Dream team: Nutanix and Citrix Workspace Cloud

Nutanix, the pioneer of truly converged infrastructure, and Citrix, the market leader in application and desktop virtualization, are pursuing the same goal with their current developments: giving IT organizations the time and capacity to concentrate on what really matters to the business.

With its Xtreme Computing Platform (XCP), Nutanix condenses the usual infrastructure components (storage, servers, hypervisor and management) into turnkey appliances that need nothing more than a data center network and, depending on the choice of hypervisor, the corresponding licenses. Why should companies spend horrendous effort and the associated operating costs running complex storage area networks, storage systems, server farms and management tools, only to finally be able to install their application systems on top? Because until now it was simply necessary. But it has never added value.

With its Workspace Cloud (CWC), Citrix now offers the option of consuming the base components and management infrastructure for its virtualization and mobility solutions as a service from the cloud and providing the actual workloads (VDI or hosted shared desktops) separately. Here too, corporate IT can concentrate on what people actually work with and where value is actually created: the work environments and applications for the business.

In combination this means that commodity components such as storage, servers, hypervisor and infrastructure are in place and ready to use. Time and energy can be invested in shaping the line-of-business applications and work environments. At the same time the company gains enormous flexibility to respond to requirements such as global presence, availability, scaling and disaster recovery, because both vendors offer open interfaces to clouds such as AWS and Azure. Under the central control of CWC, Citrix desktops and applications can be rolled out on AWS (or most other clouds, public or private) and delivered to users within minutes, and workloads on the Nutanix XCP can be converted and moved to Azure "just like that".

At our customers, these possibilities, along with the performance Nutanix delivers, repeatedly lead to shining eyes. Have you experienced it too?

Get number of ports/connections used on NetScaler SNIP/MIP

In the old days there was a one-command solution for getting the number of ports used and available on your NetScaler IPs (most interestingly MIPs and SNIPs). These days this command, which I will not state here because it is far too powerful to publish casually, shows useless numbers with six or even seven digits. No idea why, and Tech Support was not able to tell me either.

There are no statistics on how many ports are already in use on your SNIPs and MIPs, so you cannot set alarms and plan for provisioning additional IPs for back-end communication early enough, before the sockets are eaten up. You could go counting in the connection table, and that is what this command does for you. Go to the shell and run:

nscli -U :<user>:<password> sh connectiontable | cut -d " " -f 1 | grep <ip> | wc -l

Word count (wc) will give you the number of lines and thus the number of connections originating from that IP (by cutting after the first field, which is SOURCEIP, we only get the outbound connections).

Note: the password might need single quotes to protect special characters.
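To turn the count into something you can alert on, the following added example (not part of the original post) counts connections per source IP and compares the result with a threshold. It matches the IP exactly, so 10.0.0.5 is not confused with 10.0.0.50 as a plain grep would do. The function names, the threshold and the sample table are assumptions made for illustration; the only thing taken from the post is that the source IP is the first field.

```shell
#!/bin/sh
# Added example (not from the original post): per-source-IP connection count
# with an exact match on the first column and a warning threshold.
# Assumption: connection-table text arrives on stdin, whitespace-separated,
# with the source IP as the first field (as the post states).

# count_source <ip>: number of rows whose first field is exactly <ip>.
count_source() {
    awk -v ip="$1" '$1 == ip { n++ } END { print n + 0 }'
}

# top_sources: "<count> <ip>" for every source IP, busiest first.
# The header row is skipped because its first field is not an IPv4 address.
top_sources() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { c[$1]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# port_status <ip> <warn_threshold>: "WARN <n>" at or above the threshold,
# otherwise "OK <n>". The threshold is a hypothetical value you choose.
port_status() {
    n=$(count_source "$1")
    if [ "$n" -ge "$2" ]; then echo "WARN $n"; else echo "OK $n"; fi
}

# Constructed sample, not real appliance output.
sample_table() {
    cat <<'EOF'
SRCIP        SRCPORT  DSTIP          DSTPORT  SVCTYPE  IDLTIME  STATE
10.0.0.5     40112    192.168.10.21  443      TCP      12       ESTABLISHED
10.0.0.5     40113    192.168.10.21  443      TCP      3        ESTABLISHED
10.0.0.50    51200    192.168.10.22  80       TCP      40       TIME_WAIT
172.16.4.9   33010    10.0.0.5       443      TCP      1        ESTABLISHED
10.0.0.5     40114    192.168.10.23  8080     TCP      0        ESTABLISHED
110.0.0.5    60001    192.168.10.21  443      TCP      7        ESTABLISHED
EOF
}

sample_table | port_status 10.0.0.5 3   # exact match only
sample_table | top_sources              # all source IPs, busiest first
```

On the appliance, pipe the output of the `sh connectiontable` command above into `port_status <ip> <threshold>` instead of the sample table.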

NetScaler 11 "ION" Admin Partitions

We have known for well over a year that they are coming, and they have already been made available in the current Enhancement Build releases (".e" builds): Admin Partitions.

Thanks to Citrix Synergy currently spitting out official news, we can now talk about many things more openly. Among these is the upcoming release of NetScaler 11.0, codename ION. Expected sometime during summer 2015, ION will bring loads and loads of fascinating features I would like to rave about, but for now let's have a look at Admin Partitions.

Admin Partitions are mainly driven by many Cisco ACE migrations, where admins used the so-called Contexts to separate applications, traffic, resources and administrative access. NetScaler provides similar possibilities through SDX instances and Traffic Domains, where SDX means total separation including firmware versions and Traffic Domains allow separation of traffic flows within a single instance (or MPX), but without administrative separation. Admin Partitions now close that last gap and deliver a full match for ACE Contexts, allowing 500 partitions on a single NetScaler instance to separate all layers including administration and resources.

While not overly interesting for many original ADC deployments, this massively supports migration of larger ACE installations. Imagine a deployment with 25 ACE Contexts; until today the answer was to get SDX appliances, put multiple instances on them and think about which workloads and tasks from the 25 Contexts could be combined in the same instances, if you did not opt for the larger SDXes that provide 40 or 80 instances. And to be honest, not many deployments need the raw throughput of those big boxes, and if they do, their CPU core count might soon limit the number of instances well below the theoretically possible number. With ION you will be able to provision fewer instances with solid resource assignments and split them up internally again in the known manner of Contexts to provide separate administration, traffic flow and resource allocation.

Update your NetScalers – DoS vulnerability in 10.5!

This is the first vulnerability in years that sounds serious, and this one seems to be remotely exploitable. Affected are ADCs and Gateways with firmware 10.5 between build 52.11 and build 55.8 inclusive, and 10.5.e Build 53-9010.e only.

Support article CTX200861 shows that Citrix Support knew about the issue from April 1st on, but did not publish until April 30th. Updated firmware builds are available.

NetScaler AppFW – Basic Configuration

While our fully booked TechTalk on "Hyper-V: Alternative to VMware?" took place this morning, registration is already open for the next one: on 12 May 2015 I will talk about the NetScaler Web Application Firewall: "Set it up, switch it on, be secure?"

There will be sandwiches and drinks for breakfast, a talk and a demo. Seats are limited, so it is best to register right away.

NetScaler 10.5 build 56.12 eliminates Java

Really. End-to-End. Finally. What was promised, expected and not completely fulfilled with 10.5 initially might now be true with the latest build.

56.12 appeared as if nothing special had happened on March 31st. Just today I luckily updated a customer with easy change management and we went straight to the latest build. Behold my wide eyes – visualizers, diagnostics and even the AppFW profiles do NOT trigger the Java applet anymore! I did not do a full walkthrough yet, but I don’t know of any relevant modules of Configuration Utility that might be missing so far.

What a great day! 😀

TechTalk: Hyper-V: Alternative to VMware?

After the two CeBIT specials last week, we continue our "TechTalk" event series on April 21 with the topic "Hyper-V: Alternative to VMware?"

As a Microsoft Most Valuable Professional for Hyper-V, Nils Kaczenski can of course be suspected of a certain bias; nevertheless, on 21 April 2015 from 8:30 he will take an open and precise look with you at how the two market-leading server virtualization solutions compare.

Which features do companies actually need in practice, how are requirements and concepts implemented, what distinguishes Hyper-V, and where does VMware possibly still have a lead? In the end you will be able to judge for yourself whether Hyper-V is an attractive alternative for your company and which advantages it may even offer you. Whichever way you decide, we are at your side as a competent partner on both paths, so you can expect truly independent advice from us.

Agenda:
8:30: Reception with sandwiches
9:15: Hyper-V: Alternative to VMware?
10:00: Time for conversations

Register here – the number of participants is limited to keep the group small and interactive.

Updating NetScaler Gateway using custom theme

Since version 10.1, NetScaler (Gateway) uses a new mechanism for deploying and maintaining custom design themes for login pages. This works quite a bit better than the old way with manual boot scripts to copy customized files. But it is still prone to issues, especially after updating the NetScaler firmware.

Before updating firmware, make sure to set the theme back to "Default". This will not impact your users, because you do this on the SECONDARY node in your HA pair, which is not taking connections at that time. After the update, set the theme to "Custom" again and re-implement the customization, force an HA failover and repeat on the other node.

What might happen if you deviate from this procedure? There are a couple of chances to mess things up:

  • Login to the admin UI fails or the UI malfunctions. The Configuration Utility is part of the ns_gui folder that is deployed through the custom theme mechanism. If the theme stays at "Custom", the updated files will not be part of the customized ns_gui folder, and thus the admin UI will be old and possibly incompatible with the new firmware.
  • Login through NetScaler Gateway and AAA-TM fails or malfunctions. If the files for login, tmlogin et al. are not updated, they might be missing changes needed to function correctly with the new firmware. Furthermore, the client components (Gateway Plugin, EPA Plugin) will not be updated, and establishing an SSL-VPN in particular will subsequently fail.
  • Update-downgrade loop of the Gateway Plugin: Even if you noticed that the client components need an update, manually uploaded the new AGEE_setup.exe to your NetScaler Gateway (after manually updating the admin_ui folder in your ns_gui_custom folder to be able to log in again…) and your clients have updated successfully, they will still fail to establish SSL-VPN connections. First they were told they need to update the Gateway Plugin to a new version, which they thought they downloaded from the NetScaler Gateway, but they got the same old version. Now they have the new version installed, but upon connection they will be told they need to downgrade to an older version, after which they would be told to update again. This is due to another file not being updated, one that compares the client's version to its own information, which still has the old firmware version.

There might be even more issues, but at least these have been seen in the wild already. So make sure to simply go back to default and redo the customization. A script for creating the archive out of the newly customized files might be helpful. Yes, the archive. Make sure to recreate it after every customization, because it will be extracted and its contents will be used upon every NetScaler boot.

Update: Thanks to Stuart Carroll (@stuart_carroll) for the comment on using the Rewrite feature to modify default themes to reduce risks even more. Whenever possible (the complexity of customization is limited, of course), this is the best way to go. See our (German, sorry) post on using Rewrite for customizing the Clientless Access view to get an idea of that.