then NetScaler ADM can be deployed to centrally manage the Citrix networking estate.
NetScaler high availability (HA) is the deployment of two NetScaler appliances to provide a fault-tolerant configuration, ensuring uninterrupted operation should one appliance fail.
One appliance is configured as the primary and the other as the secondary. The primary appliance handles the traffic load and is known as the active node. The secondary monitors the primary node and, if for any reason the primary node fails, the secondary takes over.
A NetScaler cluster is a group of appliances working together as a single system image. Each appliance of the cluster is called a node. The cluster can have one appliance or as many as 32 NetScaler hardware or virtual appliances as nodes (the recommendation is n + 1 appliances in a cluster where n = the number of appliances that can handle user load comfortably). The client traffic is distributed between the nodes to provide high availability, high throughput, and scalability.
Global server load balancing (GSLB) is the ability to intelligently distribute network traffic across server resources located in multiple geographic locations. The servers can be on-premises, hosted datacentres or in the cloud.
NetScaler GSLB requires an advanced or premium edition licence on all NetScalers participating in the GSLB configuration.
If you have to log a support call with Citrix, they will often request you create and upload a NetScaler support bundle. This is a file that contains all the NetScaler configuration files, all the log files and core files.
It also contains the output of command line interface (CLI) and Berkeley Software Distribution (BSD) commands, allowing support to understand the NetScaler configuration and perform initial troubleshooting before requiring remote access to the NetScaler with the issue reported.
The NetScaler support bundle is created either via the management GUI, in the system > diagnostics section of the menu or by entering the CLI command “show techsupport” at the console.
The NetScaler support bundle is created in the directory /var/tmp/support/support.tgz
NetScaler complements existing network firewalls by operating at layer 4-7 to inspect web content requests and responses with its web application firewall module to prevent application layer attacks. NetScaler can provide PCI DSS compliance reports for audit purposes and both simple and extended access control lists (ACLs) where required.
NetScaler has a built-in domain name server (DNS) functionality to support an authoritative domain name server (ADNS) as well as DNS security and proxy capabilities.
The NetScaler can be configured to intercept and process SSL traffic and then send the decrypted traffic to the back-end server. By doing this the NetScaler can perform the process-intensive encryption/decryption and allow the back-end server to use its compute cycles to deliver content.
Configuring SSL offloading requires an SSL certificate and key pair to be installed on the NetScaler, which you must obtain if you do not already have an SSL certificate.
The NetScaler can be upgraded through either the management GUI or via the console. Either way, you must first download the version of firmware you require from the Citrix downloads webpage and then perform the upgrade. After an upgrade of the firmware, there will need to be a reboot of the appliance and as such a break in availability.
Full instructions on upgrading a NetScaler can be found in the online documentation: Upgrade a NetScaler standalone appliance | NetScaler 14.1
Upgrading a NetScaler HA pair is much the same as upgrading a standalone appliance with the recommendation that you upgrade the secondary appliance first, test all is OK and then upgrade the primary appliance.
Full details of the upgrade process can be found in the online documentation: Upgrade a high availability pair | NetScaler 14.1
Downgrading a NetScaler appliance can sometimes lead to configuration loss, so make sure you back up the running configuration first (nsconfig directory or ns.conf file, depending on the situation). Full instructions on the downgrade of a standalone appliance can be found in the NetScaler product documentation.
Please note that there is no management GUI option for downgrading a NetScaler; this can only be done via the command console and CLI commands.
In summary, back up the ns.conf, then rename ns.conf.NS<currentbuildnumber> to ns.conf; this will be the pre-upgrade configuration from the previous upgrade. If you have the build you want to roll back to already uploaded and unzipped in /var/nsinstall/, then re-run the ./installns script in the old build folder to re-install the old firmware and reboot. See Downgrade a NetScaler standalone appliance | NetScaler 14.1
A NetScaler appliance can be partitioned into logical entities called admin partitions. Each partition can be configured and used as a separate NetScaler appliance.
It must be noted that administration access to partitions is via the NSIP and users can be bound to a partition using role-based access.
Integrated caching allows the NetScaler to serve up static web content to users without requiring a round trip to the origin server. NetScaler uses in-memory storage for integrated caching.
When enabled, policies can be defined to control what is stored and for how long, allowing the NetScaler to serve dynamic content which is marked as non-cacheable by the web and application servers.
NetScaler Call Home monitors the NetScaler for critical events and will notify NetScaler/Citrix Support should there be any errors. With Call Home enabled, you don’t have to call NetScaler/Citrix support when there is an issue, and the system data is automatically uploaded before they troubleshoot. This reduces resolution time.
Yes. NetScaler Call Home is enabled by default but can be disabled through the management GUI.
When the NetScaler is deployed in front of an application server, it can optimise the distribution of traffic to those servers. Policies can be defined to segment traffic using the content of an HTTP or TCP request, L4-L7 header information, application data or cookies.
Numerous load balancing algorithms and server health checks will improve application availability by ensuring that client requests are directed to the appropriate servers.
NetScaler optimisation offloads resource-intensive operations, such as SSL processing, data compression, client keep-alive, TCP buffering, and the caching of static and dynamic content from servers.
The performance of the servers in the server farm is improved, which, by definition, improves application performance. A NetScaler appliance has inbuilt optimisation which helps reduce problems caused by high latency and congested network links. This, in turn, improves the delivery of applications while requiring no configuration changes to clients or servers.
NetScaler ADC can be configured to support Microsoft SharePoint. Using Citrix AppExpert templates within the NetScaler, a complete configuration can be set up and customised to suit your requirements.
Features specifically used in this configuration to enhance the performance and security of the Microsoft SharePoint deployment include integrated caching, compression, load balancing, responder, rewrite, content switching, SSL offload, AAA-TM and web application firewall (a NetScaler platinum edition licence is recommended).