NetScaler Times Newsletter for Week 50
12th Dec 2022
Hello everyone! We have a mix of updated links, and articles for all things NetScaler related! The sections are:
1. A dive into a recent hardware appliance, hello 16K!
2. Build updates.
3. Useful articles from Citrix Cloud Developer forum.
4. Citrix Blogs worth another look
5. AOB
BTW. I am still transitioning back to the NetScaler name, so there might be a mix of references!
There are a number of different Citrix products covered here. The Citrix ADC/NetScaler is an Application Delivery Controller that runs in the cloud and on-prem. It is supported by a management platform called Citrix Application Delivery Manager (ADM for short) which can run as a service or on-prem.
1. NetScaler 16000 platform
At the start of October, a new NetScaler hardware appliance was released. I know a lot of customers are moving over to a software-based solution with automation with different tools. There are still some cases where a big(ish) box is really the best way to solve a problem.
I know what you are thinking, so what? What could be special about this appliance?
The NetScaler has always had a pretty good option for scaling, you buy a box with 20Gbps of throughput and there is an option to scale it up to 120Gbps without changing the chassis. There is a software key, and it just unlocks the capacity. We have updated that more recently with flexible options like pooled capacity, so that the capacity can be placed in different DC’s if you need it.
What about this 16k then?
There are some differences over what has gone before with this system, the short version is:
1. SDX and MPX are different boxes. As long as I have worked on NetScaler, the SDX and MPX were the same, if you bought a MPX you could convert it to SDX using a SSD kit. Just order the kit and it would flash the BIOS and convert the appliance to SDX. This was a one-way trip!
The 16k will have different systems for each type, you get what you buy and that is it. There are no plans for a field upgrade kit.
2. MPX and SDX have different memory assignments(another reason why they are different)
a. MPX - 128GB
b. SDX - 256GB, to allow support for 55 instances!
Common bits:
3. It starts at 30GBps and scales to 200GB! WooHoo!
4. The ports are 4 x 100G QSPF56 + 8 x 25GE SPF28.
As I said, sometimes you just need a box. When you have one that scales like this, it will last a while!
2. Build updates for this week.
Firmware gets changed from time to time, here are the most recent builds in each appliance type. These were first mentioned in the two Week 48 newsletters, but if you missed those here are the latest versions.
Unchanged - Current ADC Build. Dec 1, 2022, Citrix ADC 13.1-37.38.
Here are the release notes for this one:
Unchanged - Current ADM Build. Nov 29, 2022, Citrix ADM 13.1 Build 37.38
Here are the release notes for this one:
Unchanged - Citrix App Delivery and Security Service. Release 13.1-39.43
https://docs.citrix.com/en-us/citrix-app-delivery-and-security/whats-new.html
Updated - ADM Service. Release 13.1–40.25
Analytics
Discontinuation of Advanced Security Analytics for the premium licensed ADC instances
Citrix ADM no longer supports Advanced Security Analytics for the premium licensed ADC instances. With this upgrade, in the Citrix ADM GUI:
· The existing configurations in Advanced Security Analytics and the associated behaviour-based violations are now not visible.
· The visibility of the other Bot and WAF violations remain unchanged. For more information, see the Violation Categories.
· The Splunk and New Relic export are supported only with WAF and Bot violations.
Configure an action policy from Web Insight
In Web Insight, you can now configure an action policy from graph trend for the following metrics:
· Client Network Latency
· Server Network Latency
· Server Processing Time
As an administrator, when you notice any unusual traffic pattern or a sudden spike in these metrics for any application, this enhancement enables you to create a relative action policy by clicking Create Action Policy after placing it on a specific point in the graph.
Action policy - Add multiple applications
When you configure an action policy for Client Network Latency, Server Network Latency, and Server Processing Time, you can now select multiple applications using the IN operator and apply them in a single policy.
3. Citrix Developer Cloud Forum.
Richard Faulkner has been busy, he posted several useful documents last week, here are a couple of favourites.
Protecting Gateway vservers
Many NetScaler ADC appliances host VPN and NetScaler Gateway deployments that also provide security protections to other web applications. This PoC guide is designed to help protect VPN and Gateway virtual servers using tools already available on the NetScaler ADC appliance. This guide covers protecting the portal login page with Bot security and protecting the credential form submission with WAF capabilities. Also, advanced authentication policies add context to user logons and enable multifactor authentication.
https://forum.developer.cloud.com/s/article/protect-gateway-waf-bot-aaa
Always on VPN
Richard also posted a video on the use of setup of AO vpn
https://forum.developer.cloud.com/s/article/alwayson-vpn
Dig or NSlookup missing?
Steven did a great walk through to explain why nslookup might have gone walk about!
4. Citrix Blogs worth another look
Sanyukta did a great write up on how to ‘Improve your security posture with Security Advisory in Citrix ADM service’. I come back to this ever so often as there is a lot to pick over.
Naturally, it is from last year. I just love the options it offers, when you have a number of boxes to manage, anything that makes you look good is great to have!
5. Other links
Government, politics, and policy
Japan to go on the cyber-offensive: The Japanese government is working to amend its National Security Strategy law to allow government agencies to conduct pre-emptive cyber-attacks against threat actors they might deem a potential threat. In its current form, Japanese law allows the country to respond with offensive cyber-attacks only in the case of a military attack. The Japanese government's efforts come after the Australian government said they would go after hacker groups as a pre-emptive measure before threat actors can get to attack Australian organisations. [Original coverage in Nikkei, non-paywall version here]
Have a great week!