CloudBridge 7.0 2015-06-28 04:37:43 UTC © 2015 Citrix Systems, Inc. All rights reserved. Terms of Use | Trademarks | Privacy Statement
CloudBridge 7.0 - Citrix Product Documentation

Mar 08, 2023

Khang Minh
Contents

CloudBridge 7.0 ............................................................................................... 15

CloudBridge 7.0 .................................................................................. 16

Release Notes ............................................................................... 17

Branch Repeater 7.0 RN.............................................................. 18

Main Release...................................................................... 19

Enhancements .............................................................. 20

GUI Navigation Changes ................................................... 22

Known Issues and Workarounds .......................................... 25

Compatibility................................................................ 31

Licensing, Upgrading, and Downgrading ................................ 38

Contacting Customer Support ............................................ 42

Maintenance Release............................................................ 43

Release 7.0.1................................................................ 44

Bug Fixes ............................................................... 45

Known Issues and Workarounds..................................... 47

Compatibility................................................................ 53

Licensing, Upgrading, and Downgrading ................................ 60

Contacting Customer Support ............................................ 64

Introduction to the CloudBridge Product Family ...................................... 65

CloudBridge Features and Benefits ................................................. 66

How CloudBridge Works .............................................................. 67

Compression Overcomes Low Link Speeds ................................... 68

Lossless Flow Control Overcomes Congestion ............................... 70

TCP Optimizations Overcome Troubled Links ............................... 71

Application Optimizations Overcome Design Limitations.................. 72

Multiple Optimizations Enhance XenApp/XenDesktop Performance 73

Autodetection Simplifies Deployment ........................................ 74

Product line ............................................................................ 75

Product Selection and Deployment................................................. 77

Product Selection by Capacity ................................................. 79

Product and Mode Selection by Datacenter Topology...................... 81

Sites with One WAN Router ............................................... 83

Sites with Multiple WAN Routers......................................... 86

Supported Mode/Feature Combinations ................................ 89

Recommendations for Supporting VPNs................................. 90

Supporting CloudBridge Plug-in With Citrix Access Gateway VPNs 92

What Happens if the Appliance Fails .................................... 93

Product Selection and Deployment ...................................................... 94

Product Selection by Capacity ...................................................... 96

Product and Mode Selection by Datacenter Topology ........................... 98

Sites with One WAN Router .................................................... 100

Sites with Multiple WAN Routers .............................................. 103

Supported Mode/Feature Combinations...................................... 106

Recommendations for Supporting VPNs ...................................... 107

Supporting CloudBridge Plug-in With Citrix Access Gateway VPNs 109

What Happens if the Appliance Fails ......................................... 110

CloudBridge 2000 and 3000 Appliances ................................................. 111

CloudBridge 2000 & 3000 ............................................................ 112

Hardware Installation ........................................................... 113

Introduction to the Hardware Platforms................................ 114

Common Hardware Components.................................... 115

Ports ............................................................... 116

Field Replaceable Units ........................................ 118

Power Supply ............................................... 119

Solid-State Drive ........................................... 122

Citrix CloudBridge 2000 .............................................. 124

Citrix CloudBridge 3000 .............................................. 126

Summary of Hardware Specifications.............................. 128

Preparing for Installation ................................................. 130

Unpacking the CloudBridge Appliance ............................. 131

Preparing the Site and Rack......................................... 132

Cautions and Warnings ............................................... 134

Installing the Hardware ................................................... 137

Rack Mounting the Appliance ....................................... 138

Connecting the Cables ............................................... 140

Switching on the Appliance ......................................... 143

Assigning IP Addresses .......................................................... 144

Configuring the CloudBridge Appliance ...................................... 145

Managing the Appliance......................................................... 151

CloudBridge 4000 and 5000 Appliances ................................................. 153

BRSDX 7.0............................................................................... 154

Overview .......................................................................... 156

Internal Architecture ...................................................... 158

Configuration and Control ................................................ 159

External Architecture...................................................... 162

Deployment Topology...................................................... 163

One-Arm Mode (WCCP)............................................... 164

Two-Arm Mode (Inline)............................................... 165

High Availability Deployments ...................................... 167

Hardware Platforms ............................................................. 168

Introduction to the Hardware Platforms................................ 169

Hardware Components ............................................... 170

Ports ............................................................... 171

Field Replaceable Units ........................................ 173

Power Supply ............................................... 174

Solid-State Drive ........................................... 177

Hard Disk Drive ............................................. 179

Hardware Platforms .................................................. 180

Citrix CloudBridge 4000 ........................................ 181

Citrix CloudBridge 5000 ........................................ 183

Summary of Hardware Specifications.............................. 185

Preparing for Installation ................................................. 187

Unpacking the Appliance ............................................ 188

Preparing the Site and Rack......................................... 189

Cautions and Warnings ............................................... 191

Installing the Hardware ................................................... 194

Rack Mounting the Appliance ....................................... 195

Installing and Removing 1G SFP Transceivers 200

Installing and Removing 10G SFP+ Transceivers 203

Install Fiber Patch Cable in Ports 10/3 and 10/4 205

Install Fiber Patch Cable in Ports 10/3 and 10/4 207

Connecting the Cables ............................................... 210

Switching on the Appliance ......................................... 212

Lights Out Management Port of the CloudBridge 4000/5000 Appliance .................................................................... 213

Planning the Deployment....................................................... 216

Sizing Guidelines ........................................................... 217

Selecting a Deployment Mode ............................................ 218

Selecting a Load Balancing Method...................................... 220

Gathering Information Needed for Configuration ..................... 222

Hardware Platforms ............................................................. 223

Introduction to the Hardware Platforms................................ 224

Hardware Components ............................................... 225

Ports ............................................................... 226

Field Replaceable Units ........................................ 228

Power Supply ............................................... 229

Solid-State Drive ........................................... 232

Hard Disk Drive ............................................. 234

Hardware Platforms .................................................. 235

Citrix CloudBridge 4000 ........................................ 236

Citrix CloudBridge 5000 ........................................ 238

Summary of Hardware Specifications.............................. 240

Preparing for Installation ................................................. 242

Unpacking the Appliance ............................................ 243

Preparing the Site and Rack......................................... 244

Cautions and Warnings ............................................... 246

Installing the Hardware ................................................... 249

Rack Mounting the Appliance ....................................... 250

Installing and Removing 1G SFP Transceivers 255

Installing and Removing 10G SFP+ Transceivers 258

Install Fiber Patch Cable in Ports 10/3 and 10/4 260

Install Fiber Patch Cable in Ports 10/3 and 10/4 262

Connecting the Cables ............................................... 265

Switching on the Appliance ......................................... 267

Lights Out Management Port of the CloudBridge 4000/5000 Appliance .................................................................... 268

Planning the Deployment....................................................... 271

Sizing Guidelines ........................................................... 272

Selecting a Deployment Mode ............................................ 273

Selecting a Load Balancing Method...................................... 275

Gathering Information Needed for Configuration ..................... 277

Initial Configuration ............................................................. 278

Prerequisites ................................................................ 279

Deployment Worksheet.................................................... 281

Accessing the Appliance................................................... 288

Configuring the Appliance ................................................ 289

Deployment Modes............................................................... 299

WCCP Mode.................................................................. 300

Best Practices ......................................................... 303

Known Limitations .................................................... 305

Configuring WCCP Setup on the Network ......................... 306

Configuring the NetScaler Instance for WCCP 307

Adding a Subnet IP ......................................... 308

Adding Virtual IP Addresses 309

Configuring Network Address Translation 311

Adding a Static Route ..................................... 314

Modifying Load Balancing Virtual Servers 316

Saving the NetScaler Instance Configuration 317

Configuring a Router in Standard WCCP Mode 318

Configuring accelerators for WCCP Negotiation 320

Verifying the WCCP Mode ...................................... 328

Inline Mode .................................................................. 329

Deployment Topology ................................................ 330

Known Limitations .................................................... 333

Prerequisites........................................................... 334

Port Affinity and VLANs .............................................. 335

VLAN Trunking......................................................... 337

Ethernet Bypass ....................................................... 339

Configuring Inline Mode.............................................. 340

Configuring the High Availability Setup on the Appliances 345

Evaluating the Configuration................................................... 349

Managing the Appliance......................................................... 352

Managing the Appliance by using the Management Service 353

Automatically Configuring CloudBridge Devices 354

Platforms Supported ............................................ 355

Registering a CloudBridge Appliance with Citrix Command Center ................................................ 356

Updating the appliance through the Management Service 358

Managing Client Sessions............................................. 359

Configuring User Accounts........................................... 360

SNMP Trap Destinations .............................................. 363

Restarting the Management Service ............................... 364

Upgrading the Management Service................................ 365

Uploading the Management Service Build and Documentation Files ............................................ 366

Upgrading the Management Service to a Later Version 368

Upgrading the XenServer Software................................. 369

Backing Up and Restoring the Configuration Data of the Appliance............................................................... 370

Performing a Factory Reset ......................................... 372

Removing Management Service Files .............................. 374

Generating a Tar Archive for Technical Support 375

Managing the NetScaler Instance ........................................ 376

Saving the Configuration............................................. 377

Upgrading a NetScaler Instance .................................... 378

Uploading NetScaler Resources ............................... 379

Upgrading the Instance ......................................... 382

Deleting the NetScaler Instance .................................... 383

Managing a NetScaler Instance ..................................... 384

Removing NetScaler Instance Files................................. 385

Managing a CloudBridge Accelerator .................................... 386

Configuring CloudBridge Instances by using CloudBridge Accelerator Interface ................................................ 387

Managing Individual CloudBridge Accelerator 388

Upgrading a CloudBridge Accelerator.............................. 389

Deleting the CloudBridge Instance ................................. 390

Managing the Appliance ................................................... 391

Modifying the Network Configuration of the Appliance 392

Changing the Password of the Default User Account 393

Configuring Clock Synchronization ................................. 394

Installing an SSL Certificate on the Appliance 397

Restarting the Appliance ............................................ 398

Shutting Down the Appliance ....................................... 399

Modifying the Time Zone on the Appliance ....................... 400

Modifying System Settings ........................................... 401

Upgrading the Resources ............................................ 402

Monitoring the Appliance ....................................................... 403

Monitoring the Appliance by using the Home Page ................... 404

Monitoring the Appliance ................................................. 406

Load Statistics ......................................................... 407

Connections ...................................................... 408

Traffic ............................................................. 410

Advanced ......................................................... 417

Monitoring with AppFlow ............................................ 418

Prerequisites ..................................................... 420

Enabling AppFlow Monitoring .................................. 421

Using AppFlow with Splunk .................................... 422

Viewing the SSL Certificate on the Management Service 423

Viewing the Properties of the Appliance.......................... 424

Viewing Real-Time Appliance Throughput ........................ 427

Viewing Real-Time CPU and Memory Usage ...................... 428

Viewing CPU Usage for All Cores ................................... 429

Monitoring the NetScaler Instance....................................... 430

Viewing the Properties of the NetScaler Instance 431

Viewing the Running and Saved Configuration of a NetScaler Instance ................................................................ 432

Pinging a NetScaler Instance ........................................ 433

Tracing the Route of a NetScaler Instance........................ 434

Rediscovering a NetScaler Instance ................................ 435

Monitoring the CloudBridge Instance.................................... 436

Viewing the Properties of the CloudBridge Instances 437

Viewing the Running and Saved Configuration of a CloudBridge Instance ................................................. 440

Pinging a CloudBridge Instance ..................................... 441

Tracing the Route of a CloudBridge Instance 442

Rediscovering Instance............................................... 443

Monitoring Operations and Events by Using Logs ...................... 444

Viewing Audit Logs.................................................... 445

Viewing Task Logs..................................................... 447

Viewing Events ........................................................ 449

CloudBridge VPX ............................................................................ 450

CloudBridge VPX Usage Scenarios................................................... 452

System Requirements and Provisioning ............................................ 457

Installing CloudBridge Virtual Appliances on XenServer......................... 461

Installing CloudBridge Virtual Appliances on VMware ESX ...................... 469

Installing CloudBridge Appliances on the Microsoft Hyper-V Platform........ 488

Installing CloudBridge VPX on Microsoft Server 2008 R2................... 491

Installing CloudBridge VPX on the Microsoft Server 2012.................. 495

Installing the CloudBridge Virtual Appliances on Amazon AWS ................ 498

Disabling the Source/Destination Check Feature ........................... 504

Configuring SNMP Monitoring on the CloudBridge AMI on AWS ........... 505

Limitations and Usage Guidelines for CloudBridge AMI Instances on AWS ................................................................................ 507

Supported Modes ...................................................................... 508

Features...................................................................................... 509

Compression............................................................................ 510

How Compression Works ........................................................ 511

Enabling or Disabling Compression ............................................ 513

Measuring Disk Based Compression Performance ........................... 514

CloudBridge Connector ............................................................... 516

Understanding CloudBridge Connector ....................................... 517

Configuring CloudBridge Connector Tunnel between two Datacenters 519

Configuring CloudBridge Connector between Datacenter and AWS Cloud............................................................................... 523

Prerequisites ................................................................ 526

NetScaler CloudBridge VPX License................................. 527

Installing NetScaler VPX on AWS.................................... 528

How NetScaler VPX on AWS Works ............................ 529

ENI Support ....................................................... 532

Limitations and Usage Guidelines............................. 533

Launching the NetScaler VPX for AWS AMI 534

Launching NetScaler VPX for AWS by Using the Amazon GUI and CLI toolkit 535

Using the Citrix CloudFormation Template to launch CloudBridge VPX for AWS ................................. 548

Launching NetScaler VPX by using the AWS 1-Click 554

Verifying the NetScaler VPX on AWS Installation 561

Attaching Additional IP Addresses to an Instance 562

Downloading a NetScaler VPX License 564

Load Balancing Servers in different Availability Zones 565

High Availability ................................................. 566

Upgrading a NetScaler VPX instance on AWS 575

Changing the EC2 Instance Type of a NetScaler VPX Instance on AWS............................................ 576

Upgrading the Throughput or Software Edition for a NetScaler VPX Instance on AWS 577

Upgrading the System Software of a NetScaler VPX Instance on AWS............................................ 578

Upgrading to a New NetScaler AMI Instance by Using a NetScaler High Availability Configuration 579

Troubleshooting the NetScaler VPX on AWS 582

Installing NetScaler VPX in a Data Center......................... 583

Installing NetScaler Virtual Appliances on XenServer 584

Prerequisites for Installing NetScaler Virtual Appliances on XenServer.................................. 585

Installing NetScaler Virtual Appliances on XenServer by Using XenCenter ........................................ 588

Installing NetScaler 1000V Virtual Appliances on VMware ESX................................................................. 589

Prerequisites for Installing NetScaler Virtual Appliances on VMware .................................... 590

Installing NetScaler Virtual Appliances on VMware ESX 4.0 or Later and Verifying the Installation 594

Installing NetScaler Virtual Appliances on VMware ESX 3.5....................................................... 598

Installing Citrix NetScaler Virtual Appliances on Microsoft Hyper-V Servers...................................... 599

Prerequisites for Installing NetScaler Virtual Appliance on Microsoft Servers 600

Installing NetScaler Virtual Appliance on Microsoft Servers ....................................................... 602

Configuration Steps ........................................................ 604

Configuring CloudBridge Connector Tunnel between Datacenter and SoftLayer Enterprise Cloud..................................................... 608

Customizing the Ethernet ports..................................................... 610

Port Parameters.................................................................. 612

Accelerated Bridges (apA and apB) ........................................... 613

Motherboard Ports ............................................................... 615

VLAN Support ..................................................................... 616

HTTP Acceleration .................................................................... 617

Link Definitions ........................................................................ 619

The Default Link Definitions ................................................... 620

How the Traffic Shaper Uses Link Definitions .............................. 622

Configuring Link Definitions.................................................... 624

Inline Links .................................................................. 625

Non-Inline Links............................................................. 628

Secure Traffic Acceleration ......................................................... 630

Secure Peering ................................................................... 631

How Secure Peering Works................................................ 632

Generating Security Keys and Certificates ............................. 633

Configuring the Secure Signaling Tunnel ............................... 634

Joining a Windows Domain for CIFS/MAPI Enhancements ................. 638

How Joining a Windows Domain Works ................................. 639

Requirements ............................................................... 640

Joining the Windows Domain and Adding the Kerberos Delegate User........................................................................... 642

CIFS (Windows Filesystem) Acceleration ..................................... 646

CIFS Protocol Acceleration................................................ 649

Interpreting CIFS Statistics................................................ 652

CIFS Management Summary............................................... 653

Microsoft Outlook (MAPI) Acceleration ........................................ 654

SSL Compression ................................................................. 656

How SSL Compression Works.............................................. 657

Installing Server and Client Certificates ................................ 660

Using SSL Compression with the CloudBridge Plug-in................. 665

SCPS Support ........................................................................... 666

Traffic Classification.................................................................. 667

The Application Classifier ...................................................... 668

Service Classes ................................................................... 670

Differences Between Acceleration Decisions and Traffic Shaping Policies....................................................................... 671

Configuring Service Class Definitions.................................... 672

Traffic Shaping ........................................................................ 674

Traffic Shaping Changes Since Release 5.x .................................. 676

Weighted Fair Queuing.......................................................... 677

Traffic Shaping Policies ......................................................... 679

TCP Flow-Control Acceleration ..................................................... 682

Lossless, Transparent Flow Control ........................................... 683

Speed Optimizations ............................................................ 685

Autodiscovery and Autoconfiguration ........................................ 687

Softboost and Hardboost ....................................................... 689

Firewall Considerations ......................................................... 690

Video Caching.......................................................................... 692

Use Cases.......................................................................... 694

Configuring the Video Caching Feature ...................................... 696

Adding Video Websites .................................................... 699

Configuring the Maximum Size of the Cached Objects 701

Configuring the Default Domain Name.................................. 702

Updating the Video Caching Policy File................................. 703

Excluding a Server from Cache Engine Interception .................. 704

Monitoring......................................................................... 705

Upgrade and Downgrade Considerations ..................................... 707

Troubleshooting Video Caching................................................ 708

XenApp/XenDesktop Acceleration .................................................. 710

The CloudBridge Plug-in ................................................................... 712

Hardware and Software Requirements............................................. 713

How the CloudBridge Plug-in Works ................................................ 714

Transparent Mode................................................................ 715

Redirector Mode ................................................................. 718

How the Plug-in Selects an Appliance ........................................ 721

Deploying Appliances for Use with Plug-ins

Customizing the Plug-in MSI File

Deploying Plug-ins On Windows Systems

Installation

Troubleshooting Plug-ins

CloudBridge Plug-in GUI Commands

Basic Display

Advanced Display

Updating the CloudBridge Plug-in

CloudBridge (2.0) on AWS

Reference Material

Graphical User Interface

Using the Graphical User Interface

Dashboard Page

Features Page

Quick Installation Page

Monitoring Pages

Citrix (ICA/CGP)

Compression

Connections

Filesystem (CIFS/SMB)

Logging

Outlook (MAPI)

CloudBridge Partners

CloudBridge Plug-ins

Secure Partners

Server Load Indicator

Usage Graph

WCCP

Compression

LAN vs WAN

Link Usage

Service Classes

Top Applications

Traffic Shaping

Configuration Pages

Administrator Interface

Advanced Deployments

Application Classifiers

Licensing

Links

Logging/Monitoring

Network Adapters

CloudBridge Plug-ins

Secure Partners

Service Classes

SSL Acceleration

SSL Encryption

Traffic Shaping Policies

Tuning

Windows Domain

System Maintenance Pages

Backup/Restore

Clear Statistics

Date/Time

Diagnostics

Restart System

Update Software

Command Line Reference

CLI Navigation

System Tools

Licenses

Security

System Status

Ethernet Configuration

Bandwidth Configuration

Link Configuration

Service Class Configuration

Traffic Shaping Configuration

SNMP Configuration

Alert Configuration

WCCP Configuration

Logging

Proxy Configuration

Client Configuration

Group Mode Configuration

SSL Configuration

Test Mode Commands

CloudBridge 7.0

CloudBridge release 7.0 is compatible with partner appliances running previous Branch Repeater releases 5.0 and later, and Citrix Branch Repeater with Windows Server releases 2.0 and later. It can be used in a mixed environment that includes units running these older releases.

What's New in CloudBridge 7.0

This release supports hosting of CloudBridge VPX appliances on the Hyper-V 2012 virtualization platform. The CloudBridge Plug-in is now supported by the Microsoft Windows 8 operating system (32-bit and 64-bit versions of Enterprise Edition).

Release 7.0 adds a video caching feature to CloudBridge 600 and CloudBridge 2000 appliances. The CloudBridge user interface has been changed to provide a better user experience, with easier navigation, less clutter, and other usability improvements. The CloudBridge Connector feature of the Citrix CloudBridge appliance connects enterprise datacenters to external clouds and hosting environments, making the cloud a secure extension of the enterprise network.

For a summary of updates, see Release Notes.

Release Notes

Release notes describe the enhancements, changes, bug fixes, and known issues for a particular release or build of the Citrix CloudBridge 7.0 software. The release notes are categorized into:

• Main Release

• Maintenance Release

Main Release

CloudBridge release 7.0 is compatible with partner appliances running Branch Repeater release 5.5 or later, Branch Repeater with Windows Server release 2.0 or later, and CloudBridge release 6.2 or later. It can be used in a mixed environment that includes appliances running earlier releases.

Enhancements in this release include video caching and a redesigned administrative interface. Other key enhancements include support for hosting CloudBridge VPX on Microsoft Hyper-V 2012 and support for the CloudBridge Plug-in on Windows 8. Citrix recommends that you upgrade your appliance to this release if you need any of these features on the appliance.

Review the following sections:

• Enhancements

• GUI Navigation Changes

• Known Issues and Workarounds

Enhancements

The Citrix CloudBridge 7.0 release contains enhancements for the following CloudBridge (formerly Repeater) features.

Branding Changes

In release 7.0, the Branch Repeater and Repeater products are renamed as CloudBridge products, except the Repeater 8500 and Repeater 8800 series. The following table lists the product-name and model-number changes:

| Branch Repeater and Repeater | CloudBridge |
|---|---|
| Branch Repeater 100, 200, and 300 | Citrix CloudBridge 600 series |
| Branch Repeater with Windows Server (100, 200, and 300) | Citrix CloudBridge 700 series |
| Repeater 310, 500, and 1000 on SDX | Citrix CloudBridge 4000 series |
| Repeater 1500 and 2000 on SDX | Citrix CloudBridge 5000 series |
| Branch Repeater VPX | Citrix CloudBridge VPX |
| Repeater Plugin | CloudBridge Plugin |

New Improved User Interface

The CloudBridge user interface has been changed to provide a better user experience, with easier navigation, less clutter, and other usability improvements. The Dashboard page and Monitoring pages are reorganized for a better visual experience. The main navigation menu items are organized as tabs on the header, and the navigation options are reorganized. The header provides bread crumbs for tracing your navigation path.

Video Caching

Release 7.0 adds a video caching feature to CloudBridge 600 and CloudBridge 2000 appliances. Video caching improves the user experience for videos that are viewed more than once, especially on slower links, although the first viewing gains no benefit and proceeds at WAN speed. With video caching, video streams that are re-watched are delivered at LAN speed from a CloudBridge device, significantly improving the overall viewing experience and reducing WAN usage for subsequent viewers.

For more information on the supported use cases, see Video Caching.

Limitations:

• Only Inline deployment mode is supported.

• CLI and SNMP support is not available.

• This feature is supported only by the following appliances:

  • CloudBridge 600 with the 1 Mbps or 2 Mbps bandwidth license model.

  • CloudBridge 2000 with all bandwidth license models.

CloudBridge Plug-in for Microsoft Windows 8

The CloudBridge Plug-in is now supported by the Microsoft Windows 8 operating system (32-bit and 64-bit versions of Enterprise Edition).

Support for Microsoft Hyper-V 2012 Standard and Datacenter Edition

This release supports hosting of CloudBridge VPX appliances on the Hyper-V 2012 virtualization platform.

GUI Navigation Changes

For GUI navigation changes in this release, see GUI Navigation Changes.

CloudBridge Connector on CloudBridge 4000 and CloudBridge 5000 Appliances

Note: CloudBridge Connector is included as a Beta feature in this release.

The CloudBridge Connector feature of the Citrix CloudBridge appliance connects enterprise datacenters to external clouds and hosting environments, making the cloud a secure extension of the enterprise network. Cloud-hosted applications appear as though they are running on one contiguous enterprise network. With Citrix CloudBridge Connector, enterprises can augment their datacenters with the infinite capacity and elastic efficiency provided by cloud providers.

The primary purpose of the CloudBridge Connector is to enable enterprises to move their applications to the cloud while reducing costs and the risk of application failure. In addition, the CloudBridge Connector increases network security in cloud environments.

Also, the WAN optimization feature of the CloudBridge appliance accelerates traffic in the CloudBridge Connector, providing LAN-like performance for applications running across enterprise datacenters and clouds.

You can configure CloudBridge Connector between two datacenters or between a datacenter and a Cloud.

For more information on the use cases supported, see CloudBridge Connector.

GUI Navigation Changes

Many nodes that were at the top level of the previous interface are now sub-nodes. The following table shows their locations.

Table 1. Node Mapping Table

| Nodes in the previous version of GUI | Location of the nodes in the current GUI |
|---|---|
| Command Menu and sub-nodes | |
| Command Menu > Dashboard | Dashboard Tab |
| Command Menu > Features | Configuration Tab > Appliance Settings > Features |
| Command Menu > Quick Installation | No longer in the navigation menu, but the Quick Installation page is displayed when you log on the first time. |
| Command Menu > Logout | Moved to header section of the browser. |
| Monitoring and Sub nodes | |
| Monitoring > Citrix (ICA/CGP) | Monitoring > Optimization > Citrix (ICA/CGP) |
| Monitoring > Compression | Monitoring > Optimization > Compression |
| Monitoring > Connections | Monitoring > Optimization > Connections |
| Monitoring > Filesystem (CIFS/SMB) | Monitoring > Optimization > Filesystem (CIFS/SMB) |
| Monitoring > Logging | Monitoring > Appliance Performance > Logging |
| Monitoring > Outlook (MAPI) | Monitoring > Optimization > Outlook (MAPI) |
| Monitoring > Repeater Partners | Monitoring > Partners & Plug-ins > CloudBridge Partners |
| Monitoring > Repeater Plug-ins | Monitoring > Partners & Plug-ins > CloudBridge Plug-ins |
| Monitoring > Secure Partners | Monitoring > Partners & Plug-ins > Secure Partners |
| Monitoring > Usage Graph | Monitoring > Optimization > Usage Graph |
| Monitoring > WCCP | Monitoring > Appliance Performance > WCCP |
| Configuration node and sub nodes | |
| Configuration > Administrator Interface | Configuration > Appliance Settings > Administrator Interface |
| Configuration > Advanced Deployments | Configuration > Appliance Settings > Advanced Deployments |
| Configuration > Application Classifiers | Configuration > Optimization Rules > Application Classifiers |
| Configuration > Licensing | Configuration > Appliance Settings > Licensing |
| Configuration > Links | Configuration > Optimization Rules > Links |
| Configuration > Logging/Monitoring | Configuration > Appliance Settings > Logging/Monitoring |
| Configuration > Network Adapters | Configuration > Appliance Settings > Network Adapters |
| Configuration > Repeater Plug-ins | Configuration > Appliance Settings > CloudBridge Plug-ins |
| Configuration > Secure Partners | Configuration > SSL Settings > Secure Partners |
| Configuration > Service Classes | Configuration > Optimization Rules > Service Classes |
| Configuration > SSL Acceleration | Configuration > SSL Settings > SSL Acceleration |
| Configuration > SSL Encryption | Configuration > SSL Settings > Encryption |
| Configuration > Traffic Shaping Policies | Configuration > Optimization Rules > Traffic Shaping Policies |
| Configuration > Tuning | Configuration > Optimization Rules > Tuning |
| Configuration > Windows Domain | Configuration > Appliance Settings > Windows Domain |
| Reports node and sub-nodes | |
| Reports > Compression | Monitoring > Appliance Performance > Compression Engine |
| Reports > LAN vs WAN | Monitoring > Optimization > LAN vs WAN |
| Reports > Links Usage | Monitoring > Optimization > Links Usage |
| Reports > Service Classes | Monitoring > Optimization > Service Classes |
| Reports > Top Applications | Monitoring > Optimization > Top Applications |
| Reports > Traffic Shaping | Monitoring > Optimization > Traffic Shaping |
| System Maintenance node and sub-nodes | |
| System Maintenance > Backup/Restore | Configuration > System Maintenance > Backup/Restore |
| System Maintenance > Clear Statistics | Configuration > System Maintenance > Clear Statistics |
| System Maintenance > Date/Time | Configuration > System Maintenance > Date/Time Settings |
| System Maintenance > Diagnostics | Configuration > System Maintenance > Diagnostics |
| System Maintenance > Restart System | Configuration > System Maintenance > Restart System |
| System Maintenance > Update Software | Configuration > System Maintenance > Update Software |

Known Issues and Workarounds

The following issues have been identified in this release.

• Issue ID 0350780: The wsBandwidthLimit SNMP object query is not supported in the CloudBridge 4000 and CloudBridge 5000 appliances, regardless of the platform model and the number of instances provisioned on the platform.

Traffic is only accelerated to the licensed limit.

• Issue ID 0374104 (CloudBridge VPX): In a High Availability (HA) configuration of Windows Servers (2008 R2 or 2012), disk based compression stops functioning after a hypervisor (Windows Server) level HA operation.

• Issue ID 0379575 (CloudBridge 600 and CloudBridge 2000): On a CloudBridge appliance that has two pairs of accelerated ports, if an IP address is not assigned to an accelerated bridge interface, the network connected to that interface bypasses the video-caching engine.

Workaround: To make use of the video caching feature, assign IP addresses to both the bridge interfaces in the subnet from which the connections are initiated.

• Issue ID 0380911 (CloudBridge 2000): The video caching feature might not work properly on a CloudBridge 2000 appliance if the same IP address is assigned to more than one bridge adapter.

Workaround: Assign different IP addresses for the accelerated bridge interfaces (apA and apB).

• Issue ID 0382296 (CloudBridge 2000): When you log on to the CloudBridge GUI, the logon fails and a "Please login to continue" message appears.

Workaround: Close the browser, clear the browser cache, and log on again.

• Issue ID 0383207: In the Management Service of CloudBridge 2000 and CloudBridge 3000 appliances, interface speed settings are not supported if Auto Negotiation is set to OFF or Duplex is set to Half.

Workaround: Set Auto Negotiation to ON and change the speed setting to either 10, 100, or 1000 Mbps.

• Issue ID 0391924: If you use Internet Explorer 8 to configure CloudBridge, the user interface displays error messages.

Workaround: Upgrade to Internet Explorer 9 or later, or use a different browser, such as Chrome or Firefox.

• Issue ID 0392932: If a Windows 8 client opens a Microsoft Office (Word, Excel, or PowerPoint) file on a Windows Server 2008 R2 server and attempts a Save As operation, the attempt fails.

• Issue ID 0395559: The ICA diffserv code point (DSCP) marking on the CloudBridge 4000 and CloudBridge 5000 appliances does not work.

• Issue ID 0395813: HTTP videos do not benefit from video caching when watched on a Windows 8 mobile device.

• Issue ID 0396893: After an upgrade from release 6.2 to release 7.0, product-name changes introduced in the new release might not appear in your browser.

Workaround: Clear the browser cache and restart the browser.

• Issue ID 0397301: Video caching benefits are available only to clients in the same subnet as the CloudBridge appliance's apA or apB client-side interface.

• Issue ID 0398357: The Notifications tab displays an incorrect alert message. Instead of "Maximum number of concurrent video connections have been reached. New requests will not get caching benefit," the message should say "Maximum number of concurrent HTTP connections have been reached. New HTTP connections will not get caching benefit."

• Issue ID 0398794: After you upgrade the CloudBridge appliance from release 6.2.2 to 7.0.0, the user interface sometimes displays items incorrectly.

Workaround: Close the current browser session and log on through a new browser session.

• Issue ID 0400523: In the video-caching settings, changing the value for maximum caching object size has no effect.

Workaround: Restart the appliance.

• Issue IDs 0400799 and 0400800: CloudBridge 4000 and CloudBridge 5000 appliances do not allow you to add CloudBridge Accelerator instances.

Workaround: Add the CloudBridge Accelerator instances after performing the following steps:

1. Perform a factory reset on the appliance.

2. Apply the license.

3. Provision the instances.

4. Perform the software upgrade.

• Issue ID 0400903: When you upgrade a CloudBridge appliance from release 6.2.0.112 to 7.0.0.195 by using the Management Service, the upgrade process fails.

Workaround: Use CloudBridge Accelerator to upgrade the appliance.

• Issue ID 0400949: The SNMP query wsCompressionEffectiveBandwidht is not supported on the CloudBridge 4000 and CloudBridge 5000 appliances.

• Issue ID 0401141: The Microsoft Management Console of CloudBridge 700 appliance displays an error message when accessing the Diagnostic Trace.

• Issue ID 0409868 (CloudBridge 600 and CloudBridge 2000): If the CloudBridge appliance is placed in VLAN Trunk mode, all HTTP VLAN tagged traffic bypasses the video caching engine. Therefore, videos are not cached.

• Issue ID 0366937 (CloudBridge 4000 and 5000): HSRP is not supported in this release. Contact Citrix Support for specific deployment options.

• Issue IDs 0393547 and 0396617: If you configure a CloudBridge 4000 appliance in a high availability setup to use a 1 Gbps interface in L2 mode, traffic does not flow through the interface if the appliance becomes primary after a failover event.

Workaround: From the NetScaler command line, reset both the interfaces by entering the reset interface <Interface_ID> command.

Example: If 1/1 and 1/2 are the bridge pair, enter the commands reset interface 1/1 and reset interface 1/2.

• Issue ID 0173696 (Citrix CloudBridge VPX for XenServer): The XenServer distributed virtual switch controller feature is not compatible with Citrix CloudBridge VPX.

Workaround: The XenServer distributed virtual switch controller feature should not be configured or enabled when using Citrix CloudBridge VPX.

• Issue ID 0249221 (Citrix CloudBridge 4000 and 5000): Active FTP might not be accelerated on the appliance.

Workaround: Enable acceleration for "Unclassified TCP" to get acceleration benefits.

• Issue ID 0278599: Citrix CloudBridge 700 series appliance does not work in some spanning tree enabled deployments.

Workaround: Disable the spanning tree protocol on switches connected to the Citrix CloudBridge 700 series appliance.

• Issue ID 0309528: Uploading a CA certificate results in an error in an SDX Repeater Unified instance.

Workaround: Copy and paste the certificates instead of uploading them.

• Issue ID 0325685: After you upgrade or restart the Repeater Instances, one of the instances might not start.

Workaround: Start the instance from the SDX-UI.

• Issue ID 0336492 (Citrix CloudBridge VPX for Amazon): If a user defined DNS Server IP address is added as a Secondary DNS Server, the server fails to join the domain.

Workaround: Add the DNS Server IP address as the Primary DNS Server.

• Issue ID 0337044 (Citrix CloudBridge 4000 and 5000): If you restart the SDX appliance from the SVM, the loopback interface might not be available.

Workaround: Unplug the fiber loopback cable and plug it back in.

• Issue ID 0337421 (Citrix CloudBridge VPX for XenServer): When you run the SNMP get requests command for any Enterprise SNMP OID on Branch Repeater, it randomly returns the "SNMP No Such Object" message.

Workaround: Restart the Citrix CloudBridge VPX appliance.

• Issue ID 0342768: After a successful restore operation, the NetScaler and CloudBridge instances are not restored to the versions available in the backup.

• Issue ID 0347828: The management service on a Citrix CloudBridge 5000 series platform does not allow you to change the default loopback interface to 10/6.

Workaround: Use an interface other than 10/6 as the loopback interface.

• Issue ID 0348096: Repeater UI fails to synchronize configuration to CloudBridge instances after performing the CloudBridge-Replication task from SVM.

Workaround: Provision the CloudBridge instance by using the Service VM.

• Issue ID 0350207: If a Citrix CloudBridge VPX instance is deployed on XenServer 6.1.0, and the instance’s bridged interfaces are mapped to Broadcom BCM5722 NICs with firmware version 3.08, VLAN tagged traffic does not flow through the bridged interfaces.

• Issue ID 0350521 (Citrix CloudBridge VPX for Amazon): TCP traffic on the Citrix CloudBridge Connector VPX stops working if you disable traffic processing.

Workaround:

1. Check the state of the Citrix CloudBridge Connector VPX SNMP monitor by using the NetScaler CLI, and enable it if it is not enabled.

2. Navigate to Logging/Monitoring: SNMP in the Citrix CloudBridge Connector VPX configuration utility and do the following:

  • Click the Enable SNMP Authorization Failure Traps check box under System Information.

  • Enter the NetScaler IP address in the Management Station IP address field under Access Configuration.

• Issue ID 0354698: If the primary DNS server cannot resolve the Windows domain, the join operation throws a DNS_ERROR_BAD_PACKET error message.

• Issue ID 0355751 (Citrix CloudBridge VPX for Amazon): The Citrix CloudBridge VPX for Amazon fails to launch Outlook MAPI connections if the other TCP Traffic service-class policy is set to None.

Workaround: Set the other TCP Traffic service-class policy to Flow Control.

• Issue ID 0355978 (Citrix CloudBridge VPX for Amazon): Un-accelerating the TCP connections in Citrix CloudBridge VPX for Amazon.

The TCP connection establishment fails in Citrix CloudBridge VPX for Amazon if you set the corresponding service class policy to None.

Workaround:

• Citrix CloudBridge VPX for Amazon should always have service class policy for other TCP traffic set to Flow Control.

• Configure the following policy on the CloudBridge Connector to bypass the TCP connections. The following example bypasses the HTTP port 80 and CIFS port 445.

set lb vs BR_LB_VS_DYN_2 -listenpolicy client.tcp.dstport.eq(80).not&&client.tcp.dstport.eq(445).not

• Issue ID 0356746 (Citrix CloudBridge VPX for Amazon): Citrix CloudBridge VPX for Amazon does not forward ICMP packets. This results in the unaccelerated traffic getting blocked on the appliance.

• Issue ID 0364919 (CloudBridge 2000 and 3000): Use Internet Explorer, Chrome, or Firefox browsers for best results with the Citrix CloudBridge configuration utility. Safari browser is not supported in this release.

• Issue ID 0365409 (CloudBridge 2000 and 3000): The configurations of Repeater 8500 and Repeater 8800 series appliances cannot be restored to Citrix CloudBridge 2000 or Citrix CloudBridge 3000 appliances.

• Issue ID 0366888 (CloudBridge 2000 and 3000): The Refresh button on the Dashboard page of the Citrix CloudBridge configuration utility refreshes the graphs but not the values.

• Issue ID 0380447: Not all Branch Repeater instances are updated with domain information. Only a few instances are added to the domain.

Workaround: Attempt to join the domain again.

• Issue ID 0394705: When you update the virtual server (VIP) address from the GUI, the persistence rule is removed.

Workaround: Run the following commands on the NetScaler command line:

rm lb vserver BR_LB_VIP_SIG
add lb vserver BR_LB_VIP_SIG ANY <NS_SIG_IP> * -timeout 1440 -rule client.tcp.repeater_option.ip -Listenpolicy "SYS.VSERVER(\"BR_LB_VIP_SIG\").STATE.EQ(UP)&&CLIENT.TCP.REPEATER_OPTION.EXISTS" -cltTimeout 14400 -l2Conn ON
bind lb vserver BR_LB_VIP_SIG BR_LB_SVC_<1>
bind lb vserver BR_LB_VIP_SIG BR_LB_SVC_<2>
bind lb vserver BR_LB_VIP_SIG BR_LB_SVC_<3>
bind lb vserver BR_LB_VIP_SIG BR_LB_SVC_<4>
bind lb vserver BR_LB_VIP_SIG BR_LB_SVC_<5>
bind lb vserver BR_LB_VIP_SIG BR_LB_SVC_<6>
bind lb group BR_LB_GROUP BR_LB_VIP_SIG

• Issue ID 0396567: Independent Network Configuration [INC] mode is not supported between BR-SDX/CB-SDX (CloudBridge 4000/5000) appliances in an HA pair.

• Issue ID 0396705: Traffic sent from the NetScaler appliance to the router is not GRE encapsulated in the case of UDP inner fragmentation.

• Issue ID 0398262: The NetScaler appliance does not synchronize the configurations between HA partners if the appliances are on different builds of the same release.

Workaround: Disable synchronization before upgrade and complete the following procedure:

1. Disable HA Synchronization on the secondary appliance.

  • Navigate to Configuration > System > High Availability.

  • Clear the Secondary node will fetch the configuration from the primary checkbox.

  • Save the running configuration.

2. Upgrade the secondary appliance.

3. Upgrade the primary appliance.

4. The secondary appliance becomes the primary appliance.

5. Enable HA synchronization on the new primary appliance:

  • Navigate to Configuration > System > High Availability.

  • Select the Secondary node will fetch the configuration from the primary checkbox.

  • Save the running configuration.

• Issue ID 0398334: When the Management service is upgraded, SVM displays an error message even when the upgrade is successful.

Workaround: Ignore the error message and start a new session.

• Issue ID 0409603: CLI support is not provided for Citrix CloudBridge 4000 and 5000 Repeater Unified Instance (Repeater broker).

• Issue ID 0418151: Link-Down propagation is not supported on XenServer based CloudBridge 2000, 3000, 4000, or 5000 appliances.

Compatibility

The following table lists the supported products and platforms in release 7.0.

Table 1. Supported Products and Platforms

| Appliance Type | Supported? |
|---|---|
| Citrix CloudBridge 2000 and Citrix CloudBridge 3000 series | Yes |
| Citrix CloudBridge VPX for Amazon | Yes |
| Citrix CloudBridge 4000 and Citrix CloudBridge 5000 series | Yes* |
| Citrix CloudBridge VPX (all models) | Yes |
| Citrix CloudBridge 600 series | Yes |
| Citrix CloudBridge VPX for XenServer platforms | Yes |
| Citrix CloudBridge VPX for VMware ESX or ESXi platforms | Yes |
| Citrix CloudBridge VPX for Microsoft Hyper-V | Yes |
| Citrix CloudBridge 700 series | Yes |
| CloudBridge Plug-in | Yes |
| Repeater 8000 Series (New appliances): Units that list “SM85 Series 3” or “SM88 Series 3” on the “System Hardware” line of the “System Status” page | Yes |
| Repeater 8000 Series (Earlier appliances): Units that list “SM85 Series 2” or “SM88 Series 2” on the “System Hardware” line of the “System Status” page | No |
| Earlier Models | No |

*Citrix recommends that you contact Citrix technical support for more details before you upgrade your CloudBridge 4000 and CloudBridge 5000 appliances to this release.

The following table lists the version matrix of release 7.0.

Table 2. Version Matrix

| CloudBridge Versions | NetScaler Version | Management Service Version | XenServer Version | Supplemental Pack |
|---|---|---|---|---|
| 7.0 (CloudBridge 4000 and CloudBridge 5000) | 10.0-75.7007.e | 10.0-75.7007.e | 6.0 - 50762p | 1.2 |
| 7.0 (CloudBridge 2000 and CloudBridge 3000) | N/A | 10.0-75.7007.e | 6.0 - 50762p | 1.3 |

CloudBridge Plug-in

Compatible Operating Systems

The CloudBridge Plug-in is supported on desktop and laptop systems, but not on netbooks or thin clients. It is supported on the following operating systems:

• Windows 8 (32-bit and 64-bit versions of Enterprise Edition)

• Windows 7 (all 32-bit and 64-bit versions of Home Basic, Home Premium, Professional, Enterprise, and Ultimate)

• Windows Vista (all 32-bit versions of Home Basic, Home Premium, Business, Enterprise, and Ultimate)

• Windows XP Professional and Home edition

Hardware Requirements

The recommended hardware specifications for systems running CloudBridge Plug-in are:

• Pentium 4-class CPU

• 4 GB of RAM

• 2 GB of disk space

Minimum hardware requirements for CloudBridge Plug-in are:

• 1.5 GHz CPU

• 2 GB RAM

• 500 MB free disk space

CloudBridge Plug-in and Citrix Receiver

The CloudBridge Plug-in is supported by Citrix Receiver 3.0 and later, and can be distributed and managed by Citrix Receiver.

Features Table

Table 3. Features Table for Citrix CloudBridge 600, 700, 2000, and 3000 series appliances

| | Citrix CloudBridge 600 series | Citrix CloudBridge 700 series | Citrix CloudBridge 2000 series | Citrix CloudBridge 3000 series |
|---|---|---|---|---|
| Release 7.0 | Y | Y | Y | Y |
| Product Features | | | | |
| Video Caching | Y | N | Y | N |
| TCP Acceleration | Y | Y | Y | Y |
| Compression | Y | Y | Y | Y |
| Traffic Shaping | Y | Y | Y | Y |
| XenApp/XenDesktop Acceleration | Y | Y | Y | Y |
| Windows Filesystem Acceleration | Y | Y | Y | Y |
| SSL Acceleration | Y | Y | Y | Y |
| Windows Outlook Acceleration | Y | Y | Y | Y |
| CloudBridge Plug-In Support | N | N | Y | Y |
| Pay-As-You-Grow Support | Y | Y | Y | Y |
| Hardware Features | | | | |
| Network Bypass Card | Y | Y | Y | Y |
| 10 Gbps Interfaces | N | N | N | N |
| Fiber Support | N | N | N | Y |
| LCD Front Panel Interface Support | Y | Y | N | N |
| RS-232 Serial Interface Support | Y | Y | Y | Y |
| Support for Initial Config over Network | N | N | Y | Y |
| Modes | | | | |
| Inline | Y | Y | Y | Y |
| WCCP | Y | Y | Y | Y |
| Virtual Inline | Y | Y | Y | Y |
| Group Mode | Y | N | Y | Y |
| High Availability | Y | N/R* | Y | Y |
| VLANs | Y | N | Y | Y |

* = The accelerator portion of the product fails over seamlessly in high-availability mode, while the Windows Server portion does not.

N/R = Not Recommended

Table 4. Features Table for Citrix CloudBridge 4000 and 5000 series appliances, Citrix CloudBridge VPX, and Citrix CloudBridge VPX for Amazon

| | Citrix CloudBridge 4000 series | Citrix CloudBridge 5000 series | Citrix CloudBridge VPX | Citrix CloudBridge VPX for Amazon |
|---|---|---|---|---|
| Release 7.0 | Y* | Y* | Y | Y |
| Product Features | | | | |
| Video Caching | N | N | N | N |
| TCP Acceleration | Y | Y | Y | Y |
| Compression | Y | Y | Y | Y |
| Traffic Shaping | Y | Y | Y | N |
| XenApp/XenDesktop Acceleration | Y | Y | Y | Y |
| Windows Filesystem Acceleration | Y | Y | Y | Y |
| SSL Acceleration | Y | Y | Y | Y |
| Windows Outlook Acceleration | Y | Y | Y | Y |
| CloudBridge Plug-In Support | Y | Y | Y | N |
| Pay-As-You-Grow Support | Y | Y | Y | N |
| Hardware Features | | | | |
| Network Bypass Card | Y | Y | N | N |
| 10 Gbps Interfaces | Y | Y | ** | N |
| Fiber Support | Y | Y | ** | N |
| LCD Front Panel Interface Support | N | N | N | N |
| RS-232 Serial Interface Support | N | N | N | N |
| Support for Initial Config over Network | Y | Y | N | N |
| Modes | | | | |
| Inline | Y | Y | Y | Y**** |
| WCCP | Y | Y | Y | N |
| Virtual Inline | N/R | N/R | Y | N |
| Group Mode | N | N | N | N |
| High Availability | Y | Y | N | N |
| VLANs | Y | Y | Y/Y/N*** | N |

*Citrix recommends that you contact Citrix technical support for more details before you upgrade your CloudBridge 4000 and CloudBridge 5000 appliances to this release.

** = Depends on configuration of user-provided hardware.

*** = If shown as three values, support is for XenServer/VMware/Hyper-V, respectively. If shown as one value, this value applies to all three hypervisors.

**** = Refer to WAN Optimization for CloudBridge.

N/R = Not Recommended

Table 5. Features Table for Repeater appliances and CloudBridge Plug-in

| | Repeater 8820 | Repeater 8520, 8540 | CloudBridge Plug-In |
|---|---|---|---|
| Release 7.0 | Y | Y | Y |
| Product Features | | | |
| Video Caching | N | N | N |
| TCP Acceleration | Y | Y | Y |
| Compression | Y | Y | Y |
| Traffic Shaping | Y | Y | N |
| XenApp/XenDesktop Acceleration | Y | Y | Y |
| Windows Filesystem Acceleration | Y | Y | Y |
| SSL Acceleration | Y | Y | Y |
| Windows Outlook Acceleration | Y | Y | Y |
| CloudBridge Plug-In Support | Y | Y | Y |
| Pay-As-You-Grow Support | Y | Y | N |
| Hardware Features | | | |
| Network Bypass Card | Y | Y | N |
| 10 Gbps Interfaces | N | N | * |
| Fiber Support | Y | N | * |
| LCD Front Panel Interface Support | Y | Y | N |
| RS-232 Serial Interface Support | Y | Y | N |
| Support for Initial Config over Network | N | N | N |
| Modes | | | |
| Inline | Y | Y | N/A |
| WCCP | Y | Y | N/A |
| Virtual Inline | Y | Y | N/A |
| Group Mode | Y | Y | N/A |
| High Availability | Y | Y | N/A |
| VLANs | Y | Y | N/A |

* = Depends on configuration of user-provided hardware.

N/A = Not Applicable

Supported Citrix CloudBridge VPX Configurations

Release 7.0 is supported on Citrix CloudBridge VPX running on XenServer, VMware vSphere, and Microsoft Hyper-V hypervisors. See the following table for the versions of hypervisor that are supported.

Table 6. Hypervisors Compatible with Citrix CloudBridge VPX

| Hypervisor | Supported versions |
|---|---|
| Citrix XenServer | XenServer 6.1, XenServer 6.02/Hotfix602E007, XenServer 5.6.0 (but not 5.6 FP1 or 5.6 SP2), XenServer 5.5 |
| VMware vSphere | ESXi 5.1, ESXi 5.0, ESX/ESXi 4.1 |
| Microsoft Hyper-V | Hyper-V under Windows 2008 R2 SP1, Hyper-V 2012 Standard and Datacenter Edition |
| Citrix CloudBridge VPX for Amazon | Amazon Web Services (AWS) platform |

For instructions for changing the TSC emulation to maximize performance, see http://support.citrix.com/article/CTX136003.

Citrix CloudBridge VPX for Amazon


Citrix CloudBridge VPX for Amazon is available only in the m1.large configuration. This translates to 2 vCPUs and 7.5 GB RAM. The AMI is preconfigured with a 250 GB volume, which should not be resized. Citrix CloudBridge VPX for Amazon supports a single Elastic Network Interface (ENI) only.

Table 7. Production Configurations, Citrix CloudBridge VPX for Amazon

| Type | Max. WAN Speed* | Max. Accel. Conn. |
|---|---|---|
| 10 Mbps CloudBridge License | 5 mbps | 1,000 |
| 200 Mbps CloudBridge License | 45 mbps | 10,000 |

*The CloudBridge Connector License is enforced on the aggregate of ingress traffic on all the interfaces hosted on the CloudBridge Connector.

Table 8. Production Configurations, XenServer and VMware vSphere.

| Type | vCPUs | RAM | Disk |
|---|---|---|---|
| 2 GB production config. | 2 | 2 GB | 100 GB |
| 4 GB production config. | 2 | 4 GB | 250 GB |
| 4 GB production config. | 2 | 4 GB | 250 GB |
| 8 GB production config. | 4 | 8 GB | 500 GB |

Table 9. Other Configurations (not for production networks).

| Type | vCPUs | RAM | Disk |
|---|---|---|---|
| VPX Express | 2 | 1 GB | 60 GB |


Licensing, Upgrading, and Downgrading

Licensing

Release 7.0 supports both remote license servers and locally installed licenses. If you upgrade an existing system with a local license, it continues to work.

For licensing information for all Citrix CloudBridge platforms, see http://support.citrix.com/article/ctx131110.

Note: Licensing for Citrix CloudBridge VPX for Amazon uses the CloudBridge Connector license. It does not require a separate license.

Upgrading Existing Installations

Note: If you are using a standard evaluation license, you cannot upgrade to software versions that are newer than your license.

Citrix CloudBridge VPX

If you are upgrading from release 5.6, it is best to install a new virtual machine, rather than upgrading the existing virtual machine with the 6.2.0 release, because the resource requirements have changed. Release 6.0 and 6.2 virtual machines can be updated with the release 7.0 CloudBridge binary.

Repeater 8500, Repeater 8800, Citrix CloudBridge 600, and Citrix CloudBridge 700

Acquire the software from MyCitrix.

Installing the Update

Note: If you are upgrading from a pre-6.0 release (such as release 5.3), you must update to release 6.x first, then release 7.0. Also, if you are upgrading from a pre-6.0 release, acceleration will not take place until you install the new license from Citrix.

From the browser based user interface (http://appliance_ip_address), go to the System Maintenance > Update Software link, on the Configuration tab. In the Upgrade System Software table, use the Choose File button to select the patch file (the file you downloaded with FTP), and then click the Upload Patch button. (See the following figure.)


Figure 1. Update Software Page

The patch file is then copied to your appliance and tested for integrity. If you have downloaded a valid file, a “Restart Unit?” prompt appears. Click Yes.

The settings from your current release are copied to the new one, so your configuration is retained in the new release.

The process of installing the patch file continues during the restart, which might take several minutes longer than usual. This is normal.

The new release is now running on your appliance.

Note: If your appliance still uses the old default password, it is changed when you install this upgrade. The default password is now “password”.

Citrix CloudBridge 2000, CloudBridge 3000, CloudBridge 4000, and CloudBridge 5000

Updating the CloudBridge 2000, CloudBridge 3000, CloudBridge 4000, and CloudBridge 5000 appliances retains your previous configuration. The update process can require that you perform as many as five update operations:

1. Updating the service virtual machine (SVM).

2. Installing XenServer hotfixes.

3. Installing XenServer supplemental packs.

4. Updating the accelerator.

5. Updating the NetScaler instance (CloudBridge 4000 and CloudBridge 5000 only).

Release 7.0.0 requires that you update the previously installed SVM, accelerator, and (with CloudBridge 4000 and CloudBridge 5000) NetScaler instance. You may also need to install XenServer hotfixes and supplemental packs.

The versions of the SVM, XenServer hotfixes, and XenServer supplemental pack corresponding to release 7.0.0 are listed in the Compatibility section. The files can be downloaded from MyCitrix.

To upgrade to release 7.0, perform the following procedure:


1. Note that the System > Configuration menu refers to the Configuration menu in the CloudBridge 4000 and CloudBridge 5000 and the System > Configuration menu in the CloudBridge 2000 and CloudBridge 3000.

2. Update the SVM—On the System > Configuration > Management Service > Software Images tab, click Upload and select and upload the new SVM from the pop-up window.

3. On the System > Configuration page, click Upgrade Management Service. Select the SVM image you just uploaded and click OK. The SVM will be upgraded. The UI will become unresponsive during this process.

4. Once the new SVM is installed, the UI will become responsive again, and will take you to the login page. Log in. Go to the System > Configuration page and verify that the current version of the management service (SVM) matches the version you intended to install.

5. Update XenServer files—You may see a Version Incompatibility Detected warning. Click on Recommendations to see if any XenServer hotfixes or supplemental packs are recommended. If so, install them through the System > Management Service > XenServer Files page, using the Supplemental or Hotfixes tabs as needed. (Until you update the XenServer files, the recommendations may not list the current release. This is normal.)

6. Update the NetScaler image (CloudBridge 4000 and CloudBridge 5000 only)—On the Configuration > NetScaler > Software Images menu, click the Upload button and upload the new NetScaler image. This must be the image recommended for this CloudBridge release. Other NetScaler images are not supported.

7. Install the NetScaler image (CloudBridge 4000 and CloudBridge 5000 only)—On the Configuration > NetScaler page, click Upgrade and install the image you just uploaded. You must also select the management IP address from the list provided (this generally has only one entry).

8. Update the Accelerator—On the CB 4000/5000, navigate to Configuration > CloudBridge > Accelerator and click the IP address of the CloudBridge. This will take you to the accelerator UI. On the CB 2000/3000, navigate to the CloudBridge menu. On all appliances, continue to the System Maintenance > Update Software page.

9. Click Choose File and select the accelerator binary for the release. Click Upload Patch. The new release will be installed automatically. You will be asked to restart the appliance. Click OK.

10. Upgrade resources (CloudBridge 4000 and CloudBridge 5000 only)—When the updated accelerator is accessible again, navigate to System > Configuration and click Update Resources.

11. Verify update—The Version Incompatibility Detected warnings should now be gone. On the CloudBridge 2000 and CloudBridge 3000, the title bar at the top of the window should display the new version of the CloudBridge software. On the CloudBridge 4000 and CloudBridge 5000, the title bar should display the new version of the SVM. The update is complete.

Note: After the clock timer goes to zero, navigate to System > Configuration > CloudBridge > Instances and click on Rediscover.


Citrix CloudBridge 700 series

To upgrade a Citrix CloudBridge 700 appliance, see the Citrix Branch Repeater with Windows Server User's Guide, release 3.0, chapter 3.

Troubleshooting Installation Related Issues

The clockface showing the estimated update time is not always 100% accurate. If the installation ends with an error page displaying some kind of HTTP timeout error, wait a few minutes, and then attempt to connect to the unit’s browser based management interface normally. Doing so usually shows that the newly installed version is up and running.

Sometimes an update fails if it spans a large number of releases, such as a jump from release 4.x to 6.0. If this happens, installing an intermediate release first (for example, release 5.5) and upgrading in two steps usually works.

Contact Citrix Support with any installation issues.

Troubleshooting Installation Related Issues for Citrix CloudBridge VPX for Amazon

For information about troubleshooting installation related issues for Citrix CloudBridge VPX for Amazon, see WAN Optimization for CloudBridge.

Downgrading to an Earlier Release

Upgrading creates a new software installation; it does not remove the previous version of the software or the previous configuration settings. Therefore, an Appliance can be returned to any release that it has previously used.

You can revert to a previous version of the software by using the Downgrade Release feature, which is available on the System Maintenance: Update Software page. The downgrade returns the configuration to what it was for the older release at the time the upgrade was applied. Any configuration changes you made with the newer release are lost. If you upgrade again, the upgrade copies the older release’s settings into the newer release.

The software can be downgraded to previously installed versions only. Neither the Upgrade Software nor the Downgrade Release feature supports the installation of patch files with a lower version number than the current one, except for versions already resident on the unit.

Note: You cannot downgrade a CloudBridge 4000 or CloudBridge 5000 appliance to an earlier release.


Contacting Customer Support

To contact Citrix Support, call 1-800-4CITRIX or log on to MyCitrix at http://www.citrix.com.

You will be asked for your hardware serial number as part of the support process.

Detailed instructions for contacting support can be found at: http://citrix.com/site/resources/dynamic/sup2nd/Citrix_HWS_SerialNO.pdf.


Maintenance Release

This section describes the fixed issues and known issues provided in the maintenance releases of Citrix CloudBridge.

• Release 7.0.1


Release 7.0.1

CloudBridge release 7.0.1 is compatible with partner appliances running Branch Repeater release 5.5 or later, Branch Repeater with Windows Server release 2.0 or later, and CloudBridge release 6.2 or later. It can be used in a mixed environment that includes appliances running earlier releases.

Note: CloudBridge Connector is included as a Beta feature in this release.

Review the following sections:

• Bug Fixes

• Known Issues and Workarounds


Bug Fixes

The following bug fixes are available in this release.

• Issue ID 0346992: The SNMP MIB variable wsSystemLoad (1.3.6.1.4.1.3845.30.4.1.1.1.34.0) reports the same information that is on the Appliance Load page of the CloudBridge GUI.

• Issue ID 0350780: The wsBandwidthLimit SNMP object query is not supported in the CloudBridge 4000 and CloudBridge 5000 appliances, regardless of the platform model and the number of instances provisioned on the platform.

Traffic is only accelerated to the licensed limit.

• Issue IDs 0357687 and 0399546: With acceleration enabled, the appliance adds latency after a few hours of processing traffic.

• Issue ID 0382296 (CloudBridge 2000): When you log on to the CloudBridge GUI, the logon fails and a "Please login to continue" message appears.

• Issue ID 0382970 (CloudBridge 4000 and 5000): In certain conditions, the system load on a CloudBridge accelerator incorrectly increases up to 100%. As a result, other accelerators can become overloaded or connections not be properly load balanced to other accelerators. The load metric has been enhanced to reflect the correct load.

• Issue IDs 0392263 and 0397733: Processing of CloudBridge UDP packets that have a payload size of 1438 bytes or larger might fail.

• Issue ID 0392932: If a Windows 8 client opens a Microsoft Office (Word, Excel, or PowerPoint) file on a Windows Server 2008 R2 server and attempts a Save As operation, the attempt fails.

• Issue ID 0395559: The ICA diffserv code point (DSCP) marking on the CloudBridge 4000 and CloudBridge 5000 appliances does not work.

• Issue ID 0395813: HTTP videos do not benefit from video caching when watched on a Windows 8 mobile device.

• Issue ID 0397301: Video caching benefits are available only to clients in the same subnet as the CloudBridge appliance's apA or apB client-side interface.

• Issue ID 0398256: The Windows CloudBridge appliance's internal log erroneously records high latency.

• Issue ID 0398357: The Notifications tab displays an incorrect alert message. Instead of "Maximum number of concurrent video connections have been reached. New requests will not get caching benefit," the message should say "Maximum number of concurrent HTTP connections have been reached. New HTTP connections will not get caching benefit."


• Issue ID 0398935: A CIFS connection that is blacklisted causes the MAPI connection between the server and client to be unaccelerated.

• Issue ID 0400035: During provisioning of a CloudBridge 4000-310 appliance, the Get License link opens up an incorrect web page.

• Issue ID 0400523: In the video-caching settings, changing the value for maximum caching object size has no effect.

• Issue ID 0401922: The Repeater appliance fails to respond if invalid Windows credentials are presented more than 3 times after Windows reboots.

• Issue ID 0402507: Issues with connection establishment can result in the CloudBridge appliance failing to respond.

• Issue ID 0403535: In a standalone (not high availability) CloudBridge setup, Windows SNMP fails when an external SNMP manager tries to access the object identifier (1.3.6.1.4.1.3845.30.4.1.1.1.21.0) of the Windows unit.

• Issue ID 0404093: The CLI command remove service-class -all intermittently fails on a CloudBridge 4000 or CloudBridge 5000 appliance, which causes the custom task on the Command Center appliance to fail.

• Issue ID 0407050: NetApp share fails to access a directory or open a Microsoft Office (Word, Excel, or PowerPoint) file when CIFS acceleration is enabled.


Known Issues and Workarounds

The following issues have been identified in this release.

• Issue ID 0173696 (Citrix CloudBridge VPX for XenServer): The XenServer distributed virtual switch controller feature is not compatible with Citrix CloudBridge VPX.

Workaround: The XenServer distributed virtual switch controller feature should not be configured or enabled when using Citrix CloudBridge VPX.

• Issue ID 0249221 (Citrix CloudBridge 4000 and 5000): Active FTP might not be accelerated on the appliance.

Workaround: Enable acceleration for "Unclassified TCP" to get acceleration benefits.

• Issue ID 0278599: Citrix CloudBridge 700 series appliance does not work in some spanning tree enabled deployments.

Workaround: Disable the spanning tree protocol on switches connected to the Citrix CloudBridge 700 series appliance.

• Issue ID 0309528: Uploading a CA certificate results in an error in an SDX Repeater Unified instance.

Workaround: Copy and paste the certificates instead of uploading them.

• Issue ID 0336492 (Citrix CloudBridge VPX for Amazon): If a user defined DNS Server IP address is added as a Secondary DNS Server, the server fails to join the domain.

Workaround: Add the DNS Server IP address as the Primary DNS Server.

• Issue ID 0337044 (Citrix CloudBridge 4000 and 5000): If you restart the SDX appliance from the SVM, the loopback interface might not be available.

Workaround: Unplug the fiber loopback cable and plug it back in.

• Issue ID 0337421 (Citrix CloudBridge VPX for XenServer): When you run the SNMP get requests command for any Enterprise SNMP OID on Branch Repeater, it randomly returns the "SNMP No Such Object" message.

Workaround: Restart the Citrix CloudBridge VPX appliance.

• Issue ID 0342768 (CloudBridge 4000 and 5000): After a successful restore operation, the NetScaler and CloudBridge instances are not restored to the versions available in the backup.

• Issue ID 0347828: The management service on a Citrix CloudBridge 5000 series platform does not allow you to change the default loopback interface to 10/6.

Workaround: Use an interface other than 10/6 as the loopback interface.


• Issue ID 0348096 (CloudBridge 4000 and 5000): Repeater UI fails to synchronize configuration to CloudBridge instances after performing the CloudBridge-Replication task from SVM.

Workaround: Provision the CloudBridge instance by using the Service VM.

• Issue ID 0350207: If a Citrix CloudBridge VPX instance is deployed on XenServer 6.1.0, and the instance’s bridged interfaces are mapped to Broadcom BCM5722 NICs with firmware version 3.08, VLAN tagged traffic does not flow through the bridged interfaces.

• Issue ID 0350521 (Citrix CloudBridge VPX for Amazon): TCP traffic on the Citrix CloudBridge Connector VPX stops working if you disable traffic processing.

Workaround:

1. Check the state of the Citrix CloudBridge Connector VPX SNMP monitor by using the NetScaler CLI, and enable it if it is not enabled.

2. Navigate to Logging/Monitoring: SNMP in the Citrix CloudBridge Connector VPX configuration utility and do the following:

• Click the Enable SNMP Authorization Failure Traps check box under System Information.

• Enter the NetScaler IP address in the Management Station IP address field under Access Configuration.

• Issue ID 0354698: If the primary DNS server cannot resolve the Windows domain, the join operation throws a DNS_ERROR_BAD_PACKET error message.

• Issue ID 0355751 (Citrix CloudBridge VPX for Amazon): The Citrix CloudBridge VPX for Amazon fails to launch Outlook MAPI connections if the other TCP Traffic service-class policy is set to None.

Workaround: Set the other TCP Traffic service-class policy to Flow Control.

• Issue ID 0355978 (Citrix CloudBridge VPX for Amazon): Un-accelerating the TCP connections in Citrix CloudBridge VPX for Amazon.

The TCP connection establishment fails in Citrix CloudBridge VPX for Amazon if you set the corresponding service class policy to None.

Workaround:

• Citrix CloudBridge VPX for Amazon should always have service class policy for other TCP traffic set to Flow Control.

• Configure the following policy on the CloudBridge Connector to bypass the TCP connections. The following example bypasses the HTTP port 80 and CIFS port 445.

set lb vs BR_LB_VS_DYN_2 -listenpolicy client.tcp.dstport.eq(80).not&&client.tcp.dstport.eq(445).not

• Issue ID 0356746 (Citrix CloudBridge VPX for Amazon): Citrix CloudBridge VPX for Amazon does not forward ICMP packets. This results in the unaccelerated traffic getting blocked on the appliance.


• Issue ID 0364919 (CloudBridge 2000 and 3000): Use Internet Explorer, Chrome, or Firefox browsers for best results with the Citrix CloudBridge configuration utility. Safari browser is not supported in this release.

• Issue ID 0365409 (CloudBridge 2000 and 3000): The configurations of Repeater 8500 and Repeater 8800 series appliances cannot be restored to Citrix CloudBridge 2000 or Citrix CloudBridge 3000 appliances.

• Issue ID 0366888 (CloudBridge 2000 and 3000): The Refresh button on the Dashboard page of the Citrix CloudBridge configuration utility refreshes the graphs but not the values.

• Issue ID 0366937 (CloudBridge 4000 and 5000): HSRP is not supported in this release. Contact Citrix Support for specific deployment options.

• Issue ID 0374104 (CloudBridge VPX): In a High Availability (HA) configuration of Windows Servers (2008 R2 or 2012), disk based compression stops functioning after a hypervisor (Windows Server) level HA operation.

• Issue ID 0378418: Signed SMB2 connections with NetApp servers get blocked.

Workaround: Exclude NetApp servers from CIFS acceleration if the connections are signed.

• Issue ID 0379575 (CloudBridge 600 and CloudBridge 2000): On a CloudBridge appliance that has two pairs of accelerated ports, if an IP address is not assigned to an accelerated bridge interface, the network connected to that interface bypasses the video-caching engine.

Workaround: To make use of the video caching feature, assign IP addresses to both the bridge interfaces in the subnet, from where the connections are initiated.

• Issue ID 0380447 (CloudBridge 4000 and 5000): Not all Branch Repeater instances are updated with domain information. Only a few instances are added to the domain.

Workaround: Attempt to join the domain again.

• Issue ID 0380911 (CloudBridge 2000): The video caching feature might not work properly on a CloudBridge 2000 appliance if the same IP address is assigned to more than one bridge adapter.

Workaround: Assign different IP addresses for the accelerated bridge interfaces (apA and apB).

• Issue ID 0383207: In the Management Service of CloudBridge 2000 and CloudBridge 3000 appliances, interface speed settings are not supported if Auto Negotiation is set to OFF or Duplex is set to Half.

Workaround: Set Auto Negotiation to ON and change the speed setting to either 10, 100, or 1000 Mbps.

• Issue ID 0391924: If you use Internet Explorer 8 to configure CloudBridge, the user interface displays error messages.

Workaround: Upgrade to Internet Explorer 9 or later, or use a different browser, such as Chrome or Firefox.


• Issue IDs 0393547 and 0396617 (CloudBridge 4000 and 5000): If you configure a CloudBridge 4000 appliance in a high availability setup to use a 1 Gbps interface in L2 mode, traffic does not flow through the interface if the appliance becomes primary after a failover event.

Workaround: From the NetScaler command line, reset both the interfaces by entering the reset interface <Interface_ID> command.

Example: If 1/1 and 1/2 are the bridge pair, enter the commands, reset interface 1/1 and reset interface 1/2.

• Issue ID 0394705 (CloudBridge 4000 and 5000): When you update the virtual server (VIP) address from the GUI, the persistence rule is removed.

Workaround: Run the following commands on NetScaler command line:

rm lb vserver BR_LB_VIP_SIG
add lb vserver BR_LB_VIP_SIG ANY <NS_SIG_IP> * -timeout 1440 -rule client.tcp.repeater_option.ip -Listenpolicy "SYS.VSERVER(\"BR_LB_VIP_SIG\").STATE.EQ(UP)&&CLIENT.TCP.REPEATER_OPTION.EXISTS" -cltTimeout 14400 -l2Conn ON
bind lb vserver BR_LB_VIP_SIG BR_LB_SVC_<1>
bind lb vserver BR_LB_VIP_SIG BR_LB_SVC_<2>
bind lb vserver BR_LB_VIP_SIG BR_LB_SVC_<3>
bind lb vserver BR_LB_VIP_SIG BR_LB_SVC_<4>
bind lb vserver BR_LB_VIP_SIG BR_LB_SVC_<5>
bind lb vserver BR_LB_VIP_SIG BR_LB_SVC_<6>
bind lb group BR_LB_GROUP BR_LB_VIP_SIG

• Issue ID 0396567: Independent Network Configuration [INC] mode is not supported between BR-SDX/CB-SDX (CloudBridge 4000/5000) appliances in an HA pair.

• Issue ID 0396705 (CloudBridge 4000 and 5000): Traffic sent from the NetScaler appliance to the router is not GRE encapsulated in the case of UDP inner fragmentation.

• Issue ID 0396893: After an upgrade from release 6.2 to release 7.0, product-name changes introduced in the new release might not appear in your browser.

Workaround: Clear the browser cache and restart the browser.

• Issue ID 0398262 (CloudBridge 4000 and 5000): The NetScaler appliance does not synchronize the configurations between HA partners if the appliances are on different builds of the same release.

Workaround: Disable synchronization before upgrade and complete the following procedure:

1. Disable HA Synchronization on the secondary appliance.

• Navigate to Configuration > System > High Availability.

• Clear the Secondary node will fetch the configuration from the primary check box.

• Save the running configuration.

2. Upgrade the secondary appliance.

3. Upgrade the primary appliance.


4. The secondary appliance becomes the primary appliance.

5. Enable HA synchronization on the new primary appliance:

• Navigate to Configuration > System > High Availability.

• Select the Secondary node will fetch the configuration from the primary check box.

• Save the running configuration.

• Issue ID 0398334 (CloudBridge 4000 and 5000): When the Management service is upgraded, SVM displays an error message even when the upgrade is successful.

Workaround: Ignore the error message and start a new session.

• Issue ID 0398794: After you upgrade the CloudBridge appliance from release 6.2.2 to 7.0.0, the user interface sometimes displays items incorrectly.

Workaround: Close the current browser session and log on through a new browser session.

• Issue IDs 0400799 and 0400800: CloudBridge 4000 and CloudBridge 5000 appliances do not allow you to add CloudBridge Accelerator instances.

Workaround: Add the CloudBridge Accelerator instances after performing the following steps:

1. Perform a factory reset on the appliance.

2. Apply the license.

3. Provision the instances.

4. Perform the software upgrade.

• Issue ID 0400903: When you upgrade a CloudBridge appliance from release 6.2.0.112 to 7.0.0.195 by using the Management Service, the upgrade process fails.

Workaround: Use CloudBridge Accelerator to upgrade the appliance.

• Issue ID 0400949: The SNMP query wsCompressionEffectiveBandwidht is not supported on the CloudBridge 4000 and CloudBridge 5000 appliances.

• Issue ID 0401007 (CloudBridge 4000 and 5000): Data-path traffic traversing through the management interface might cause looping.

Workaround: Add an ACL to bridge data traffic on the management interface.

• Issue ID 0401141: The Microsoft Management Console of CloudBridge 700 appliance displays an error message when accessing the Diagnostic Trace.

• Issue ID 0403190: In a CloudBridge 4000/5000 high availability setup, when the primary appliance fails, rerouting traffic through the new primary appliance takes up to 300 seconds.

• Issue ID 0408394: Restoring the system backup settings of a CloudBridge 2000/3000 appliance to another CloudBridge 2000/3000 appliance results in an error if the passwords for the two appliances are different.

Workaround: Before you restore the settings of your appliance, change one appliance's password to match the other.

• Issue ID 0409224: Video Caching graphs are unavailable after you upgrade your CloudBridge appliance from release 7.0.0 to release 7.0.1.

Workaround: Do the following:

1. In the CloudBridge configuration utility, navigate to Configuration > Appliance Settings > Features.

2. Disable video caching.

3. Enable video caching.

Note: The process of enabling video caching takes about 90 seconds to complete. You can monitor YouTube stream data in the Monitoring > Video Caching page.

• Issue ID 0409603: CLI support is not provided for Citrix CloudBridge 4000 and 5000 Repeater Unified Instance (Repeater broker).

• Issue ID 0409868 (CloudBridge 600 and CloudBridge 2000): If the CloudBridge appliance is placed on a VLAN Trunk mode, all HTTP VLAN tagged traffic bypasses the video caching engine. Therefore, videos are not cached.

• Issue ID 0410323 (CloudBridge 4000 and 5000): Modifying the hostnames of CloudBridge accelerators and CloudBridge instances results in an error.

• Issue ID 0410437: After you provision a CloudBridge 4000-310 appliance, the following error message appears:

Error in retrieving Subnet IPAddress. Could not retrieve IPaddress <Netscaler IP address>

• Issue ID 0410878: After restoring a CloudBridge 4000 or CloudBridge 5000 appliance with the backup file, backing up CloudBridge accelerators through the management service fails.

• Issue ID 0418151: Link-Down propagation is not supported on XenServer based CloudBridge 2000, 3000, 4000, or 5000 appliances.

Compatibility

The following table lists the supported products and platforms in release 7.0.1.

Table 1. Supported Products and Platforms

| Appliance Type | Supported? |
|---|---|
| Citrix CloudBridge 2000 and Citrix CloudBridge 3000 series | Yes |
| Citrix CloudBridge VPX for Amazon | Yes |
| Citrix CloudBridge 4000 and Citrix CloudBridge 5000 series | Yes* |
| Citrix CloudBridge VPX (all models) | Yes |
| Citrix CloudBridge 600 series | Yes |
| Citrix CloudBridge VPX for XenServer platforms | Yes |
| Citrix CloudBridge VPX for VMware ESX or ESXi platforms | Yes |
| Citrix CloudBridge VPX for Microsoft Hyper-V | Yes |
| Citrix CloudBridge 700 series | Yes |
| CloudBridge Plug-in | Yes |
| Repeater 8000 Series (New appliances): Units that list “SM85 Series 3” or “SM88 Series 3” on the “System Hardware” line of the “System Status” page | Yes |
| Repeater 8000 Series (Earlier appliances): Units that list “SM85 Series 2” or “SM88 Series 2” on the “System Hardware” line of the “System Status” page | No |
| Earlier Models | No |

*Citrix recommends that you contact Citrix technical support for more details before you upgrade your CloudBridge 4000 and CloudBridge 5000 appliances to this release.

The following table lists the version matrix of release 7.0.

Table 2. Version Matrix

| CloudBridge Versions | NetScaler Version | Management Service Version | XenServer Version | Supplemental Pack |
|---|---|---|---|---|
| 7.0 (CloudBridge 4000 and CloudBridge 5000) | 10.0-75.7007.e | 10.0-75.7007.e | 6.0 - 50762p | 1.2 |
| 7.0 (CloudBridge 2000 and CloudBridge 3000) | N/A | 10.0-75.7007.e | 6.0 - 50762p | 1.3 |

CloudBridge Plug-in

Compatible Operating Systems

The CloudBridge Plug-in is supported on desktop and laptop systems, but not on netbooks or thin clients. It is supported on the following operating systems:

• Windows 8 (32-bit and 64-bit versions of Enterprise Edition)

• Windows 7 (all 32-bit and 64-bit versions of Home Basic, Home Premium, Professional, Enterprise, and Ultimate)

• Windows Vista (all 32-bit versions of Home Basic, Home Premium, Business, Enterprise, and Ultimate)

• Windows XP Professional and Home edition

Hardware Requirements

The recommended hardware specifications for systems running CloudBridge Plug-in are:

• Pentium 4-class CPU

• 4 GB of RAM

• 2 GB of disk space

Minimum hardware requirements for CloudBridge Plug-in are:

• 1.5 GHz CPU

• 2 GB RAM

• 500 MB free disk space

CloudBridge Plug-in and Citrix Receiver

The CloudBridge Plug-in is supported by Citrix Receiver 3.0 and later, and can be distributed and managed by Citrix Receiver.

Features Table

Table 3. Features Table for Citrix CloudBridge 600, 700, 2000, and 3000 series appliances

|   | Citrix CloudBridge 600 series | Citrix CloudBridge 700 series | Citrix CloudBridge 2000 series | Citrix CloudBridge 3000 series |
|---|---|---|---|---|
| Release 7.0.1 | Y | Y | Y | Y |
| Product Features | | | | |
| Video Caching | Y | N | Y | N |
| TCP Acceleration | Y | Y | Y | Y |
| Compression | Y | Y | Y | Y |
| Traffic Shaping | Y | Y | Y | Y |
| XenApp/XenDesktop Acceleration | Y | Y | Y | Y |
| Windows Filesystem Acceleration | Y | Y | Y | Y |
| SSL Acceleration | Y | Y | Y | Y |
| Windows Outlook Acceleration | Y | Y | Y | Y |
| CloudBridge Plug-In Support | N | N | Y | Y |
| Pay-As-You-Grow Support | Y | Y | Y | Y |
| Hardware Features | | | | |
| Network Bypass Card | Y | Y | Y | Y |
| 10 Gbps Interfaces | N | N | N | N |
| Fiber Support | N | N | N | Y |
| LCD Front Panel Interface Support | Y | Y | N | N |
| RS-232 Serial Interface Support | Y | Y | Y | Y |
| Support for Initial Config over Network | N | N | Y | Y |
| Modes | | | | |
| Inline | Y | Y | Y | Y |
| WCCP | Y | Y | Y | Y |
| Virtual Inline | Y | Y | Y | Y |
| Group Mode | Y | N | Y | Y |
| High Availability | Y | N/R* | Y | Y |
| VLANs | Y | N | Y | Y |

* = The accelerator portion of the product fails over seamlessly in high-availability mode, while the Windows Server portion does not.

N/R = Not Recommended

Table 4. Features Table for Citrix CloudBridge 4000 and 5000 series appliances, Citrix CloudBridge VPX, and Citrix CloudBridge VPX for Amazon

|   | Citrix CloudBridge 4000 series | Citrix CloudBridge 5000 series | Citrix CloudBridge VPX | Citrix CloudBridge VPX for Amazon |
|---|---|---|---|---|
| Release 7.0.1 | Y* | Y* | Y | Y |
| Product Features | | | | |
| Video Caching | N | N | N | N |
| TCP Acceleration | Y | Y | Y | Y |
| Compression | Y | Y | Y | Y |
| Traffic Shaping | Y | Y | Y | N |
| XenApp/XenDesktop Acceleration | Y | Y | Y | Y |
| Windows Filesystem Acceleration | Y | Y | Y | Y |
| SSL Acceleration | Y | Y | Y | Y |
| Windows Outlook Acceleration | Y | Y | Y | Y |
| CloudBridge Plug-In Support | Y | Y | Y | N |
| Pay-As-You-Grow Support | Y | Y | Y | N |
| Hardware Features | | | | |
| Network Bypass Card | Y | Y | N | N |
| 10 Gbps Interfaces | Y | Y | ** | N |
| Fiber Support | Y | Y | ** | N |
| LCD Front Panel Interface Support | N | N | N | N |
| RS-232 Serial Interface Support | N | N | N | N |
| Support for Initial Config over Network | Y | Y | N | N |
| Modes | | | | |
| Inline | Y | Y | Y | Y**** |
| WCCP | Y | Y | Y | N |
| Virtual Inline | N/R | N/R | Y | N |
| Group Mode | N | N | N | N |
| High Availability | Y | Y | N | N |
| VLANs | Y | Y | Y/Y/N*** | N |

*Citrix recommends that you contact Citrix technical support for more details before you upgrade your CloudBridge 4000 and CloudBridge 5000 appliances to this release.

** = Depends on configuration of user-provided hardware.

*** = If shown as three values, support is for XenServer/VMware/Hyper-V, respectively. If shown as one value, this value applies to all three hypervisors.

**** = Refer to WAN Optimization for CloudBridge.

N/R = Not Recommended

Table 5. Features Table for Repeater appliances and CloudBridge Plug-in

|   | Repeater 8820 | Repeater 8520, 8540 | CloudBridge Plug-In |
|---|---|---|---|
| Release 7.0.1 | Y | Y | Y |
| Product Features | | | |
| Video Caching | N | N | N |
| TCP Acceleration | Y | Y | Y |
| Compression | Y | Y | Y |
| Traffic Shaping | Y | Y | N |
| XenApp/XenDesktop Acceleration | Y | Y | Y |
| Windows Filesystem Acceleration | Y | Y | Y |
| SSL Acceleration | Y | Y | Y |
| Windows Outlook Acceleration | Y | Y | Y |
| CloudBridge Plug-In Support | Y | Y | Y |
| Pay-As-You-Grow Support | Y | Y | N |
| Hardware Features | | | |
| Network Bypass Card | Y | Y | N |
| 10 Gbps Interfaces | N | N | * |
| Fiber Support | Y | N | * |
| LCD Front Panel Interface Support | Y | Y | N |
| RS-232 Serial Interface Support | Y | Y | N |
| Support for Initial Config over Network | N | N | N |
| Modes | | | |
| Inline | Y | Y | N/A |
| WCCP | Y | Y | N/A |
| Virtual Inline | Y | Y | N/A |
| Group Mode | Y | Y | N/A |
| High Availability | Y | Y | N/A |
| VLANs | Y | Y | N/A |

* = Depends on configuration of user-provided hardware.

N/A = Not Applicable

Supported Citrix CloudBridge VPX Configurations

Release 7.0.x is supported on Citrix CloudBridge VPX running on XenServer, VMware vSphere, and Microsoft-Hyper-V hypervisors. See the following table for the versions of hypervisor that are supported.

Table 6. Hypervisors Compatible with Citrix CloudBridge VPX

| Hypervisor or platform | Supported versions |
|---|---|
| Citrix XenServer | XenServer 6.1, XenServer 6.02/Hotfix602E007, XenServer 5.6.0 (but not 5.6 FP1 or 5.6 SP2), XenServer 5.5 |
| VMware vSphere | ESXi 5.1, ESXi 5.0, ESX/ESXi 4.1 |
| Microsoft Hyper-V | Hyper-V under Windows 2008 R2 SP1, Hyper-V 2012 Standard and Datacenter Edition |
| Citrix CloudBridge VPX for Amazon | Amazon Web Services (AWS) platform |

For instructions for changing the TSC emulation to maximize performance, see http://support.citrix.com/article/CTX136003.

Citrix CloudBridge VPX for Amazon

Citrix CloudBridge VPX for Amazon is available only in the m1.large configuration. This translates to 2 vCPUs and 7.5 GB RAM. The AMI is preconfigured with a 250 GB volume, which should not be resized. Citrix CloudBridge VPX for Amazon supports a single Elastic Network Interface (ENI) only.

Table 7. Production Configurations, Citrix CloudBridge VPX for Amazon

| Type | Max. WAN Speed* | Max. Accel. Conn. |
|---|---|---|
| 10 Mbps CloudBridge License | 5 Mbps | 1,000 |
| 200 Mbps CloudBridge License | 45 Mbps | 10,000 |

*The CloudBridge Connector License is enforced on the aggregate of ingress traffic on all the interfaces hosted on the CloudBridge Connector.

Table 8. Production Configurations, XenServer and VMware vSphere.

| Type | vCPUs | RAM | Disk |
|---|---|---|---|
| 2 GB production config. | 2 | 2 GB | 100 GB |
| 4 GB production config. | 2 | 4 GB | 250 GB |
| 4 GB production config. | 2 | 4 GB | 250 GB |
| 8 GB production config. | 4 | 8 GB | 500 GB |

Table 9. Other Configurations (not for production networks).

| Type | vCPUs | RAM | Disk |
|---|---|---|---|
| VPX Express | 2 | 1 GB | 60 GB |

Licensing, Upgrading, and Downgrading

Licensing

Release 7.0.x supports both remote license servers and locally installed licenses. If you upgrade an existing system with a local license, it continues to work.

For licensing information for all Citrix CloudBridge platforms, see http://support.citrix.com/article/ctx131110.

Note: Licensing for Citrix CloudBridge VPX for Amazon uses the CloudBridge Connector license. It does not require a separate license.

Upgrading Existing Installations

Note: If you are using a standard evaluation license, you cannot upgrade to software versions that are newer than your license.

Citrix CloudBridge VPX

If you are upgrading from release 5.6, it is best to install a new virtual machine, rather than upgrading the existing virtual machine with the 6.2.0 release, because the resource requirements have changed. Release 6.0 and 6.2 virtual machines can be updated with the release 7.0 CloudBridge binary.

Repeater 8500, Repeater 8800, Citrix CloudBridge 600, and Citrix CloudBridge 700

Acquire the software from MyCitrix.

Installing the Update

Note: If you are upgrading from a pre-6.0 release (such as release 5.3), you must update to release 6.x first, then release 7.0. Also, if you are upgrading from a pre-6.0 release, acceleration will not take place until you install the new license from Citrix.

From the browser based user interface (http://appliance_ip_address), go to the System Maintenance > Update Software link, on the Configuration tab. In the Upgrade System Software table, use the Choose File button to select the patch file (the file you downloaded with FTP), and then click the Upload Patch button. (See the following figure.)

Figure 1. Update Software Page

The patch file is then copied to your appliance and tested for integrity. If you have downloaded a valid file, a “Restart Unit?” prompt appears. Click Yes.

The settings from your current release are copied to the new one, so your configuration is retained in the new release.

The process of installing the patch file continues during the restart, which might take several minutes longer than usual. This is normal.

The new release is now running on your appliance.

Note: If your appliance still uses the old default password, it is changed when you install this upgrade. The default password is now “password”.

Citrix CloudBridge 2000, CloudBridge 3000, CloudBridge 4000, and CloudBridge 5000

Updating the CloudBridge 2000, CloudBridge 3000, CloudBridge 4000, and CloudBridge 5000 appliances retains your previous configuration. The update process can require that you perform as many as five update operations:

1. Updating the service virtual machine (SVM).

2. Installing XenServer hotfixes.

3. Installing XenServer supplemental packs.

4. Updating the accelerator.

5. Updating the NetScaler instance (CloudBridge 4000 and CloudBridge 5000 only).

Release 7.0.x requires that you update the previously installed SVM, accelerator, and (with CloudBridge 4000 and CloudBridge 5000) NetScaler instance. You may also need to install XenServer hotfixes and supplemental packs.

The versions of the SVM, XenServer hotfixes, and XenServer supplemental pack corresponding to release 7.0.0 are listed in the Compatibility section. The files can be downloaded from MyCitrix.

To upgrade to release 7.0, perform the following procedure:

1. Note that the System > Configuration menu refers to the Configuration menu in the CloudBridge 4000 and CloudBridge 5000 and the System > Configuration menu in the CloudBridge 2000 and CloudBridge 3000.

2. Update the SVM—On the System > Configuration > Management Service > Software Images tab, click Upload and select and upload the new SVM from the pop-up window.

3. On the System > Configuration page, click Upgrade Management Service. Select the SVM image you just uploaded and click OK. The SVM will be upgraded. The UI will become unresponsive during this process.

4. Once the new SVM is installed, the UI will become responsive again, and will take you to the login page. Log in. Go to the System > Configuration page and verify that the current version of the management service (SVM) matches the version you intended to install.

5. Update XenServer files—You may see a Version Incompatibility Detected warning. Click on Recommendations to see if any XenServer hotfixes or supplemental packs are recommended. If so, install them through the System > Management Service > XenServer Files page, using the Supplemental or Hotfixes tabs as needed. (Until you update the XenServer files, the recommendations may not list the current release. This is normal.)

6. Update the NetScaler image (CloudBridge 4000 and CloudBridge 5000 only)—On the Configuration > NetScaler > Software Images menu, click the Upload button and upload the new NetScaler image. This must be the image recommended for this CloudBridge release. Other NetScaler images are not supported.

7. Install the NetScaler image (CloudBridge 4000 and CloudBridge 5000 only)—On the Configuration > NetScaler page, click Upgrade and install the image you just uploaded. You must also select the management IP address from the list provided (this generally has only one entry).

8. Update the Accelerator—On the CB 4000/5000, navigate to Configuration > CloudBridge > Accelerator and click the IP address of the CloudBridge. This will take you to the accelerator UI. On the CB 2000/3000, navigate to the CloudBridge menu. On all appliances, continue to the System Maintenance > Update Software page.

9. Click Choose File and select the accelerator binary for the release. Click Upload Patch. The new release will be installed automatically. You will be asked to restart the appliance. Click OK.

10. Upgrade resources (CloudBridge 4000 and CloudBridge 5000 only)—When the updated accelerator is accessible again, navigate to System > Configuration and click Update Resources.

11. Verify update—The Version Incompatibility Detected warnings should now be gone. On the CloudBridge 2000 and CloudBridge 3000, the title bar at the top of the window should display the new version of the CloudBridge software. On the CloudBridge 4000 and CloudBridge 5000, the title bar should display the new version of the SVM. The update is complete.

Note: After the clock timer goes to zero, navigate to System > Configuration > CloudBridge > Instances and click on Rediscover.

Citrix CloudBridge 700 series

To upgrade a Citrix CloudBridge 700 appliance, see the Citrix Branch Repeater with Windows Server User's Guide, release 3.0, chapter 3.

Troubleshooting Installation Related Issues

The clockface showing the estimated update time is not always 100% accurate. If the installation ends with an error page displaying some kind of HTTP timeout error, wait a few minutes, and then attempt to connect to the unit’s browser based management interface normally. Doing so usually shows that the newly installed version is up and running.

Sometimes an update fails if it spans a large number of releases, such as a jump from release 4.x to 6.0. If this happens, installing an intermediate release first (for example, release 5.5) and upgrading in two steps usually works.

Contact Citrix Support with any installation issues.

Troubleshooting Installation Related Issues for Citrix CloudBridge VPX for Amazon

For information about troubleshooting installation related issues for Citrix CloudBridge VPX for Amazon, see WAN Optimization for CloudBridge.

Downgrading to an Earlier Release

Upgrading creates a new software installation; it does not remove the previous version of the software or the previous configuration settings. Therefore, an appliance can be returned to any release that it has previously used.

You can revert to a previous version of the software by using the Downgrade Release feature, which is available on the System Maintenance: Update Software page. The downgrade returns the configuration to what it was for the older release at the time the upgrade was applied. Any configuration changes you made with the newer release are lost. If you upgrade again, the upgrade copies the older release’s settings into the newer release.

The software can be downgraded to previously installed versions only. Neither the Upgrade Software nor the Downgrade Release feature supports the installation of patch files with a lower version number than the current one, except for versions already resident on the unit.

Note: You cannot downgrade a CloudBridge 4000 or CloudBridge 5000 appliance to an earlier release.

Contacting Customer Support

To contact Citrix Support, call 1-800-4CITRIX or log on to MyCitrix at http://www.citrix.com.

You will be asked for your hardware serial number as part of the support process.

Detailed instructions for contacting support can be found at: http://citrix.com/site/resources/dynamic/sup2nd/Citrix_HWS_SerialNO.pdf.

Introduction to the CloudBridge Product Family

The Citrix CloudBridge family of wide-area network (WAN) accelerators applies an array of optimizations to give your users the kind of speed and responsiveness normally associated with local-area networks (LANs). Compression enables faster completion of all types of transactions. Traffic-shaping favors important traffic over less critical traffic. Application and protocol optimizations correct deficiencies that are unnoticeable on a LAN but cause serious slowdowns on WANs.

Most installations are simple and can be performed in about twenty minutes, even in branch offices with no IT personnel. CloudBridge also provides many advanced features for use in more complex or demanding environments.

Note: The term CloudBridge refers to the entire family of CloudBridge products. This family includes Repeater appliances, which are designed for use in data centers. It also includes the CloudBridge appliance, which is designed for use in branch offices. Unless stated otherwise, this documentation uses the term CloudBridge in the inclusive sense, to refer to either a Repeater appliance or a CloudBridge appliance.

CloudBridge Features and Benefits

Any time workers spend waiting for their computers to respond is lost time, resulting in lost productivity. When users work remotely, their productivity depends on the responsiveness of their network connections. Safeguarding the responsiveness of their connections requires advanced network acceleration.

The Citrix CloudBridge product line protects your productivity by providing reliable WAN and Internet link performance through a set of multiple, interlocking optimizations, each reinforcing the others. To provide maximum productivity across your entire enterprise, there are CloudBridge products for every need, from the largest data center through the smallest branch office and even the individual laptop.

CloudBridge provides robust usability even with undersized or degraded links.

| Feature | Benefit |
|---|---|
| Compression | Higher effective link speed, greater transfer rates, better interactive performance. |
| Lossless Flow Control | Greater transfer rates, fine-grained traffic shaping, better interactive performance. |
| TCP Optimizations | Superior performance on congested links. |
| Application Optimizations | Optimal performance for XenApp/XenDesktop, Windows filesystem (CIFS, SMB), Outlook/Exchange (MAPI), and other applications. |
| XenApp/XenDesktop Optimizations | All of the above provide the ideal XenApp/XenDesktop user experience. |
| 20-Minute Installation | Easy deployment makes it practical to install CloudBridge throughout your organization. |

How CloudBridge Works

CloudBridge products work in pairs, one at each end of a link, to accelerate traffic over the link. The transformations done by the sender are reversed by the receiver. However, one appliance (or virtual appliance) can handle many links, so you do not have to dedicate a pair to each connection. A company with numerous branch offices might have multiple appliances at a central data center, but most commonly only one appliance at each branch office.

A link to a site that does not have a CloudBridge functions normally, but the link is not accelerated.

CloudBridge features include robust compression for brisk performance over relatively slow links, and lossless flow control to deal with congestion. TCP optimizations overcome the main limitations of problematic links, and application optimization does away with the limitations of applications designed for high-speed, local networks. An autodetection feature makes deployment quick and easy.

Compression Overcomes Low Link Speeds

The most obvious problem with wide-area network (WAN) links and Internet links is their low bandwidth compared to local-area networks (LANs). A 1 Mbps WAN has only 1% of the throughput of a 100 Mbps LAN. How do you overcome low link bandwidth? With compression. A compression ratio of 100:1 enables a 1 Mbps link to transfer data as quickly as a 100 Mbps link does without compression. This speedup factor is achieved whenever the following criteria are met:

• The compression algorithm must be able to deliver high compression ratios.

• The compression algorithm must be very fast (much faster than the link bandwidth, and ideally as fast as the LAN).

• The LAN segments of the link must have flow control that is independent of the WAN segment, because the different segments handle data at different rates.

Multiple compression engines must be used to handle the different needs of different kinds of traffic. Interactive traffic requires relatively little bandwidth but is very sensitive to delay, while bulk-transfers are very sensitive to bandwidth but are insensitive to delay.

How Compression Works: A compression algorithm scans the data to be compressed, searching for strings of data that match strings that have been sent before. If no such matches are found, the actual data is sent. If a match is found, the matching data is replaced with a pointer to the previous instance. In a very large matching string, megabytes or gigabytes of data can be represented by a pointer containing only a few bytes, and only those few bytes need be sent over the link.

Compression engines are limited by the size of their compression history. Traditional compression algorithms, such as LZS and ZLIB, use compression histories of 64 KB or less. CloudBridge appliances maintain at least 100 GB of compression history. With more than a million times the compression history of traditional algorithms, the CloudBridge algorithm finds more matches and longer matches, resulting in superior compression ratios.

The speed of different compression engines varies widely. The CloudBridge compression algorithm is very fast, so that even the entry-level appliances can saturate a 100 Mbps LAN with the throughput of the compressor. The highest-performance models can deliver well over 1 Gbps of throughput.

Compression performance is robust in the face of data changes. Where, with caching, changing a single byte of a file or other object invalidates the entire copy in the cache, compression has no such limitation. Changing a single byte in the middle of a file just creates two large matches separated by a single byte of nonmatching data, and the transfer time is only slightly greater than before. Compression ratio degrades gracefully with the amount of change. If you download a file, change 1% of it, and upload it again, expect a 99:1 compression ratio on the upload.

Another advantage of a large compression history is that precompressed data compresses easily with CloudBridge. A JPEG image, for example, is highly compressed, leaving little possibility for compression the first time it is sent over the link. But whenever it is sent again, it is reduced to just a handful of bytes, even if it is sent by different protocols on different occasions, such as by FTP the first time and HTTP the next, or by different users.
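The behaviour described in the paragraphs above (an incompressible object that shrinks to a single pointer when resent, and a one-byte edit that yields two large matches around one literal byte) can be reproduced with a toy history-based compressor. This is an added illustration, not CloudBridge's algorithm or Citrix code; the 32-byte index block, the 9-byte pointer cost, the 5-byte literal header and the random payload standing in for precompressed data are all assumptions.

```python
import os

BLOCK = 32     # bytes looked up in the history index to find a match (toy value)
REF_COST = 9   # assumed wire cost of a pointer: 1 tag + 4 offset + 4 length
LIT_HDR = 5    # assumed wire cost of a literal header: 1 tag + 4 length


class Endpoint:
    """One end of the link. Sender and receiver keep identical histories."""

    def __init__(self):
        self.history = bytearray()
        self.index = {}  # BLOCK-byte chunk -> offset of its first occurrence

    def _remember(self, data):
        start = len(self.history)
        self.history += data
        # Index BLOCK-aligned chunks only; compress() slides byte by byte instead.
        first = start - start % BLOCK
        for off in range(first, len(self.history) - BLOCK + 1, BLOCK):
            self.index.setdefault(bytes(self.history[off:off + BLOCK]), off)

    def compress(self, data):
        """Replace runs already in the history with ("ref", offset, length)."""
        data = bytes(data)
        hist, tokens, lit, i, n = self.history, [], bytearray(), 0, len(data)
        while i < n:
            off = self.index.get(data[i:i + BLOCK]) if i + BLOCK <= n else None
            if off is None:
                lit.append(data[i])          # no match here: send the actual byte
                i += 1
                continue
            # Grow the match backwards over bytes already queued as literals.
            while lit and off > 0 and hist[off - 1] == lit[-1]:
                lit.pop()
                off -= 1
                i -= 1
            # Grow the match forwards as far as history and payload agree.
            length = 0
            while (i + length < n and off + length < len(hist)
                   and hist[off + length] == data[i + length]):
                length += 1
            if lit:
                tokens.append(("lit", bytes(lit)))
                lit.clear()
            tokens.append(("ref", off, length))
            i += length
        if lit:
            tokens.append(("lit", bytes(lit)))
        self._remember(data)
        return tokens

    def decompress(self, tokens):
        """Rebuild the payload from literals and pointers into our own history."""
        out = bytearray()
        for tok in tokens:
            if tok[0] == "lit":
                out += tok[1]
            else:
                out += self.history[tok[1]:tok[1] + tok[2]]
        self._remember(out)
        return bytes(out)


def wire_size(tokens):
    """Bytes that would cross the link under the assumed token costs."""
    return sum(REF_COST if t[0] == "ref" else LIT_HDR + len(t[1]) for t in tokens)


def demo():
    sender, receiver = Endpoint(), Endpoint()
    original = os.urandom(200_000)      # constructed stand-in for precompressed data
    edited = bytearray(original)
    edited[100_000] ^= 0xFF             # change one byte in the middle
    results = {}
    for name, payload in (("first send", original), ("resend", original),
                          ("one byte edited", bytes(edited))):
        tokens = sender.compress(payload)
        assert receiver.decompress(tokens) == payload   # histories stay in sync
        results[name] = (wire_size(tokens), [t[0] for t in tokens])
    return results


if __name__ == "__main__":
    for name, (size, kinds) in demo().items():
        print(f"{name:16} {size:>7} bytes on the wire  tokens={kinds}")
```

Because the pointers only have meaning against the receiver's copy of the history, both ends must record every payload in the same order, which is why the products work in pairs.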

In practice, compression performance depends on how much of the data traversing the link is data that has previously traversed the link. The amount varies from application to application, from day to day, and even from moment to moment. When looking at a list of active accelerated connections, you will see ratios anywhere from 1:1 to 10,000:1.

Many connections showing poor compression performance do so because they are encrypted. Encrypted traffic is normally uncompressible, but even encrypted connections can be compressed when the CloudBridge participates in the encryption, which it does automatically with XenApp and XenDesktop, and after manual configuration with SSL, Windows file system (CIFS/SMB), and Outlook/Exchange (MAPI) traffic.

To serve the different needs of different kinds of traffic, CloudBridge uses not one but five compression engines, so the needs of everything from the most massive bulk transfer to the most latency-sensitive interactive traffic can be accommodated with ease. The compression engine is matched dynamically to the changing needs of individual connections. This auto-optimization means that the compression engine requires no configuration.

Lossless Flow Control Overcomes Congestion

Any attempt to send traffic faster than the link speed results in congestion. The TCP/IP protocol has no flow control to slow senders down directly, and the absence of this necessary control mechanism makes packet losses and excessive queuing delays normal, even on mission-critical links. (If anything, this problem is getting worse over time, as papers on the phenomenon of "bufferbloat" attest.)

A CloudBridge appliance solves this problem by providing the flow control that was omitted from the TCP/IP protocol. Unlike ordinary quality of service (QoS) solutions, CloudBridge provides lossless flow control that controls the rate at which the senders deliver data, instead of allowing senders to deliver data at any speed they like. Each sender delivers only as much data as CloudBridge allows it to send, and this data is placed on the link at exactly the right rate to keep the link full but not overflowing. By eliminating excess data, CloudBridge is not forced to discard it. Without CloudBridge, the dropped packets would have to be sent again, causing delay. Lossless flow control also eliminates delays caused by excessive buffering. Lossless flow control is the key to maximum responsiveness on a busy link, enabling a link that was once congested to the point of unusability at 50% utilization to remain responsive at 100% utilization.

TCP Optimizations Overcome Troubled Links

Some links continue to have high latency or packet losses in spite of lossless flow control, including satellite links and links that have been over-subscribed by service providers. The consequences are excessive delays and difficulty in getting the bandwidth that you are paying for.

CloudBridge optimizations, including the use of speculative retransmissions, minimize the effects of dropped packets. CloudBridge also offers a mode called hardboost, which provides excellent performance in the face of high delays and packet losses, especially on point-to-point links.

Application Optimizations Overcome Design Limitations

Applications and protocols designed for use on local-area networks are notorious for poor performance over wide-area networks, because the designers did not consider the effects of long speed-of-light delays on their protocols. For example, a simple Windows filesystem (CIFS) operation can take up to 50 round trips as messages pass back and forth across the network. On a local-area network with sub-millisecond response times, the delay might not be noticed, but in a wide-area network with a 100 ms round-trip time, 50 round trips cause a delay of five seconds.

Although speed-of-light delays are a fundamental limitation, application optimizations can perform the same operations in a smaller number of round-trips, usually through speculative operations. Where the original application would issue one command at a time and wait for it to complete before issuing the next one, it is often perfectly safe to issue a series of commands without waiting. In addition, data transfers can be accelerated through a combination of pre-fetching, read-ahead, and write-behind operations. By packing as many operations as possible into a single round trip, performance can be increased tenfold or more.

CloudBridge's optimizations are especially effective on CIFS, the Windows file system.

Multiple Optimizations Enhance XenApp/XenDesktop Performance

Because CloudBridge appliances are Citrix products, they are especially effective at accelerating Citrix protocols, such as XenApp and XenDesktop. Every aspect of CloudBridge acceleration comes into play with these protocols to make the remote user experience as productive as possible.

CloudBridge appliances negotiate session options with XenApp and XenDesktop servers. This allows the CloudBridge appliance to apply the following enhancements:

• It replaces the server's native compression with higher-performance CloudBridge compression.

• It bases the connection's traffic-shaping priority on the priority bits embedded in every XenApp and XenDesktop connection. This allows the priority of the connection to vary according to the type of traffic. For example, interactive tasks are high-priority tasks and print jobs are low-priority tasks.

• It gathers and reports statistics based on the XenApp or XenDesktop applications being used.

• It maintains the end-to-end encryption of the original connection.

Autodetection Simplifies Deployment

Because the CloudBridge solution is double-ended, with optimizations requiring that a CloudBridge product be present at both ends of the link, deployment would seem to impose a burden on remote offices, especially ones without dedicated IT staff. However, CloudBridge is designed to be very easy to install and maintain. A typical installation takes about twenty minutes. The only parameters needed are the usual network parameters (such as IP address and subnet mask), the address of a Citrix license server, and the send and receive speed of the link.

Requiring only a minimal level of configuration is possible because of autodetection, through which a CloudBridge determines which connections can be accelerated (and which cannot), without any manual configuration. A CloudBridge at the other end of the link is automatically detected, and the connection is then accelerated. You can add CloudBridges to your network in an ad hoc fashion and do not even have to inform the existing appliances of the arrival of a new one. They discover it for themselves.

A CloudBridge uses TCP header options to report its presence and to negotiate acceleration parameters with the remote CloudBridge. Because TCP header options are part of the TCP standard, this method works very well, except in cases where firewalls are programmed to reject all but the most common options. Such firewalls exist, but they can be configured to allow the options used by CloudBridge to pass through.

CloudBridge performs its operations transparently to both the sender and receiver. Theother devices in your network are not aware that CloudBridge exists, and continue workingjust as they did before CloudBridge was installed. This transparency also eliminates anyneed to install special software on your servers or clients to benefit from CloudBridgeacceleration. Everything works transparently.


Product line

The products in the CloudBridge product line have different capabilities in terms of the amount of bandwidth and the numbers of users they can support. The different products also have different hardware features.

Capabilities

The following table compares the capabilities of the different CloudBridge products.

Table 1. CloudBridge Capabilities by Product

| Product | Use | Bandwidth Range | # XenApp/XenDesktop Users | # CloudBridge Plug-in Users | Size | RAID Disk Support? |
|---|---|---|---|---|---|---|
| CloudBridge | Branch Offices | 2-10 Mbps | 10-100 | 0 | 1U | No |
| CloudBridge 700 series | Branch Offices | 2-10 Mbps | 10-100 | 0 | 1U | No |
| Repeater 8500 Series | Datacenters and Regional Headquarters | 10-45 Mbps | 100-250 | 250-750 | 1U | Yes |
| Repeater 8800 | Datacenters and Regional Headquarters | 45-155 Mbps | 500 | 1,000 | 2U | Yes |
| CloudBridge 4000/5000 | Large Datacenters | 500-2,000 Mbps | 1,200-5,000 | 1,800-4,800 | 2U | Yes |
| CloudBridge VPX | Virtual CloudBridge Appliance | 0.5-45 Mbps | | | N/A | No |
| CloudBridge Plug-in | Windows Laptops and Workstations | N/A | 1 | 1 | N/A | No |

Hardware Features

The following table compares the hardware features of the different CloudBridge products.

Table 2. CloudBridge Hardware Features by Product

| Product | Bypass Card | Dual Accelerated Bridges | Dual Power Supplies | 10 Gbps Support |
|---|---|---|---|---|
| CloudBridge | Optional | No | No | No |
| CloudBridge 700 series | Optional | No | No | No |
| Repeater 8500 Series | Yes | Optional | No | No |
| Repeater 8800 | Yes | Optional | Yes | No |
| CloudBridge 4000/5000 | Yes | No | Yes | Yes |
| CloudBridge VPX | No | No | N/A | No |
| CloudBridge Plug-in | No | No | N/A | No |

Product Selection and Deployment

Deploying CloudBridge appliances successfully is not difficult, but improper deployments can cause problems and provide inadequate acceleration. Be sure to select appliances with sufficient capacity for the links that you want them to accelerate. Product selection is also one of the factors to consider when deciding how best to fit the appliances into your topology.

The most basic deployment criteria are:

• All packets in the TCP connection must pass through a supported combination of two acceleration units (CloudBridge appliances or Plug-ins).

• Traffic must pass through the two acceleration units in both directions.

When these criteria are met, acceleration is automatic.

Figure 1. Acceleration Enhances Performance when Traffic Passes through Two Appliances

For sites with only one WAN network, these criteria can be met by placing the CloudBridge appliance inline with the WAN. In more complex sites, other options are available. Some, such as WCCP support, are available on all models. Others are available on certain models only. Therefore, the needs of a more complex site might limit your choice of appliances.

When evaluating your options, consider the importance of keeping various segments of your network up and running in the event that a device fails or has to be disabled. For inline deployments, Citrix recommends an Ethernet bypass card. This card, which is standard equipment on all 8800 and 8500 Series Repeater appliances and optional on CloudBridge appliances, has a relay that closes if the appliance fails, allowing packets to pass through even if power is lost or removed.

Redundancy is a consideration for all types of deployments. CloudBridge appliances offer different types of redundancy:

• The Repeater 8800 Series and CloudBridge 4000/5000 appliances have dual power supplies.

• The Repeater 8800 and 8500 Series and CloudBridge 4000/5000 appliances have redundant disk drives.

• Appliances can be used in high-availability mode (two redundant appliances with automatic failover). This mode is supported on all models.

Product Selection by Capacity

Two capacities are important when selecting a CloudBridge appliance: link capacity (bandwidth) and disk capacity. For proper operation, your appliance must be able to support the WAN links it is accelerating, and for maximum performance, your appliance must have an amount of disk-based compression history suitable for the amount of traffic over your link.

Link Capacity

When selecting a CloudBridge appliance, the most important factor is that it support your WAN links. If your site has a single WAN link, your appliance should support your link speed. For example, a CloudBridge can support links of up to 10 Mbps, which would be suitable for an 8 Mbps link but not a 12 Mbps link. If your site has multiple links that are to be accelerated by a single appliance, the appliance should support the total speed of all these WAN links added together.

The maximum supported speed is determined by a combination of the appliance hardware and the product license. The licensed bandwidth limit is the maximum link speed that is supported by the license, and the maximum link speed determines the maximum WAN speed.

Table 1. Licensed Bandwidth Limits by Product Line

| Product | Licensed Bandwidth Limit Range |
|---|---|
| CloudBridge Plug-in | N/A |
| CloudBridge 700 series, CloudBridge 700 series | 1-10 Mbps |
| CloudBridge VPX | 1-45 Mbps |
| Repeater 8500 Series | 5-45 Mbps |
| Repeater 8800 Series | 45-500 Mbps |
| CloudBridge 4000/5000 | 310-2,000 Mbps |

Disk Size

Disk space is used mostly for compression history, and more disk space results in greater compression performance.

The CloudBridge 700 series offers more disk capacity than the other appliances: between 1.5 TB and 4 TB for CloudBridge 4000/5000, roughly 600 GB for the Repeater 8800, and 200 GB for the Repeater 8500, CloudBridge, and CloudBridge 700 series. CloudBridge VPX has a disk capacity of 100-500 GB. Ideally, an appliance should have disk space equal to at least several days of WAN traffic. (A 1 Mbps link can transfer about 10 GB per day at full speed.)

Table 2. Examples of Data Lifetime for Disk Sizes

| Appliance Model | Link Speed: 1 Mbps | Link Speed: 10 Mbps | Link Speed: 100 Mbps |
|---|---|---|---|
| Data lifetime at 33% link utilization | | | |
| Repeater 8800 | 180 days | 18 days | 43 hours |
| Repeater 8500 | 60 days | 6 days | 14 hours |
| Data lifetime at 100% link utilization | | | |
| Repeater 8800 | 60 days | 6 days | 14 hours |
| Repeater 8500 | 20 days | 2 days | 5 hours |

Product and Mode Selection by Datacenter Topology

The appliance can be placed in line with your WAN link. The appliance uses two bridged Ethernet ports for inline mode. Packets enter one Ethernet port and exit through the other. This mode puts the appliance between your WAN router and your LAN. For the rest of the network, it is as if the appliance were not there at all. Its operation is completely transparent.

Inline mode has the following advantages over the other deployment modes:

• Maximum performance.

• Very easy configuration, using only the Quick Installation page.

• No reconfiguration of your other network equipment.

Other modes (WCCP, virtual inline, redirector) are less convenient to set up, generally requiring that you reconfigure your router, and they have somewhat lower performance.

A basic deployment consideration is whether your site has a single WAN router or multiple WAN routers. You also have to think about which features can be used in which modes. A requirement to support VPNs affects the placement of the appliance in your network.

Access Gateway appliances support CloudBridge TCP optimizations, enabling accelerated VPN connections when CloudBridge appliances are deployed with Access Gateway.

Overview of Deployment Modes

The appliance can be deployed in the following modes:

Forwarding Modes

• Inline mode—Highest-performance, most transparent mode. Data flows in on one accelerated Ethernet port and out on the other. Requires no router reconfiguration of any kind.

• Inline with dual bridges—Same as inline, but with two independent accelerated bridges.

• WCCP mode—Recommended when inline mode is not practical. Supported by most routers. Requires only three lines of router configuration. To use WCCP mode on a Cisco router, the router should be running at least IOS version 12.0(11)S or 12.1(3)T. (WCCP stands for Web Cache Communications Protocol, but the protocol was greatly expanded with version 2.0 to support a wide variety of network devices.)

• Virtual Inline mode—Similar to WCCP mode. Uses policy based routing. Generally requires a dedicated LAN port on the router. Not recommended on units without an Ethernet bypass card. To use virtual inline mode on a Cisco router, the router should be running IOS version 12.3(4)T or later.

• Group mode—Used with two or more inline appliances, one per link, within a site. Recommended only when multiple bridges, WCCP, and virtual inline modes are all impractical.

• High-availability mode—Transparently combines two inline or virtual inline appliances into a primary/secondary pair. The primary appliance handles all the traffic. If it fails, the secondary appliance takes over. Requires no router configuration. Requires an appliance with an Ethernet bypass card.

• Transparent Mode—The recommended mode for communication with the CloudBridge Plug-in. In transparent mode, the Plug-in initiates connections in essentially the same way as the CloudBridge appliance, keeping the original IP address and port number of the connection and adding CloudBridge options to the TCP/IP headers of selected packets. By contrast, in redirector mode (not recommended), the Plug-in alters the destination IP and port numbers of the packets to match the signaling IP (and port) of the appliance.

• Redirector mode (not recommended)—Used by the CloudBridge Plug-in to forward traffic to the appliance. Can be used as a stand-alone mode or combined with one of the other deployments. Requires no router configuration.

Acceleration Modes

• Softboost mode—A high-performance TCP variant that is recommended for most links. Although it provides less performance than hardboost mode, it works with any deployment. Acts like normal TCP, but faster.

• Hardboost mode—A highly aggressive, bandwidth-limited TCP variant useful for high-speed links, intercontinental links, satellite links, and other fixed-speed links for which achieving full link speed is difficult. Recommended for fixed-speed, point-to-point links where traffic shaping is not required.

Sites with One WAN Router

For a site with only one WAN router, the main issue in deployment is to allow the CloudBridge appliance to work in harmony with the router. The following figure shows the recommended deployment modes for a single router. Compare it to your router cabling to find the best mode for your environment.

Figure 1. Recommended Deployment Modes, Based on WAN Router Topology

Comments about the recommended deployment modes:

1. Single LAN, Single WAN: Inline mode. The router has a single active LAN interface and a single active WAN interface. The recommended mode for this case is inline mode, which provides the simplest installation, the most features, and the highest performance of any mode.

2. Single LAN, Redundant WANs: Inline mode. Inline mode is best for this configuration as well.

3. Single LAN, Multiple WANs: Inline or WCCP. This topology falls into two categories: hub-and-spoke or multihop. In a hub-and-spoke deployment, connections are mostly between a spoke site and the hub site. In a multihop deployment, many connections are between two spoke sites, with the data passing through the hub site. A single multihop connection can thus involve as many as three appliances, depending on the details of where the hub site's appliance is positioned in the traffic flow.

For proper traffic shaping in multihop deployments, all WAN traffic on the hub site's WAN router must also pass through the appliance, instead of being passed by the router directly between WAN interfaces. In this case, WCCP is the preferred mode. If the deployment is hub-and-spoke, with most traffic terminating on the hub site, an inline deployment is preferable.

4. Dual LANs, single WAN: Inline (with dual bridges) or WCCP. This mode is supported by dual accelerated bridges, WCCP mode, or virtual inline mode.

5. Multiple LANs, multiple WANs: Inline (dual bridges) or WCCP. This is similar to Case C, but complicated by the presence of multiple LAN interfaces as well as multiple WANs. WCCP can always be used here. In the two-LAN case, an appliance with dual bridges can also be used in inline mode.

Table 1. Options Supported for Each Router Topology

Appliances WITH Ethernet Bypass Cards

| Config. | Mode | Softboost | Hardboost | Group Mode | High Availability |
|---|---|---|---|---|---|
| A. | Inline | Yes | Yes | Yes | Yes |
| B. | WCCP | Yes | No | Yes | Yes |
| C1. | WCCP | Yes | No | No | Yes |
| C2. | Inline | Yes | No | Yes | Yes |
| D. | WCCP | Yes | No | No | Yes |
| D2. | Inline, Dual Bridges | Yes | No | No | Yes |
| E. | WCCP | Yes | No | No | Yes |
| E2. | Inline, Dual Bridges | Yes | No | No | Yes |

Appliances WITHOUT Ethernet Bypass Cards

| Config. | Mode | Softboost | Hardboost | Group Mode | High Availability |
|---|---|---|---|---|---|
| A. | Inline | Yes | Yes | No | No |
| B. | WCCP | Yes | No | No | No |
| C1. | WCCP | Yes | No | No | No |
| C2. | Inline | Yes | No | No | No |
| D. | WCCP | Yes | No | No | No |
| D2. | Inline, Dual Bridges | No | No | No | No |
| E. | WCCP | Yes | No | No | No |
| E2. | Inline, Dual Bridges | No | No | No | No |

Sites with Multiple WAN Routers

More than one WAN router at the same site raises the possibility of asymmetric routing. Normally, IP networks are not affected by what path the packets take, so long as they arrive at their destination. However, the appliance relies on seeing every packet in the connection. "End-around" packets are not acceptable.

In a site with only one WAN router, asymmetric routing is not a problem, because the appliance can be placed in the path between the router and the rest of the site, so that traffic into or out of the router also passes through the appliance. But with two WAN routers, asymmetric routing can become an issue.

Asymmetric routing problems can appear during installation or later, as a result of failover to a secondary link, or other forms of dynamic routing and load balancing. The following figure shows example sites that might suffer from asymmetric routing. If sites C and D always use the direct path, C-D or D-C, when sending traffic to each other, everything is fine. However, packets that take the longer path, C-E-D or D-E-C, bypass the appliances, causing new connections to be unaccelerated and existing connections to hang.

Figure 1. Asymmetric Routing
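One way to check a site for the asymmetry described above, as an added example that is not Citrix code: group packets captured at the appliance's position by connection and report connections seen in only one direction. The packet records, addresses, and the `min_packets` threshold are constructed for illustration; the "new"/"established" label is a heuristic based on whether a SYN was seen.

```python
from collections import defaultdict
from typing import NamedTuple


class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "A", "PA"


def conn_key(p):
    """Direction-independent key: both directions of a connection map to it."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def find_one_way_connections(packets, min_packets=3):
    """Return (sender, receiver, packet_count, state) for every connection
    where the capture point saw traffic in one direction only.

    state is "new" when a SYN was seen (the connection would run
    unaccelerated) and "established" otherwise (the connection would hang).
    """
    per_conn = defaultdict(lambda: defaultdict(list))
    for p in packets:
        per_conn[conn_key(p)][(p.src, p.sport)].append(p.flags)

    findings = []
    for key, directions in per_conn.items():
        if len(directions) != 1:
            continue  # both directions observed: symmetric at this point
        sender, flags = next(iter(directions.items()))
        if len(flags) < min_packets:
            continue  # too few packets to call it asymmetric
        receiver = key[1] if key[0] == sender else key[0]
        state = "new" if any("S" in f for f in flags) else "established"
        findings.append((sender, receiver, len(flags), state))
    return sorted(findings)


# Constructed sample capture (documentation address ranges).
SAMPLE_PACKETS = [
    # Symmetric connection: both directions pass the capture point.
    Pkt("192.0.2.10", 50000, "198.51.100.20", 1494, "S"),
    Pkt("198.51.100.20", 1494, "192.0.2.10", 50000, "SA"),
    Pkt("192.0.2.10", 50000, "198.51.100.20", 1494, "A"),
    Pkt("192.0.2.10", 50000, "198.51.100.20", 1494, "PA"),
    # New connection whose replies return over another path.
    Pkt("192.0.2.11", 50001, "198.51.100.20", 445, "S"),
    Pkt("192.0.2.11", 50001, "198.51.100.20", 445, "A"),
    Pkt("192.0.2.11", 50001, "198.51.100.20", 445, "PA"),
    Pkt("192.0.2.11", 50001, "198.51.100.20", 445, "PA"),
    # Existing connection: only the server-to-client direction is visible.
    Pkt("198.51.100.21", 443, "192.0.2.12", 50002, "PA"),
    Pkt("198.51.100.21", 443, "192.0.2.12", 50002, "PA"),
    Pkt("198.51.100.21", 443, "192.0.2.12", 50002, "PA"),
    # Single stray packet: below the threshold, not reported.
    Pkt("192.0.2.13", 50003, "198.51.100.22", 80, "A"),
]

if __name__ == "__main__":
    for sender, receiver, count, state in find_one_way_connections(SAMPLE_PACKETS):
        print(f"{sender} -> {receiver}: {count} packets, one direction only ({state})")
```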

Asymmetric routing can be addressed by router configuration, appliance placement, or appliance configuration.

If the router is configured to ensure that all packets of a given connection always pass through the appliance in both directions, there is no asymmetry.

If the appliance is positioned after the point where all the WAN streams are combined, asymmetry is avoided, and all traffic is accelerated, as shown in the following figure.

Figure 2. Avoiding Asymmetric Routing through Proper Placement of the Appliance

Configuring the appliance to use one of the following asymmetry-resistant forwarding modes can eliminate the problem:

• Multiple Bridges. An appliance with two accelerated bridges, or accelerated pairs, (for example, apA and apB), allows two links to be accelerated in inline mode. The two links can be fully independent, load-balanced, or primary/backup links.

• WCCP mode allows a single appliance to be shared between multiple WAN routers, allowing it to handle all the WAN traffic regardless of which link it arrives on.

• Virtual inline mode allows a single appliance to be shared between multiple WAN routers, allowing it to handle all the WAN traffic regardless of which link it arrives on.

• Group mode allows two or more inline appliances to share traffic with each other, ensuring that traffic that arrives on the wrong link is handed off properly. Because group mode requires multiple appliances, it is an expensive solution that is best suited to installations where the accelerated links have wide physical separation, making the other alternatives difficult. For example, if the two WAN links are in different offices in the same city (but the campuses are connected by a LAN-speed link), group mode might be the only choice.


Figure 3. Eliminating Asymmetric Routing by Using Group Mode or Virtual Inline Mode

Note: One end of the link can use virtual inline mode while the other end uses group mode. The two ends of a link do not have to use the same forwarding mode.

Figure 4. Sites with Only One WAN Link Cannot Have Asymmetric Routing Problems


Supported Mode/Feature Combinations

In general, all modes are simultaneously active. However, some combinations should not be used together, as shown in the following table.

Supported Combinations, Units WITH Ethernet Bypass Cards

| Config. | Inline | Virtual Inline | WCCP-GRE | WCCP-L2 | Multiple Bridges | High Avail. | Group Mode |
|---|---|---|---|---|---|---|---|
| CloudBridge Plug-in | Y | Y | Y | Y | Y | Y | N |
| Inline | Y | N | N | N | Y | Y | Y |
| Virtual Inline | | Y | Y | Y | Y | Y | N |
| WCCP-GRE | | | Y | Y | Y | Y | N |
| WCCP-L2 | | | | Y | Y | Y | N |
| Multiple Bridges | | | | | Y | Y | N |
| High Avail. | | | | | | Y | Y |

Supported Combinations, Units WITHOUT Ethernet Bypass Cards

| Config. | Inline | Virtual Inline | WCCP-GRE | WCCP-L2 | Multiple Bridges | High Avail. | Group Mode |
|---|---|---|---|---|---|---|---|
| CloudBridge Plug-in | N | N | N | N | N | N | N |
| Inline | Y | N | N | N | N | N | N |
| Virtual Inline | | Y | Y | Y | N | N | N |
| WCCP-GRE | | | Y | Y | N | N | N |
| WCCP-L2 | | | | Y | N | N | N |
| Multiple Bridges | | | | | N | N | Y |
| High Avail. | | | | | | N | N |

Y = Yes, supported. N = Not supported.

Recommendations for Supporting VPNs

VPN support is simply a matter of putting the appliance on the LAN side of the VPN, as shown in the following figure. This placement ensures that the appliance receives and transmits the decapsulated, decrypted, plain-text version of the link traffic, allowing compression and application acceleration to work. (Application acceleration and compression have no effect on encrypted traffic. However, TCP protocol acceleration works on encrypted traffic.)

Figure 1. VPN Cabling for an Inline VPN

The following figure shows one option for accelerating one-arm VPNs. The appliance is on the server side of the VPN. All VPN traffic with a local destination is accelerated. VPN traffic with a remote destination is not accelerated. Non-VPN traffic can also be accelerated.

Figure 2. One-Arm VPN Acceleration, Option A

The following figure shows another option for accelerating one-arm VPNs. The appliance is on the server side of the VPN. All VPN traffic with a local destination is accelerated. VPN traffic with a remote destination is not accelerated. Non-VPN traffic can also be accelerated.

Figure 3. One-Arm VPN Acceleration, Option B

Important: For acceleration to be effective, the VPN must preserve TCP header options. Most VPNs do so.
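The autodetection section states that CloudBridge signals through TCP header options, and the note above requires that a VPN preserve them. The following Python sketch is an added example, not Citrix code: it parses the options of a SYN captured on each side of a firewall or VPN and lists the option kinds that were stripped in transit. The sample headers are constructed, and kind 253 (an RFC 4727 experimental kind) is a placeholder, because this page does not state which option kinds CloudBridge uses.

```python
import struct

# Common option kinds from the IANA TCP parameters registry.
KNOWN_KINDS = {2: "MSS", 3: "Window Scale", 4: "SACK Permitted",
               5: "SACK", 8: "Timestamps"}

# Placeholder (assumption): stands in for an accelerator's private option.
# The page does not say which kinds CloudBridge uses.
PLACEHOLDER_ACCEL_KIND = 253


def parse_tcp_options(tcp_header: bytes):
    """Return [(kind, value_bytes)] from a raw TCP header, skipping NOPs."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("invalid data offset")
    opts = tcp_header[20:data_offset]
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        parsed.append((kind, opts[i + 2:i + length]))
        i += length
    return parsed


def stripped_kinds(before: bytes, after: bytes):
    """Option kinds present in `before` but absent from `after`, in order."""
    surviving = {kind for kind, _ in parse_tcp_options(after)}
    missing = []
    for kind, _ in parse_tcp_options(before):
        if kind not in surviving and kind not in missing:
            missing.append(kind)
    return missing


def describe(kinds):
    """Human-readable labels for a list of option kinds."""
    return [f"{k} ({KNOWN_KINDS.get(k, 'not a common option')})" for k in kinds]


def build_syn(options: bytes) -> bytes:
    """Constructed sample: a minimal TCP SYN header carrying `options`."""
    padded = options + b"\x01" * (-len(options) % 4)  # pad to 32 bits with NOPs
    data_offset = (20 + len(padded)) // 4
    fixed = struct.pack("!HHIIBBHHH", 49152, 1494, 1000, 0,
                        data_offset << 4, 0x02, 65535, 0, 0)
    return fixed + padded


_COMMON = b"\x02\x04\x05\xb4" + b"\x03\x03\x07" + b"\x04\x02"  # MSS, WScale, SACK-Perm
# Same SYN as seen on the LAN side and, after a middlebox that blanks
# unknown options with NOPs, on the WAN side (both constructed).
LAN_SIDE_SYN = build_syn(_COMMON + bytes([PLACEHOLDER_ACCEL_KIND, 6]) + b"\xca\xfe\x00\x01")
WAN_SIDE_SYN = build_syn(_COMMON + b"\x01" * 6)

if __name__ == "__main__":
    lost = stripped_kinds(LAN_SIDE_SYN, WAN_SIDE_SYN)
    print("Options removed in transit:", describe(lost) or "none")
```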


Supporting CloudBridge Plug-in With Citrix Access Gateway VPNs

The Access Gateway Standard Edition VPN supports CloudBridge Plug-in acceleration, provided that a CloudBridge appliance is deployed with the Access Gateway appliance and the Access Gateway appliance is configured to support it. See the CloudBridge Release Notes for a list of supported Access Gateway releases.

For CloudBridge Plug-in support with other VPNs, see your VPN documentation or contact your Citrix representative.

To configure CloudBridge support, use the Access Gateway administration tool, as follows:

1. On the Global Cluster Policies page, under Advanced Options, select the Enable TCP optimization with CloudBridge Plug-in check box.

2. Make sure that the IP addresses used by the CloudBridge (redirector IP and management IP) have access enabled in the Network Resources section on the Access Policy Manager page.

3. For each of these addresses, enable all protocols (TCP, UDP, ICMP) and enable Preserve TCP Options.

4. Make sure that these same addresses are included under User Groups: Default: Network Policies on the Access Policy Manager page.


What Happens if the Appliance Fails

CloudBridge appliances have safeguards against loss of connectivity in case of software, hardware, and power failures. These safeguards are mode-dependent.

In inline mode, appliances maintain network continuity in the event of hardware, software, or power failure. If present, the bypass relay in the appliance closes if power is lost or some other failure occurs. Inline appliances without a bypass card usually block traffic in the event of a serious failure, but they continue to forward traffic under some conditions, namely, when the network stack is running but the acceleration software has been disabled or has shut itself down because of persistent errors.

Existing accelerated connections usually become unresponsive after a failure and are eventually terminated by the application or the network stack at one of the end points. Some accelerated connections might continue as unaccelerated connections after the failure. New connections run in unaccelerated mode.

When the appliance comes back online, existing connections continue as unaccelerated connections. New connections are accelerated.

In WCCP mode, the router bypasses an appliance that stops responding, and reopens the connection when the appliance begins responding again. The WCCP protocol has integral health-checking.

If the "verify-availability" option is used with virtual inline mode, the router behaves like it does with WCCP mode, bypassing the appliance when it is not available and reconnecting when it is. If "verify-availability" is not used, all packets forwarded to the appliance are dropped if the appliance is not available.

In group mode, an appliance can be configured to fail "open" (bridging disabled) or "closed" (bridging or bypass relay enabled).

In high availability mode, if one HA appliance fails, the other takes over automatically. The appliances' bypass cards are disabled in HA mode, so if the HA appliances are in inline mode and both appliances fail, connectivity is lost.

In redirector mode, the CloudBridge Plug-in performs health checking on redirector-mode appliances and bypasses unresponsive appliances, sending traffic directly to endpoint servers instead.

Page 94: CloudBridge 7.0 - Citrix Product Documentation

94

Product Selection and Deployment

Deploying CloudBridge appliances successfully is not difficult, but improper deploymentscan cause problems and provide inadequate acceleration. Be sure to select appliances withsufficient capacity for the links that you want them to accelerate. Product selection is alsoone of the factors to consider when deciding how best to fit the appliances into yourtopology.

The most basic deployment criteria are:

• All packets in the TCP connection must pass through a supported combination of twoacceleration units (CloudBridge appliances or Plug-ins).

• Traffic must pass through the two acceleration units in both directions.

When these criteria are met, acceleration is automatic.

Figure 1. Acceleration Enhances Performance when Traffic Passes through Two Appliances

For sites with only one WAN network, these criteria can be met by placing the CloudBridgeappliance inline with the WAN. In more complex sites, other options are available. Some,such as WCCP support, are available on all models. Others are available on certain modelsonly. Therefore, the needs of a more complex site might limit your choice of appliances.

When evaluating your options, consider the importance of keeping various segments of yournetwork up and running in the event that a device fails or has to be disabled. For inlinedeployments, Citrix recommends an Ethernet bypass card. This card, which is standardequipment on all 8800 and 8500 Series Repeater appliances and optional on CloudBridgeappliances, has a relay that closes if the appliance fails, allowing packets to pass througheven if power is lost or removed.

Redundancy is a consideration for all types of deployments. CloudBridge appliances offerdifferent types of redundancy:

Page 95: CloudBridge 7.0 - Citrix Product Documentation

• The Repeater 8800 Series and CloudBridge 4000/5000 appliances have dual powersupplies.

• The Repeater 8800 and 8500 Series and CloudBridge 4000/5000 appliances haveredundant disk drives.

• Appliances can be used in high-availability mode (two redundant appliances withautomatic failover). This mode is supported on all models.

Product Selection and Deployment

95

Page 96: CloudBridge 7.0 - Citrix Product Documentation

96

Product Selection by Capacity

Two capacities are important when selecting a CloudBridge appliance: link capacity(bandwidth) and disk capacity. For proper operation, your appliance must be able tosupport the WAN links it is accelerating, and for maximum performance, your appliancemust have an amount of disk-based compression history suitable for the amount of trafficover your link.

Link CapacityWhen selecting a CloudBridge appliance, the most important factor is that it support yourWAN links. If your site has a single WAN link, your appliance should support your link speed.For example, a CloudBridge can supports links of up to 10 Mbps, which would be suitable foran 8 Mbps link but not a 12 Mbps link. If your site has multiple links that are to beaccelerated by a single appliance, the appliance should support the total speed of all theseWAN links added together.

The maximum supported speed is determined by a combination of the appliance hardwareand the product license. The licensed bandwidth limit is the maximum link speed that issupported by the license, and the maximum link speed determines the maximum WANspeed.

Table 1. Licensed Bandwidth Limits by Product Line

Product Licensed Bandwidth Limit Range

CloudBridge Plug-in N/A

CloudBridge 700 series, CloudBridge 700series

1-10 Mbps

CloudBridge VPX 1-45 Mbps

Repeater 8500 Series 5-45 Mbps

Repeater 8800 Series 45-500 Mbps

CloudBridge 4000/5000 310-2,000 Mbps

Disk SizeDisk space is used mostly for compression history, and more disk space results in greatercompression performance.

The CloudBridge 700 series offers more disk capacity than the other appliances: between1.5 TB and 4 TB for CloudBridge 4000/5000, roughly 600 GB for the Repeater 8800, and 200GB for the Repeater 8500, CloudBridge, and CloudBridge 700 series. CloudBridge VPX has adisk capacity of 100-500 GB. Ideally, an appliance should have disk space equal to at leastseveral days of WAN traffic. (A 1 Mbps link can transfer about 10 GB per day at full speed.)

Table 2. Examples of Data Lifetime for Disk Sizes

Page 97: CloudBridge 7.0 - Citrix Product Documentation

Appliance Model Link Speed

1 Mbps 10 Mbps 100 Mbps

Data lifetime at 33% link utilization

Repeater 8800 180 days 18 days 43 hours

Repeater 8500 60 days 6 days 14 hours

Data lifetime at 100% link utilization

Repeater 8800 60 days 6 days 14 hours

Repeater 8500 20 days 2 days 5 hours

Product Selection by Capacity

97

Page 98: CloudBridge 7.0 - Citrix Product Documentation

98

Product and Mode Selection byDatacenter Topology

The appliance can be placed in line with your WAN link. The appliance uses two bridgedEthernet ports for inline mode. Packets enter one Ethernet port and exit through the other.This mode puts the appliance between your WAN router and your LAN. For the rest of thenetwork, it is as if the appliance were not there at all. Its operation is completelytransparent.

Inline mode has the following advantages over the other deployment modes:

• Maximum performance.

• Very easy configuration, using only the Quick Installation page.

• No reconfiguration of your other network equipment.

Other modes (WCCP, virtual inline, redirector) are less convenient to set up, generallyrequiring that you reconfigure your router, and they have somewhat lower performance.

A basic deployment consideration is whether your site has a single WAN router or multipleWAN routers. You also have to think about which features can be used in which modes. Arequirement to support VPNs affects the placement of the appliance in your network.

Access Gateway appliances support CloudBridge TCP optimizations, enabling acceleratedVPN connections when CloudBridge appliances are deployed with Access Gateway.

Overview of Deployment ModesThe appliance can be deployed in the following modes:

Page 99: CloudBridge 7.0 - Citrix Product Documentation

Forwarding Modes• Inline mode—Highest-performance, most transparent mode. Data flows in on one

accelerated Ethernet port and out on the other. Requires no router reconfiguration of any kind.

• Inline with dual bridges—Same as inline, but with two independent accelerated bridges.

• WCCP mode—Recommended when inline mode is not practical. Supported by most routers. Requires only three lines of router configuration. To use WCCP mode on a Cisco router, the router should be running at least IOS version 12.0(11)S or 12.1(3)T. (WCCP stands for Web Cache Communications Protocol, but the protocol was greatly expanded with version 2.0 to support a wide variety of network devices.)

• Virtual Inline mode—Similar to WCCP mode. Uses policy based routing. Generally requires a dedicated LAN port on the router. Not recommended on units without an Ethernet bypass card. To use virtual inline mode on a Cisco router, the router should be running IOS version 12.3(4)T or later.

• Group mode—Used with two or more inline appliances, one per link, within a site. Recommended only when multiple bridges, WCCP, and virtual inline modes are all impractical.

• High-availability mode—Transparently combines two inline or virtual inline appliances into a primary/secondary pair. The primary appliance handles all the traffic. If it fails, the secondary appliance takes over. Requires no router configuration. Requires an appliance with an Ethernet bypass card.

• Transparent Mode—The recommended mode for communication with the CloudBridge Plug-in. In transparent mode, the Plug-in initiates connections in essentially the same way as the CloudBridge appliance, keeping the original IP address and port number of the connection and adding CloudBridge options to the TCP/IP headers of selected packets. By contrast, in redirector mode (not recommended), the Plug-in alters the destination IP and port numbers of the packets to match the signaling IP (and port) of the appliance.

• Redirector mode (not recommended)—Used by the CloudBridge Plug-in to forward traffic to the appliance. Can be used as a stand-alone mode or combined with one of the other deployments. Requires no router configuration.

Acceleration Modes

• Softboost mode—A high-performance TCP variant that is recommended for most links. Although it provides less performance than hardboost mode, it works with any deployment. Acts like normal TCP, but faster.

• Hardboost mode—A highly aggressive, bandwidth-limited TCP variant useful for high-speed links, intercontinental links, satellite links, and other fixed-speed links for which achieving full link speed is difficult. Recommended for fixed-speed, point-to-point links where traffic shaping is not required.


Sites with One WAN Router

For a site with only one WAN router, the main issue in deployment is to allow the CloudBridge appliance to work in harmony with the router. The following figure shows the recommended deployment modes for a single router. Compare it to your router cabling to find the best mode for your environment.

Figure 1. Recommended Deployment Modes, Based on WAN Router Topology

Comments about the recommended deployment modes:

1. Single LAN, Single WAN: Inline mode. The router has a single active LAN interface and a single active WAN interface. The recommended mode for this case is inline mode, which provides the simplest installation, the most features, and the highest performance of any mode.

2. Single LAN, Redundant WANs: Inline mode. Inline mode is best for this configuration as well.

3. Single LAN, Multiple WANs: Inline or WCCP. This topology falls into two categories: hub-and-spoke or multihop. In a hub-and-spoke deployment, connections are mostly between a spoke site and the hub site. In a multihop deployment, many connections are between two spoke sites, with the data passing through the hub site. A single multihop connection can thus involve as many as three appliances, depending on the details of where the hub site's appliance is positioned in the traffic flow.

For proper traffic shaping in multihop deployments, all WAN traffic on the hub site's WAN router must also pass through the appliance, instead of being passed by the router directly between WAN interfaces. In this case, WCCP is the preferred mode. If the deployment is hub-and-spoke, with most traffic terminating on the hub site, an inline deployment is preferable.

4. Dual LANs, single WAN: Inline (with dual bridges) or WCCP. This mode is supported by dual accelerated bridges, WCCP mode, or virtual inline mode.

5. Multiple LANs, multiple WANs: Inline (dual bridges) or WCCP. This is similar to Case C, but complicated by the presence of multiple LAN interfaces as well as multiple WANs. WCCP can always be used here. In the two-LAN case, an appliance with dual bridges can also be used in inline mode.

Table 1. Options Supported for Each Router Topology

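Appliances WITH Ethernet Bypass Cards

| Config. | Mode | Softboost | Hardboost | Group Mode | High Availability |
|---|---|---|---|---|---|
| A. | Inline | Yes | Yes | Yes | Yes |
| B. | WCCP | Yes | No | Yes | Yes |
| C1. | WCCP | Yes | No | No | Yes |
| C2. | Inline | Yes | No | Yes | Yes |
| D. | WCCP | Yes | No | No | Yes |
| D2. | Inline, Dual Bridges | Yes | No | No | Yes |
| E. | WCCP | Yes | No | No | Yes |
| E2. | Inline, Dual Bridges | Yes | No | No | Yes |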

Appliances WITHOUT Ethernet Bypass Cards

| Config. | Mode | Softboost | Hardboost | Group Mode | High Availability |
|---|---|---|---|---|---|
| A. | Inline | Yes | Yes | No | No |
| B. | WCCP | Yes | No | No | No |
| C1. | WCCP | Yes | No | No | No |
| C2. | Inline | Yes | No | No | No |
| D. | WCCP | Yes | No | No | No |
| D2. | Inline, Dual Bridges | No | No | No | No |
| E. | WCCP | Yes | No | No | No |
| E2. | Inline, Dual Bridges | No | No | No | No |


Sites with Multiple WAN Routers

More than one WAN router at the same site raises the possibility of asymmetric routing. Normally, IP networks are not affected by what path the packets take, so long as they arrive at their destination. However, the appliance relies on seeing every packet in the connection. "End-around" packets are not acceptable.

In a site with only one WAN router, asymmetric routing is not a problem, because the appliance can be placed in the path between the router and the rest of the site, so that traffic into or out of the router also passes through the appliance. But with two WAN routers, asymmetric routing can become an issue.

Asymmetric routing problems can appear during installation or later, as a result of failover to a secondary link, or other forms of dynamic routing and load balancing. The following figure shows example sites that might suffer from asymmetric routing. If sites C and D always use the direct path, C-D or D-C, when sending traffic to each other, everything is fine. However, packets that take the longer path, C-E-D or D-E-C, bypass the appliances, causing new connections to be unaccelerated and existing connections to hang.

Figure 1. Asymmetric Routing

Asymmetric routing can be addressed by router configuration, appliance placement, or appliance configuration.

If the router is configured to ensure that all packets of a given connection always pass through the appliance in both directions, there is no asymmetry.

If the appliance is positioned after the point where all the WAN streams are combined, asymmetry is avoided, and all traffic is accelerated, as shown in the following figure.

Figure 2. Avoiding Asymmetric Routing through Proper Placement of the Appliance

Configuring the appliance to use one of the following asymmetry-resistant forwarding modes can eliminate the problem:

• Multiple Bridges. An appliance with two accelerated bridges, or accelerated pairs, (for example, apA and apB), allows two links to be accelerated in inline mode. The two links can be fully independent, load-balanced, or primary/backup links.

• WCCP mode allows a single appliance to be shared between multiple WAN routers, allowing it to handle all the WAN traffic regardless of which link it arrives on.

• Virtual inline mode allows a single appliance to be shared between multiple WAN routers, allowing it to handle all the WAN traffic regardless of which link it arrives on.

• Group mode allows two or more inline appliances to share traffic with each other, ensuring that traffic that arrives on the wrong link is handed off properly. Because group mode requires multiple appliances, it is an expensive solution that is best suited to installations where the accelerated links have wide physical separation, making the other alternatives difficult. For example, if the two WAN links are in different offices in the same city (but the campuses are connected by a LAN-speed link), group mode might be the only choice.


Figure 3. Eliminating Asymmetric Routing by Using Group Mode or Virtual Inline Mode

Note: One end of the link can use virtual inline mode while the other end uses group mode. The two ends of a link do not have to use the same forwarding mode.

Figure 4. Sites with Only One WAN Link Cannot Have Asymmetric Routing Problems
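The symptom described in this section, packets of a connection taking a path around the appliance, can be checked from a packet capture taken at the appliance's position. The following Python example is added here and is not Citrix code; the capture line format, the addresses and the function names are assumptions made for illustration.

```python
"""Flag TCP connections that a capture point sees in only one direction."""
from collections import defaultdict
from typing import NamedTuple

# Constructed sample (not real traffic): one packet per line as
# "time src sport dst dport tcp_flags", with S=SYN, A=ACK, P=PSH.
SAMPLE_CAPTURE = """\
0.000 10.3.0.5 40112 10.4.0.9 445 S
0.031 10.4.0.9 445 10.3.0.5 40112 SA
0.032 10.3.0.5 40112 10.4.0.9 445 A
0.040 10.3.0.5 40112 10.4.0.9 445 PA
0.100 10.3.0.7 51520 10.4.0.9 443 S
0.150 10.3.0.7 51520 10.4.0.9 443 A
0.200 10.3.0.7 51520 10.4.0.9 443 PA
2.000 10.4.0.20 80 10.3.0.8 33000 SA
2.050 10.4.0.20 80 10.3.0.8 33000 PA
3.000 10.3.0.9 44000 10.4.0.30 22 S
"""


class Packet(NamedTuple):
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_capture(text):
    """Parse the assumed six-field line format; skip malformed lines."""
    packets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        ts, src, sport, dst, dport, flags = fields
        packets.append(Packet(float(ts), src, int(sport), dst, int(dport), flags))
    return packets


def connection_key(pkt):
    """Return the same key for both directions of one TCP connection."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


def classify(packets):
    """Map each connection to 'symmetric', 'asymmetric' or 'unanswered'.

    A segment carrying the ACK flag acknowledges something its sender
    received from the peer. If the capture point saw only one direction
    and that direction contains ACKs, the peer's packets reached the
    sender by a path that does not cross the capture point. A lone SYN
    with no ACK proves nothing (the peer may simply be down).
    """
    seen = defaultdict(lambda: {"senders": set(), "acked": False})
    for pkt in packets:
        state = seen[connection_key(pkt)]
        state["senders"].add((pkt.src, pkt.sport))
        if "A" in pkt.flags:
            state["acked"] = True

    verdicts = {}
    for key, state in seen.items():
        if len(state["senders"]) == 2:
            verdicts[key] = "symmetric"
        elif state["acked"]:
            verdicts[key] = "asymmetric"
        else:
            verdicts[key] = "unanswered"
    return verdicts


def asymmetric_connections(text):
    """Return the sorted connection keys judged asymmetric."""
    verdicts = classify(parse_capture(text))
    return sorted(key for key, verdict in verdicts.items() if verdict == "asymmetric")


if __name__ == "__main__":
    for (a, b) in asymmetric_connections(SAMPLE_CAPTURE):
        print(f"one direction only: {a[0]}:{a[1]} <-> {b[0]}:{b[1]}")
```

Packet loss in the capture itself can produce the same verdict, so confirm a flagged connection against the routers' paths before changing the deployment mode.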


Supported Mode/Feature Combinations

In general, all modes are simultaneously active. However, some combinations should not be used together, as shown in the following table.

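Supported Combinations, Units WITH Ethernet Bypass Cards

| Config. | Inline | Virtual Inline | WCCP-GRE | WCCP-L2 | Multiple Bridges | High Avail. | Group Mode |
|---|---|---|---|---|---|---|---|
| CloudBridge Plug-in | Y | Y | Y | Y | Y | Y | N |
| Inline | Y | N | N | N | Y | Y | Y |
| Virtual Inline | | Y | Y | Y | Y | Y | N |
| WCCP-GRE | | | Y | Y | Y | Y | N |
| WCCP-L2 | | | | Y | Y | Y | N |
| Multiple Bridges | | | | | Y | Y | N |
| High Avail. | | | | | | Y | Y |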

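Supported Combinations, Units WITHOUT Ethernet Bypass Cards

| Config. | Inline | Virtual Inline | WCCP-GRE | WCCP-L2 | Multiple Bridges | High Avail. | Group Mode |
|---|---|---|---|---|---|---|---|
| CloudBridge Plug-in | N | N | N | N | N | N | N |
| Inline | Y | N | N | N | N | N | N |
| Virtual Inline | | Y | Y | Y | N | N | N |
| WCCP-GRE | | | Y | Y | N | N | N |
| WCCP-L2 | | | | Y | N | N | N |
| Multiple Bridges | | | | | N | N | Y |
| High Avail. | | | | | | N | N |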

Y = Yes, supported. N = Not supported.


Recommendations for Supporting VPNs

VPN support is simply a matter of putting the appliance on the LAN side of the VPN, as shown in the following figure. This placement ensures that the appliance receives and transmits the decapsulated, decrypted, plain-text version of the link traffic, allowing compression and application acceleration to work. (Application acceleration and compression have no effect on encrypted traffic. However, TCP protocol acceleration works on encrypted traffic.)

Figure 1. VPN Cabling for an Inline VPN

The following figure shows one option for accelerating one-arm VPNs. The appliance is on the server side of the VPN. All VPN traffic with a local destination is accelerated. VPN traffic with a remote destination is not accelerated. Non-VPN traffic can also be accelerated.

Figure 2. One-Arm VPN Acceleration, Option A

The following figure shows another option for accelerating one-arm VPNs. The appliance is on the server side of the VPN. All VPN traffic with a local destination is accelerated. VPN traffic with a remote destination is not accelerated. Non-VPN traffic can also be accelerated.

Figure 3. One-Arm VPN Acceleration, Option B

Important: For acceleration to be effective, the VPN must preserve TCP header options. Most VPNs do so.


Supporting CloudBridge Plug-in With Citrix Access Gateway VPNs

The Access Gateway Standard Edition VPN supports CloudBridge Plug-in acceleration, provided that a CloudBridge appliance is deployed with the Access Gateway appliance and the Access Gateway appliance is configured to support it. See the CloudBridge Release Notes for a list of supported Access Gateway releases.

For CloudBridge Plug-in support with other VPNs, see your VPN documentation or contact your Citrix representative.

To configure CloudBridge support, use the Access Gateway administration tool, as follows:

1. On the Global Cluster Policies page, under Advanced Options, select the Enable TCP optimization with CloudBridge Plug-in check box.

2. Make sure that the IP addresses used by the CloudBridge (redirector IP and management IP) have access enabled in the Network Resources section on the Access Policy Manager page.

3. For each of these addresses, enable all protocols (TCP, UDP, ICMP) and enable Preserve TCP Options.

4. Make sure that these same addresses are included under User Groups: Default: Network Policies on the Access Policy Manager page.


What Happens if the Appliance Fails

CloudBridge appliances have safeguards against loss of connectivity in case of software, hardware, and power failures. These safeguards are mode-dependent.

In inline mode, appliances maintain network continuity in the event of hardware, software, or power failure. If present, the bypass relay in the appliance closes if power is lost or some other failure occurs. Inline appliances without a bypass card usually block traffic in the event of a serious failure, but they continue to forward traffic under some conditions, namely, when the network stack is running but the acceleration software has been disabled or has shut itself down because of persistent errors.

Existing accelerated connections usually become unresponsive after a failure and are eventually terminated by the application or the network stack at one of the end points. Some accelerated connections might continue as unaccelerated connections after the failure. New connections run in unaccelerated mode.

When the appliance comes back online, existing connections continue as unaccelerated connections. New connections are accelerated.

In WCCP mode, the router bypasses an appliance that stops responding, and reopens the connection when the appliance begins responding again. The WCCP protocol has integral health-checking.

If the "verify-availability" option is used with virtual inline mode, the router behaves like it does with WCCP mode, bypassing the appliance when it is not available and reconnecting when it is. If "verify-availability" is not used, all packets forwarded to the appliance are dropped if the appliance is not available.

In group mode, an appliance can be configured to fail "open" (bridging disabled) or "closed" (bridging or bypass relay enabled).

In high availability mode, if one HA appliance fails, the other takes over automatically. The appliances' bypass cards are disabled in HA mode, so if the HA appliances are in inline mode and both appliances fail, connectivity is lost.

In redirector mode, the CloudBridge Plug-in performs health checking on redirector-mode appliances and bypasses unresponsive appliances, sending traffic directly to endpoint servers instead.


CloudBridge 2000 and 3000 Appliances

The CloudBridge 2000 and 3000 appliances are 1U accelerators for use in datacenters and larger branch offices. The CloudBridge 2000 can be thought of as a faster Repeater 8500 appliance with two accelerated bridges, while the CloudBridge 3000 can be thought of as a faster Repeater 8800 with three accelerated bridges. The configuration process, however, is not the same. Like the high-end Repeater SDX appliance, CloudBridge 2000 and 3000 appliances use virtual machines for acceleration and management, running under a XenServer hypervisor.


Hardware Installation

The following sections describe the hardware installation for CloudBridge 2000 and CloudBridge 3000 hardware platforms.

• Introduction to the Hardware Platforms: Describes the CloudBridge 2000 and CloudBridge 3000 hardware platforms and provides detailed information about each platform and its components.

• Preparing for Installation: Describes how to unpack the CloudBridge appliance and prepare the site and rack for installing the appliance. Lists the cautions and warnings that you should review before you install the appliance.

• Installing the Hardware: Describes the steps to install the rails, mount the hardware, connect the cables, and turn on the appliance.


Introduction to the Hardware Platforms

All of the platforms have similar components, but the CloudBridge hardware platforms offer a wide range of features, communication ports, and processing capacities. All CloudBridge hardware platforms support the CloudBridge software and have multicore processors.


Common Hardware Components

Each platform has front panel and back panel hardware components. The front panel has an LCD display and an RS232 serial console port. The number, type, and location of additional ports—copper Ethernet and SX Fiber—vary by hardware platform. The back panel has a power switch and provides access to the power supply and the solid-state drive, which are field replaceable units.


Ports

Ports are used to connect the appliance to external devices. CloudBridge appliances support RS232 serial ports and 10/100/1000Base-T copper Ethernet ports.

RS232 Serial Port

The RS232 serial console port on the front panel of the appliance provides a connection between the appliance and a computer, allowing direct access to the appliance for initial configuration or troubleshooting.

Copper Ethernet Ports

The copper Ethernet ports installed on the appliance are standard RJ45 ports.

10/100/1000BASE-T port

The 10/100/1000BASE-T port has a maximum transmission speed of 1 gigabit per second, ten times faster than the other type of copper Ethernet port. Most platforms have at least one 10/100/1000Base-T port.

To connect any of these ports to your network, you plug one end of a standard Ethernet cable into the port and plug the other end into the appropriate network connector.

Management Ports

Management ports are standard copper Ethernet ports (RJ45), which are used for direct access to the appliance for system administration functions.

LED Port-Status Indicators

The port LEDs show whether a link is established and traffic is flowing through the port. The following table describes the LED indicators for each port. There are two LED indicators for each port type.

Table 1. LED port-status indicators

| Port Type | LED Location | LED Function | LED Color | LED Indicates |
|---|---|---|---|---|
| Ethernet (RJ45) | Left | Speed | Off | No connection, or a traffic rate of 10 megabits per second (Mbps). |
| | | | Green | Traffic rate of 100 Mbps. |
| | | | Yellow | Traffic rate of 1 gigabit per second. |
| | Right | Link/Activity | Off | No link. |
| | | | Solid green | Link is established but no traffic is passing through the port. |
| | | | Blinking green | Traffic is passing through the port. |
| Management (RJ45) | Left | Speed | Off | No connection, or a traffic rate of 10 megabits per second (Mbps). |
| | | | Green | Traffic rate of 100 Mbps. |
| | | | Amber | Traffic rate of 1 gigabit per second. |
| | Right | Link/Activity | Off | No link. |
| | | | Solid yellow | Link is established but no traffic is passing through the port. |
| | | | Blinking yellow | Traffic is passing through the port. |


Field Replaceable Units

Citrix CloudBridge field replaceable units (FRU) are CloudBridge components that can be quickly and easily removed from the appliance and replaced by the user or a technician at the user's site. The FRUs in a CloudBridge appliance can include an AC power supply and a solid-state drive.

Note: The solid-state drive stores your configuration information, which has to be restored from a backup after replacing the unit.


Power Supply

CloudBridge appliances are configured with a single power supply. For a CloudBridge 3000 appliance, you can order a second power supply.

The appliance ships with a standard power cord that plugs into the appliance’s power supply. The other end of the cord has a NEMA 5-15 plug for connecting to the power outlet on the rack or in the wall.

For power-supply specifications, see Common Hardware Components, which describes the various hardware components and hardware platforms and includes a table summarizing the hardware specifications.

Note: If you suspect that a power-supply fan is not working, see the description of your platform. On some platforms, what appears to be the fan does not turn, and the actual fan turns only when necessary.

Table 1. LED Power Supply Indicators

| Power Supply Type | LED Color | LED Indicates |
|---|---|---|
| AC | OFF | No power to any power supply. |
| | Flashing RED | No power to this power supply. |
| | Flashing GREEN | Power supply is in standby mode. |
| | GREEN | Power supply is functional. |
| | RED | Power supply failure. |

Electrical Safety Precautions for Power Supply Replacement

• Make sure that the appliance has a direct physical connection to earth ground during normal use. When installing or repairing an appliance, always connect the ground circuit first and disconnect it last.

• Always unplug any appliance before performing repairs or upgrades.

• Never touch a power supply when the power cord is plugged in. As long as the power cord is plugged in, line voltages are present in the power supply even if the power switch is turned off.


Replacing an AC Power Supply

A CloudBridge 2000 appliance can accommodate only one power supply. A CloudBridge 3000 appliance has only one power supply, but you can order and install a second power supply.

Note: Shut down the appliance before replacing the power supply.

To install or replace an AC power supply in a Citrix CloudBridge appliance

1. If replacing an existing power supply, align the semicircular handle so that it is perpendicular to the power supply, loosen the thumbscrew, press the lever toward the handle, and pull out the existing power supply, as shown in the following figure.

Note: The illustration in the following figures might not represent the actual CloudBridge appliance.

Figure 1. Removing the Existing AC Power Supply

2. Carefully remove the new power supply from its box.

3. On the back of the appliance, align the power supply with the power supply slot.

4. Insert the power supply into the slot and press against the semicircular handle until you hear the power supply snap into place.

Figure 2. Inserting the Replacement AC Power Supply


5. Connect the power supply to a power source.


Solid-State Drive

A solid-state drive (SSD) is a high-performance data storage device that stores data in solid-state flash memory. It stores the CloudBridge software and user data.

Replacing a Solid-State Drive

Replacement solid-state drives (SSDs) contain a pre-installed version of the CloudBridge software.

To replace a Solid-State Drive

1. Shut down the appliance.

2. Locate the SSD on the back panel of the appliance. Push the safety latch of the drive cover to the right or down, depending on the platform, while pulling out on the drive handle to disengage. Pull out the faulty drive.

Note: The illustration in the following figures might not represent the actual CloudBridge appliance.

Figure 1. Removing the Existing Solid-State Drive

3. Verify that the replacement SSD is the correct type for the CloudBridge platform.

4. Pick up the new SSD, open the drive handle fully to the left, and insert the drive into the slot as far as possible. To seat the drive, close the handle flush with the rear of the appliance so that the drive locks securely into the slot.

Important: When you insert the drive, make sure that the Citrix product label is at the top if the drive is inserted horizontally or at the right if the drive is inserted vertically.

Figure 2. Inserting the Replacement Solid-State Drive

5. Turn on the appliance.

6. Perform the initial configuration of the appliance.


Citrix CloudBridge 2000

The Citrix CloudBridge 2000 platform has 3 models: CB 2000-010, CB 2000-020, and CB 2000-050, with bandwidths of 10 Mbps, 20 Mbps, and 50 Mbps, respectively. Each model is a 1U appliance with one quad-core processor and 24 gigabytes (GB) of memory.

The following figure shows the front panel of the CloudBridge 2000 appliance.

Figure 1. Citrix CloudBridge 2000, front panel

The appliance has the following ports:

• An RS232 serial console port.

• A copper Ethernet (RJ45) Port called the Lights out Management (LOM) port. You can use this port to remotely monitor and manage the appliance independently of the appliance's software.

• A copper Ethernet (RJ45) management port, numbered 0/1. The management port is used to connect directly to the appliance for system administration functions.

Note: The LOM port also operates as a management port.

• Four 10/100/1000Base-T copper Ethernet ports numbered 1/1, 1/2, 1/3, and 1/4 from left to right. The four ports form two accelerated pairs, which function as accelerated bridges. Ports 1/1 and 1/2 are accelerated pair A (apA), and 1/3 and 1/4 are accelerated pair B (apB).

The following figure shows the back panel of the CloudBridge 2000 appliance.

Figure 2. Citrix CloudBridge 2000 appliance, back panel

The following components are visible on the back panel of the CloudBridge 2000 appliance:

• 600 GB removable solid-state drive, which stores the appliance's software and user data.

• Power switch, which turns off power to the appliance. Press the switch for five seconds to turn off the power.

• USB port (reserved for a future release).

• Non-maskable interrupt (NMI) button, for use at the request of Technical Support to produce a core dump. You must use a pen, pencil, or other pointed object to press this red button, which is recessed to prevent unintentional activation.

• Single power supply, rated at 300 watts, 100-240 volts.


Citrix CloudBridge 3000

The Citrix CloudBridge 3000 platform has 3 models: CloudBridge 3000-050, CloudBridge 3000-100, and CloudBridge 3000-155, with bandwidths of 50 Mbps, 100 Mbps, and 155 Mbps, respectively. Each model is a 1U appliance with one quad-core processor and 32 gigabytes (GB) of memory.

The Citrix CloudBridge 3000 appliance is available in two port configurations:

• Six 10/100/1000 Base-T copper Ethernet ports

• Four 1G SX Fiber ports

The following figure shows the front panel of a CloudBridge 3000 with six 10/100/1000 Base-T copper Ethernet ports.

Figure 1. Citrix CloudBridge 3000 (6×10/100/1000 Base-T copper Ethernet ports), front panel

The following figure shows the front panel of a CloudBridge 3000 appliance with four 1G SX fiber ports.

Figure 2. Citrix CloudBridge 3000 (4×1G SX Fiber ports), front panel

The appliance has the following ports:

• An RS232 serial console port.

• A copper Ethernet (RJ45) Port called the Lights out Management (LOM) port. You can use this port to remotely monitor and manage the appliance independently of the appliance's software.

• A copper Ethernet (RJ45) management port, numbered 0/1. The management port is used to connect directly to the appliance for system administration functions.

Note: The LOM port also operates as a management port.

• Network Ports, in one of the following configurations:

• CloudBridge 3000 (6x10/100/1000 Base-T copper Ethernet ports). Six 10/100/1000 Base-T copper Ethernet ports numbered 1/1, 1/2, 1/3, 1/4, 1/5, and 1/6 from left to right. The six ports form three accelerated pairs, which function as accelerated bridges. Ports 1/1 and 1/2 are accelerated pair A (apA), 1/3 and 1/4 are accelerated pair B (apB), and 1/5 and 1/6 are accelerated pair C (apC).

• CloudBridge 3000 (4x 1G SX Fiber ports). Four 1G SX fiber ports numbered 1/1, 1/2, 1/3, and 1/4 from left to right. The four ports form two accelerated pairs, which function as accelerated bridges. Ports 1/1 and 1/2 are accelerated pair A (apA) and 1/3 and 1/4 are accelerated pair B (apB).

The following figure shows the back panel of the CloudBridge 3000 appliance.

Figure 3. Citrix CloudBridge 3000 appliance, back panel

The following components are visible on the back panel of the CloudBridge 3000 appliance:

• Four 600 GB removable solid-state drives. The top left solid-state drive stores both the appliance's software and the user data. The other three store only user data.

• Power switch, which turns power to the appliance on or off. To turn off the power, press the switch for five seconds.

• USB port (reserved for a future release).

• Non-maskable interrupt (NMI) button, for use at the request of Technical Support to produce a core dump. You must use a pen, pencil, or other pointed object to press this red button, which is recessed to prevent unintentional activation.

• Disable alarm button, which is nonfunctional unless you install a second power supply. In that case, it disables the alarm that sounds if the appliance is plugged into only one power outlet or one of the power supplies fails.

• Single power supply, rated at 450 watts, 100-240 volts.


Summary of Hardware Specifications

The following tables summarize the specifications of the CloudBridge 2000 and 3000 hardware platforms.

Table 1. Citrix CloudBridge 2000 and 3000 Platforms Summary

|   | CloudBridge 2000 | CloudBridge 3000 |
|---|---|---|
| Platform Performance | | |
| Bandwidth | Model CB 2000-010: 10 Mbps; Model CB 2000-020: 20 Mbps; Model CB 2000-050: 50 Mbps | Model CB 3000-050: 50 Mbps; Model CB 3000-100: 100 Mbps; Model CB 3000-155: 155 Mbps |
| Maximum HDX sessions | 300 | 500 |
| Total sessions | 20,000 | 50,000 |
| Acceleration Plug-in CCUs | 750 | 1,000 |
| Hardware Specifications | | |
| Processor | 4 Cores | 4 Cores |
| Total disk space | 600 GB SSD | 4 x 600 GB SSD |
| SSD (dedicated Compression history) | 275 GB | 1.5 TB |
| RAM | 24 GB | 32 GB |
| Network Interfaces | 4 x 10/100/1000 Base-T copper Ethernet | 6 x 10/100/1000 Base-T copper Ethernet |
| Transceiver support | Yes | Yes |
| Power supplies | 1 | 1 |
| Physical Dimensions | | |
| Rack Units | 1U | 1U |
| System width | EIA 310-D for 19-inch racks | EIA 310-D for 19-inch racks |
| System depth | 25.4" (64.5 cm) | 25.4" (64.5 cm) |
| System weight | 32 lbs (14.5 kg) | 32 lbs (14.5 kg) |
| Shipping dimensions and weight | 32L x 23.5W x 7.5" H, 39 lbs | 32L x 23.5W x 7.5" H, 39 lbs |
| Environmental and Regulatory | | |
| Voltage | 100/240 VAC, 50-60 Hz | 100/240 VAC, 50-60 Hz |
| Power consumption (Max.) | 300 W | 450 W |
| Operating Temperature (degree Celsius) | 0-40 | 0-40 |
| Non-operating Temperature (degree Celsius) | -40–+70° C | -40–+70° C |
| Allowed Relative Humidity | 5%-95% | 5%-95% |
| Safety certifications | CSA | TUV |
| Electromagnetic and susceptibility certifications | FCC (Part 15 Class A), CE, C-Tick, VCCI-A, CCC, KCC, NOM, SASO, SABS, PCT | FCC (Part 15 Class A), CE, C-Tick, VCCI-A, CCC, KCC, NOM, SASO, SABS, PCT |
| Environmental certifications | RoHS, WEEE | RoHS, WEEE |


Preparing for Installation

Before you install your new appliance, carefully unpack your appliance and make sure that all parts were delivered. Once you are satisfied that your appliance has been delivered to your expectations, verify that the location where the appliance will be installed meets temperature and power requirements and that the server cabinet or floor-to-ceiling cabinet is securely bolted to the floor and has sufficient airflow.

Only trained and qualified personnel should install, maintain, or replace the appliance, and efforts should be taken to ensure that all cautions and warnings are followed.


Unpacking the CloudBridge Appliance

The hardware accessories for your particular appliance, such as cables, adapters, and rail kit, vary depending on the hardware platform you ordered. Unpack the box that contains your new appliance on a sturdy table with plenty of space and inspect the contents.

Use the following list to verify that you received everything that should have been included in the box.

• The appliance you ordered

• One RJ-45 to DB-9 adapter

• One 6 ft RJ-45/DB-9 cable

• One power cable

• One standard 4-post rail kit

Note: If the kit that you received does not fit your rack, contact your Citrix sales representative to order the appropriate kit.

In addition to the items included in the box with your new appliance, you will need the following items to complete the installation and initial configuration process.

• Ethernet cables for each additional Ethernet port that you will connect to your network

• One available Ethernet port on your network switch or hub for each Ethernet port you want to connect to your network

• A computer to serve as a management workstation


Preparing the Site and Rack

A CloudBridge appliance has specific site and rack requirements. You must make sure that adequate environmental control and power density are available. Racks must be bolted to the ground, have sufficient airflow, and have adequate power and network connections. Preparing the site and rack are important steps in the installation process and will help ensure a smooth installation.

Site Requirements

The appliance should be installed in a server room or server cabinet with the following features:

Environment control

An air conditioner, preferably a dedicated computer room air conditioner (CRAC), capable of maintaining the cabinet or server room at a temperature of no more than 21 degrees C/70 degrees F at altitudes of up to 2100 m/7000 ft, or 15 degrees C/60 degrees F at higher altitudes, a humidity level no greater than 45 percent, and a dust-free environment.

Power density

Wiring capable of handling at least 4,000 watts per rack unit in addition to power needs for the CRAC.

Rack Requirements

The rack on which you install your appliance should meet the following criteria:

Rack characteristics

Racks should be either integrated into a purpose-designed server cabinet or be the floor-to-ceiling type, bolted down at both top and bottom to ensure stability. If you have a cabinet, it should be installed perpendicular to a load-bearing wall for stability and sufficient airflow. If you have a server room, your racks should be installed in rows spaced at least 1 meter/3 feet apart for sufficient airflow. Your rack must allow your IT personnel unfettered access to the front and back of each server and to all power and network connections.

Power connections

At minimum, two standard power outlets per unit.

Network connections

At minimum, four Ethernet connections per rack unit.


Space requirements

One empty rack unit for each CloudBridge 2000 or CloudBridge 3000 appliance.

Note: You can order the following rail kits separately.

• Compact 4-post rail kit, which fits racks of 23 to 33 inches.

• 2-post rail kit, which fits 2-post racks.


Cautions and Warnings

Electrical Safety Precautions

Caution: During installation or maintenance procedures, wear a grounding wrist strap to avoid ESD damage to the electronics of the appliance. Use a conductive wrist strap attached to a good earth ground or to the appliance. You can attach it to the connector beside the ESD symbol on the back.

Follow basic electrical safety precautions to protect yourself from harm and the appliance from damage.

• Be aware of the location of the emergency power off (EPO) switch, so that you can quickly remove power to the appliance if an electrical accident occurs.

• Remove all jewelry and other metal objects that might come into contact with power sources or wires before installing or repairing the appliance. When you touch both a live power source or wire and ground, any metal objects can heat up rapidly and may cause burns, set clothing on fire, or fuse the metal object to an exposed terminal.

• Use a regulating, uninterruptible power supply (UPS) to protect the appliance from power surges and voltage spikes, and to keep the appliance operating in case of power failure.

• Never stack the appliance on top of any other server or electronic equipment.

• All appliances are designed to be installed on power systems that use TN earthing. Do not install your device on a power system that uses either TT or IT earthing.

• Make sure that the appliance has a direct physical connection to the earth during normal use. When installing or repairing an appliance, always make sure that the ground circuit is connected first and disconnected last.

• Make sure that a fuse or circuit breaker no larger than 120 VAC, 15 A U.S. (240 VAC, 16 A international) is used on all current-carrying conductors on the power system to which your appliances are connected.

• Do not work alone when working with high voltage components.

• Always disconnect the appliance from power before removing or installing any component. When disconnecting power, first shut down the appliance, and then unplug the power cords of all the power supply units connected to the appliance. As long as the power cord is plugged in, line voltages can be present in the power supply, even when the power switch is OFF.

• Do not use mats designed to decrease static electrical discharge as protection from electrical shock. Instead, use rubber mats that have been specifically designed as electrical insulators.

• Make sure that the power source can handle the appliance's maximum power consumption rating with no danger of an overload. Always unplug any appliance before performing repairs or upgrades.

• Do not overload the wiring in your server cabinet or on your server room rack.

• During thunderstorms, or anticipated thunderstorms, avoid performing any hardware repairs or upgrades until the danger of lightning has passed.

• When you dispose of an old appliance or any components, follow any local and national laws on disposal of electronic waste.

• To prevent possible explosions, replace expired batteries with the same model or a manufacturer-recommended substitute and follow the manufacturer’s instructions for battery replacement.

• Never remove a power supply cover or any sealed part that has the following label:

Appliance Precautions

• Determine the placement of each component in the rack before you install the rail.

• Install the heaviest appliance first, at the bottom of the rack, and then work upward. Distribute the load on the rack evenly. An unbalanced rack is hazardous.

• Allow the power supply units and hard drives to cool before touching them.

• Install the equipment near an electrical outlet for easy access.

• Mount equipment in a rack with sufficient airflow for safe operation.

• For a closed or multiple-unit rack assembly, the ambient operating temperature of the rack environment might be greater than the ambient temperature of the room. Therefore, consider the lowest and highest operating temperatures of the equipment when making a decision about where to install the appliance in the rack.


Rack Precautions

• Make sure that the leveling jacks on the bottom of the rack are fully extended to the floor, with the full weight of the rack resting on them.

• For a single-rack installation, attach a stabilizer to the rack.

• For a multiple-rack installation, couple (attach) the racks together.

• Always make sure that the rack is stable before extending a component from the rack.

• Extend only one component at a time. Extending two or more simultaneously might cause the rack to become unstable.

• The handles on the left and right of the front panel of the appliance should be used only for extending the appliance out of the rack. Do not use these handles for mounting the appliance on the rack. Use the rack-rail hardware, described later, instead.


Installing the Hardware

After you have determined that the location where you will install your appliance meets the environmental standards and the server rack is in place according to the instructions, you are ready to install the hardware. After you mount the appliance, you are ready to connect it to the network, to a power source, and to the console terminal that you will use for initial configuration. To complete the installation, you turn on the appliance. Be sure to observe the cautions and warnings listed with the installation instructions.


Rack Mounting the Appliance

A CloudBridge 2000 or CloudBridge 3000 appliance requires one rack unit. Both are rack-mount devices that can be installed into two-post relay racks or four-post EIA-310 server racks. Verify that the rack is compatible with your appliance.

To mount a CloudBridge appliance, you must first install the rails and then install the appliance in the rack, as follows:

• Remove the inner rails from the rail assembly.

• Attach the inner rails to the appliance.

• Install the rack rails on the rack.

• Install the appliance in the rack.

To remove the inner rails from the rail assembly

1. Place the rail assembly on a flat surface.

2. Slide out the inner rail toward the front of the assembly.

3. Depress the locking tabs until the inner rail comes all the way out of the rail assembly.

4. Repeat steps 1 through 3 to remove the second inner rail.

To attach the inner rails to the appliance

1. Position the right inner rail behind the ear bracket on the right side of the appliance.

2. Align the holes on the rail with the corresponding holes on the side of the appliance.

3. Attach the rail to the appliance with the provided screws.

4. Repeat steps 1 through 3 to install the left inner rail on the left side of the appliance.

To install the rack rails

1. Position the rack rails at the desired location in the rack, keeping the sliding rail guide facing inward.

2. Snap the rails to the rack.

Note: Make sure that both rack rails are at the same height and that the rail guides are facing inward.

To install the appliance in the rack

1. Align the inner rails, attached to the appliance, with the rack rails.


2. Slide the appliance into the rack rails, keeping the pressure even on both sides, and push the appliance into the rack rails until it locks into place.

3. Verify that the appliance is locked in place by pulling it all the way out from the rack.

Figure 1. Rack Mounting the Appliance


Connecting the Cables

When the appliance is securely mounted on the rack, determine which ports you should use. You are then ready to connect the cables. Ethernet cables and the optional console cable are connected first. Connect the power cable last.

Danger: Remove all jewelry and other metal objects that might come in contact with power sources or wires before installing or repairing the appliance. When you touch both a live power source or wire and ground, any metal objects can heat up rapidly, and may cause burns, set clothing on fire, or fuse the metal object to an exposed terminal.

Ports

A typical installation using a single accelerated bridge uses three Ethernet ports (the Primary port and apA) and five IP addresses (three on the Primary port's subnet and two on apA's subnet).

The appliance has two motherboard ports and two (CloudBridge 2000) or three (CloudBridge 3000) accelerated bridges. Motherboard port 0/1 is used for initial configuration.

The motherboard ports are labeled "0/1" and "0/2." They are equivalent to the Primary and Aux1 ports, respectively.

Accelerated bridge ports 1/1 and 1/2 are equivalent to the accelerated pair A (apA) bridge ports. Accelerated bridge ports 1/3 and 1/4 are equivalent to the apB ports. Accelerated bridge ports 1/5 and 1/6, if present, are equivalent to apC.

Connecting the Ethernet Cables

Ethernet cables connect your appliance to the network. The type of cable you need depends on the type of port used to connect to the network. Use a category 5e or category 6 Ethernet cable with a standard RJ-45 connector on a 10/100/1000BASE-T port.


To connect an Ethernet cable to a 10/100/1000BASE-T port

1. Insert the RJ-45 connector on one end of your Ethernet cable into an appropriate port on the front panel of the appliance, as shown in the following figure.

Note: The illustration in the following figure might not represent your actual CloudBridge appliance.

Figure 1. Inserting an Ethernet cable

2. Insert the RJ-45 connector on the other end into the target device, such as a router or switch.

3. Verify that the LED glows amber when the connection is established.

Connecting the Console Cable

You can use the console cable to connect your appliance to a computer or terminal, from which you can configure the appliance. Before connecting the console cable, configure the computer or terminal to support VT100 terminal emulation, 9600 baud, 8 data bits, 1 stop bit, parity, and flow control set to NONE. Then connect one end of the console cable to the RS232 serial port on the appliance and the other end to the computer or terminal.

To connect the console cable to a computer or terminal

1. Insert the DB-9 connector at the end of the cable into the console port, which is located on the front panel of the appliance as shown in the following figure.

Note: The illustration in the following figure might not represent your actual CloudBridge appliance.

Figure 2. Inserting a console cable

Note: To use a cable with an RJ-45 converter, insert the optional converter provided into the console port and attach the cable to it.

2. Insert the RJ-45 connector at the other end of the cable into the serial port of the computer or terminal.


Connecting the Power Cable

A CloudBridge appliance has one power supply, unless you have installed a second. A separate ground cable is not required, because the three-prong plug provides grounding. Provide power to the appliance by installing the power cord.

To connect the appliance to the power source

1. Connect one end of the power cable to the power outlet on the back panel of the appliance, next to the power supply, as shown in the following figure.

Note: The illustration in the following figure might not represent the actual CloudBridge appliance.

Figure 3. Inserting a power cable

2. Connect the other end of the power cable to a standard 110V/220V power outlet.


Switching on the Appliance

After you have installed the appliance in a rack and connected the cables, verify that the power cable is properly connected. If you have installed a second power supply, make sure the second cable is connected to an outlet for a different circuit than the first. After verifying the connections, you are ready to switch on the appliance.

To switch on the appliance

1. Verify that the appliance is connected through a console or Ethernet port. This will ensure that you can configure the appliance after it is switched on.

2. Press the ON/OFF toggle power switch on the back panel of the appliance.

Caution: Be aware of the location of the emergency power off (EPO) switch, so that if an electrical accident occurs you can quickly remove power from the appliance.


Assigning IP Addresses

Before proceeding with configuration of the appliance, decide upon the IP addresses that you will use.

IP Networks and Addresses

The presence of the XenServer hypervisor and separate virtual machines for management and acceleration require more IP addresses than for older appliances. Also, a separate management network (typically using port 0/1 as the Primary port) is now required.

Plan for three IP addresses on the management network and two for each accelerated bridge, with the bridge addresses residing on the same subnets as the bridges themselves.

The appliances use the management network for administrative access and, optionally, to communicate with local partner appliances in high-availability or group mode. Remote appliances are never contacted over the management network. Remote traffic uses the accelerated bridges.

High availability and group mode each require an additional IP address. If these modes are used, the additional addresses should be assigned to the management network, that is, to port 0/1 (the Primary port) or to port 0/2 (the Aux1 port).

Management Network

The management network can use ports 0/1, 0/2, or both. The default is to use port 0/1, which is recommended for most installations. This network requires three IP addresses: one for the management VM, one for the XenServer hypervisor, and one for the accelerator VM. The management network defaults are:

Management subnet: 192.168.100.0/16
Management VM: 192.168.100.1
XenServer: 192.168.100.2
Accelerator: 192.168.100.20

Accelerated Bridge Addresses

In addition to these addresses on the management network, any accelerated bridge (apA, apB, and apC) that is actively used for acceleration requires a management IP, and may require a signaling IP. These addresses are on the same subnet as the associated bridge.
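The addressing rules in this section (three management-network addresses, a management IP and optional signaling IP per accelerated bridge on that bridge's subnet, and any high-availability or group-mode addresses on the management network) can be checked before the appliance is cabled. The following Python sketch is an added example, not Citrix code: the plan layout, the function names and the 10.20.30.0/24 bridge subnet are assumptions, and the overlap check is one reading of the requirement for a separate management network.

```python
import ipaddress

# Management-network factory defaults as listed on this page.
DEFAULT_MGMT = {
    "subnet": "192.168.100.0/16",
    "management_vm": "192.168.100.1",
    "xenserver": "192.168.100.2",
    "accelerator": "192.168.100.20",
}
MGMT_ROLES = ("management_vm", "xenserver", "accelerator")

# Constructed sample plans (not from the page).
GOOD_BRIDGES = {"apA": {"subnet": "10.20.30.0/24",
                        "management_ip": "10.20.30.10",
                        "signaling_ip": "10.20.30.11"}}
BAD_MGMT = dict(DEFAULT_MGMT, accelerator="10.20.30.10")
BAD_BRIDGES = {"apA": {"subnet": "10.20.30.0/24",
                       "management_ip": "10.20.30.10",
                       "signaling_ip": "10.20.31.11"}}


def management_network(mgmt):
    """Parse the management subnet.

    strict=False is needed because the documented default
    "192.168.100.0/16" has host bits set; the network it denotes
    is 192.168.0.0/16, which covers every 192.168.x.x address.
    """
    return ipaddress.ip_network(mgmt["subnet"], strict=False)


def _check_host(label, addr, net, seen, problems):
    """Check that one address parses, lies inside net, is usable and is unique."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        problems.append(f"{label}: '{addr}' is not a valid IP address")
        return
    if ip not in net:
        problems.append(f"{label}: {ip} is outside {net}")
    elif ip in (net.network_address, net.broadcast_address):
        problems.append(f"{label}: {ip} is the network or broadcast address of {net}")
    if ip in seen:
        problems.append(f"{label}: {ip} is already assigned to {seen[ip]}")
    else:
        seen[ip] = label


def validate_plan(mgmt, bridges, ha_group_ips=()):
    """Return a list of problems in an address plan; an empty list means it is consistent."""
    problems, seen = [], {}
    mgmt_net = management_network(mgmt)

    # Three addresses on the management network: management VM, XenServer, accelerator.
    for role in MGMT_ROLES:
        if role not in mgmt:
            problems.append(f"management network: no address planned for {role}")
        else:
            _check_host(role, mgmt[role], mgmt_net, seen, problems)

    # High availability and group mode each add one management-network address.
    for i, addr in enumerate(ha_group_ips, 1):
        _check_host(f"HA/group address {i}", addr, mgmt_net, seen, problems)

    # Each active bridge: a management IP, optionally a signaling IP, on the bridge subnet.
    for name, bridge in bridges.items():
        net = ipaddress.ip_network(bridge["subnet"], strict=False)
        if net.overlaps(mgmt_net):  # assumption: "separate" means non-overlapping
            problems.append(f"{name}: bridge subnet {net} overlaps management subnet {mgmt_net}")
        if not bridge.get("management_ip"):
            problems.append(f"{name}: no management IP planned")
        else:
            _check_host(f"{name} management IP", bridge["management_ip"], net, seen, problems)
        if bridge.get("signaling_ip"):
            _check_host(f"{name} signaling IP", bridge["signaling_ip"], net, seen, problems)
    return problems


if __name__ == "__main__":
    for title, plan in (("good plan", (DEFAULT_MGMT, GOOD_BRIDGES)),
                        ("bad plan", (BAD_MGMT, BAD_BRIDGES))):
        found = validate_plan(*plan)
        print(title, "->", found if found else "consistent")
```

Because the default management subnet is a /16, a bridge placed on any 192.168.x.x subnet is reported as overlapping until the management netmask is narrowed.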


Configuring the CloudBridge Appliance

The configuration process for the CloudBridge 2000 and CloudBridge 3000 appliances is not the same as for Repeater 8500 or Repeater 8800 appliances. For example, the high-end CloudBridge 2000 and 3000 appliances, and CloudBridge 4000 and 5000 appliances, use virtual machines for acceleration and management, running under a XenServer hypervisor.


To configure the CloudBridge appliance

1. Plug an Ethernet cable into the Primary port (0/1), and connect it to a laptop or other device with a Chrome or Firefox browser. Subsequent instructions refer to this device as “the laptop.”

2. Set the IP address for the laptop’s Ethernet port to 192.168.100.5, with a subnet mask of 255.255.0.0. Leave the gateway and DNS server fields blank.

3. Log on to the management VM at http://192.168.100.1, using the default login and password of nsroot and nsroot. When the Welcome screen appears, click Get Started to display the Platform Configuration page.

4. The Network Configuration block refers to the management network. Do not change its default setting of Port 0/1 (the Primary port). The network parameters for the appliance’s XenServer hypervisor and Management service can be changed here, if desired, as can the netmask, gateway, and DNS server. If you plan to continue managing the appliance on a stub network consisting only of itself and the laptop, leave all these values at their default settings. Otherwise, change them as appropriate for your management subnet.

5. In the CloudBridge Configuration block, define the IP address for the accelerator’s Primary port. Use an address on the same subnet as the Network Configuration block.

6. The Admin Password block requires that you type a new password twice. This password will be used for access to the management service (login: nsroot) and the accelerator (login: admin).

Caution: Do not forget this password. Resetting the appliance to factory defaults without the password is not supported in this release.

7. In the Systems Settings block, you can select the check box to allow only secure (HTTPS) access to the appliance, and you can select your time zone from the drop-down list. (There is no provision for setting the time or specifying an NTP server.)

8. Press the Done button to move on to the main System menu.

9. The graphical user interface (GUI) has two major divisions: Repeater and System. The Repeater pages are roughly equivalent to the Repeater release 6.2 GUI. The System pages contain other features. Select Repeater from the pull-down menu if it is not already selected.

10. The first time you access the Repeater GUI, the Quick Installation page is the default. Fill in the fields on this page. For some installations, this is all the configuration that is required.


11. If you are not using an inline deployment, see Non-Inline Links. Note that the menu structure is different than in the 6.2 documentation, but the Links page is the same.


12. Click the Alerts link at the top of any page to see if your license has been installed. If there is an alert reporting No valid license available, acquire a local license from Citrix and install it by clicking the Add New License button on the Local Licenses tab and uploading the license. (See below for navigation.)

13. On the Network Adapters page, verify and, if necessary, assign IP addresses, subnet masks, and gateways to the accelerated bridges (apA, apB, and, if present, apC) that you will be using. Applying these changes will restart the appliance.

14. Connect one of the accelerated bridges, such as apA, to your network. Inline installations place the appliance between your LAN and your WAN router, using both ports of the accelerated bridge, such as ports 1/1 and 1/2 for apA. WCCP and virtual inline installations connect a single accelerated bridge port to your WAN router.

15. Virtual inline installations require that you configure your router to forward WAN traffic to the appliance. See Router Configuration.

16. WCCP installations require configuration on your router and on the appliance. See WCCP Mode.

17. Traffic will now be flowing through the appliance. The Dashboard page will show this traffic.


18. Verify, and, if necessary, set the date/time or NTP server on the Date/Time Settings page. The NTP server should be reachable by one of the interfaces you have defined.

19. Basic installation is complete. For optional features, see Additional Configuration.


Managing the Appliance

The graphical user interface (GUI) is divided into two parts: System and Repeater. Under normal operation, ignore the System pages. They are used rarely, most commonly to change the management port parameters or to update the management virtual machine.

Managing the Accelerator

The Repeater pages are quite similar to the GUI of other Repeater appliances, and management can proceed as if the appliance were one of these appliances. However, the menu structure has been rearranged. The pages are now divided into three groups:

1. Dashboard.

2. Monitoring, consisting of the Monitoring and Reports pages.

3. Configuration, consisting of the Configuration and System Maintenance pages.

Within each category, the pages are no longer alphabetized.

Managing the Management Service

You can update the parameters of the management port.

To update the management port parameters

On the System page, select Network Configuration and fill out the pop-up form.

To update the management virtual machine

1. Updating the management virtual machine requires that you first upload a new management virtual machine image, then install it, and then reboot the management service.

2. Once the image is uploaded, you can install it from the System menu.

3. Finally, reboot the management service from the System menu.


CloudBridge 4000 and 5000 Appliances

Citrix CloudBridge 4000/5000 is a high-performance WAN accelerator for busy datacenters that combines multiple virtual instances of the CloudBridge appliance with a single virtual instance of the NetScaler load-balancer, providing the performance of multiple CloudBridge appliances in a single package. Combining the virtual CloudBridges with a NetScaler allows great flexibility in deployment. Through the use of the on-board NetScaler, the virtual CloudBridges can be dedicated individually to specific WAN traffic or used in a load-balanced configuration.


Overview

CloudBridge 4000/5000 WAN accelerators are the high end of the Citrix CloudBridge product line. They are designed to accelerate sites with WAN links with speeds in excess of 155 Mbps, especially busy datacenters that communicate with a large number of branch and regional sites.

Figure 1. Typical Use Case

A CloudBridge 4000/5000 appliance hosts an array of virtual CloudBridge appliances that are controlled by a virtual NetScaler load balancer. A single CloudBridge 4000/5000 appliance can support WAN speeds of up to 2 Gbps and up to 5000 XenApp/XenDesktop users.

For datacenters needing even more performance, a NetScaler MPX appliance can load balance a group of CloudBridge 4000/5000 appliances.


Figure 2. Load balancing multiple CloudBridge 4000/5000 appliances

CloudBridge 4000/5000 is recommended at the hub of a hub-and-spoke deployment, where smaller appliances are used at the spokes, whenever the link speed or the number of XenApp/XenDesktop users is higher than can be supported by a smaller appliance. If your link requires CloudBridge 4000/5000 appliances at both ends, contact Citrix. Such a deployment is outside the scope of this document.


brsdx-admin-int-archi-con

Due to technical difficulties, we are unable to display this topic. Citrix is currently fixing this problem. In the meantime, you can view this topic online:

http://support.citrix.com/proddocs/index.jsp?lang=en&topic=/brsdx-70-map/brsdx-admin-int-archi-con.html


Configuration and Control

No WAN traffic enters or leaves the accelerators except as configured in the NetScaler instance. When first used, the Provisioning Wizard sets up an initial configuration that provides communication and load balancing between the NetScaler instance and the accelerators.

The Service VM (SVM) is the management and configuration interface for the appliance, and provides access to key operating and monitoring elements of the appliance. When managing the appliance through the Service VM's management IP address, you see the accelerator, which displays CloudBridge parameters as if they were from a single instance, and all changes made through this interface are applied to all instances.

The service VM also includes the traffic shaper, which provides monitoring and traffic shaping (quality of service or QoS) for all WAN traffic.

The Xen hypervisor hosts all the virtual machines. The hypervisor is not user-configurable and should not be accessed except at the request of Citrix.

Internal and External Networks

The external network interfaces are divided into two categories: traffic interfaces and management interfaces.

Traffic Interfaces—The traffic interfaces include all but two of the 10 Gbps interfaces. Ports 10/3 and 10/4 are connected together with an external patch cable and are not available for other uses. The remaining 10 Gbps interfaces can be used for accelerated traffic. One-arm modes use a single port (such as 10/1). Inline mode uses one or more pairs of ports, such as 10/1 and 10/2 or 10/5 and 10/6.

Note: You must keep the traffic interfaces isolated from the management interface to prevent ARP flapping and other problems. This isolation can be achieved physically or by tagging management interface and traffic interface packets with different VLANs.

Accelerated traffic never passes over the management subnet. The traffic and management networks are independent of one another.

Management subnet—The virtual machines all connect directly to the external management subnet, with one IP address per virtual machine, or from 5 to 11 in all. These addresses are all externally visible, to allow management.

Note: You must keep the traffic interfaces isolated from the management interface to prevent ARP flapping and other problems. This isolation can be achieved physically or by tagging management interface and traffic interface packets with different VLANs.

Private Internal traffic subnet—The accelerators' accelerated ports are connected to the NetScaler instance internally in a one-arm mode, using an internal traffic subnet. There is no direct connection between the instances' accelerated ports and the appliance’s external ports. All accelerated traffic to the accelerators is controlled by the NetScaler instance. Thus, no accelerated traffic reaches the accelerators until the NetScaler is configured.


Since this internal subnet is not accessible from outside the appliance, it is not a routable subnet. Only the NetScaler instance needs to reach it. Therefore, you should use a fictitious subnet such as 1.1.1.1/24 as the traffic subnet. Only the following two features of the accelerators require IP addresses that can be reached from the outside world:

• The signaling IP address, used for secure peering and the accelerator CloudBridge Plug-in.

• IP addresses of two of the accelerators, used for communication with the router when the WCCP protocol is used.

In both cases, the number of externally visible IP addresses is independent of the number of accelerators the appliance has. The NetScaler instance uses NAT to translate the signaling or WCCP address on the internal traffic subnet to an externally valid IP address, and vice versa.

The internal traffic subnet requires two IP addresses per accelerator, plus an address for the NetScaler, plus one or two WCCP VIP addresses if WCCP is used. Since the internal network is private, it has an abundance of address space for these tasks.

Data Flow on the Private Traffic Subnet—The one-arm connection between the NetScaler instance and the accelerators uses the CloudBridge virtual inline mode, in which the NetScaler routes packets to the accelerators and the accelerators route them back to the NetScaler instance. Traffic flow over this internal traffic subnet is identical regardless of whether the mode visible to the outside world (on the external interfaces) is inline, virtual inline, or WCCP.

This traffic requires the CloudBridge "Return to Ethernet Sender" option, and the NetScaler MAC Address Forwarding and Use Subnet IP options.

Deployment Mode Summary

The differences between virtual inline, WCCP, and inline mode can be summarized as follows:

• WCCP mode uses a one-arm configuration. The accelerators establish one or more WCCP control channels to communicate with the router. In WCCP mode, one or two accelerators manage the WCCP control channel, while WCCP data is load-balanced across all the instances. When GRE encapsulation is used, the NetScaler instance performs GRE encapsulation/decapsulation on the data stream between itself and the router, allowing the data between the NetScaler and the accelerators to be handled identically in both GRE and non-GRE (L2) modes.

• Inline mode is much the same as WCCP mode, except that the appliance emulates a bridge externally and no WCCP control channel is established. A packet that enters the appliance on one bridge port exits through the other bridge port.

• In virtual inline mode (not recommended), the appliance is deployed in a one-armconfiguration, matching the deployment of the accelerators on the internal trafficsubnet. Traffic is sent to the appliance from the router, using policy-based routing

Configuration and Control

160

Page 161: CloudBridge 7.0 - Citrix Product Documentation

(PBR) rules. The appliance processes it and returns it to the router.

Configuration and Control

161


brsdx-admin-ext-archi-con

Due to technical difficulties, we are unable to display this topic. Citrix is currently fixing this problem. In the meantime, you can view this topic online:

http://support.citrix.com/proddocs/index.jsp?lang=en&topic=/brsdx-70-map/brsdx-admin-ext-archi-con.html


Deployment Topology

The following figure displays the deployment topology of a CloudBridge 4000/5000 appliance with a single router.

Figure 1. Basic cabling for a CloudBridge 4000/5000 appliance

You can deploy a CloudBridge 4000/5000 appliance in any of the following physical modes:

• One-Arm Mode (WCCP)

• Two-arm Mode (Inline)


One-Arm Mode (WCCP)

In a one-arm mode, the appliance is connected by a single cable to a dedicated port on the WAN router or a WCCP-enabled switch. The router uses the WCCP protocol to communicate with the appliance. If the appliance is not available, the WCCP negotiation fails and the router does not send traffic to the appliance. If the appliance comes back online, the WCCP negotiation succeeds and traffic is diverted to the appliance.

The following figure displays the deployment topology of a CloudBridge 4000/5000 appliance in one-arm mode.

Figure 1. A CloudBridge 4000/5000 appliance deployed in the one-arm mode


Two-Arm Mode (Inline)

In the CloudBridge 4000/5000 two-arm deployment, the appliance is configured in an L2 inline configuration, between the WAN router and the LAN.

The following figure displays the deployment topology of a CloudBridge 4000/5000 appliance in inline mode.

Figure 1. A CloudBridge 4000/5000 appliance deployed in inline mode

brsdx-admin-ha-deployment-con

Due to technical difficulties, we are unable to display this topic. Citrix is currently fixing this problem. In the meantime, you can view this topic online:

http://support.citrix.com/proddocs/index.jsp?lang=en&topic=/brsdx-70-map/brsdx-admin-ha-deployment-con.html


Hardware Platforms

Citrix CloudBridge 4000 and 5000 is a high-performance WAN accelerator for busy datacenters that combines multiple virtual instances of the CloudBridge appliance with a single virtual instance of the NetScaler load-balancer, providing the performance of multiple CloudBridge appliances in a single package.


Introduction to the Hardware Platforms

Citrix CloudBridge 4000/5000 appliances are the highest-performing products in the Citrix CloudBridge product line. The appliances achieve this performance by combining a NetScaler VPX load balancer with three to eight accelerators, all in a single high-performance server that meets the needs of busy datacenters.


Hardware Components

Each platform has front panel and back panel hardware components. The front panel has an LCD display and an RS232 serial console port. The number, type, and location of ports—copper Ethernet, copper and fiber 1G SFP and 10G SFP+—vary by hardware platform. The back panel provides access to the fan and the field replaceable units (power supplies, and solid-state and hard-disk drives).


Ports

Note: Some CloudBridge appliances do not require SFP transceivers.

Ports are used to connect the appliance to external devices. Citrix CloudBridge 4000/5000 appliances support RS232 serial ports, 10/100/1000Base-T copper Ethernet ports, fiber 1G SFP ports and 10-gigabit fiber SFP+ ports. All Citrix CloudBridge 4000/5000 appliances have a combination of some or all of these ports. For details on the type and number of ports available on your appliance, see the section describing that platform.

RS232 Serial Port

The RS232 serial console port provides a connection between the appliance and a computer, allowing direct access to the appliance for initial configuration or troubleshooting.

Copper Ethernet Ports

The copper Ethernet ports installed on the appliances are standard RJ45 ports.

10/100/1000BASE-T port

The 10/100/1000BASE-T port has a maximum transmission speed of 1 gigabit per second, ten times faster than the other type of copper Ethernet port.

To connect any of these ports to your network, you plug one end of a standard Ethernet cable into the port and plug the other end into the appropriate network connector.

Management Ports

Management ports are standard copper Ethernet ports (RJ45), which are used for direct access to the appliance for system administration functions.

1G SFP and 10G SFP+ Ports

A 1G SFP port can operate at a speed of 1 Gbps. It accepts either a copper 1G SFP transceiver, for operation as a copper Ethernet port, or a fiber 1G SFP transceiver for operation as a fiber optic port.

The 10G SFP+ ports are high-speed ports that can operate at speeds of up to 10 Gbps. You need a fiber optic cable to connect to a 10G SFP+ port.

LED Port-Status Indicators

The port LEDs show whether the link is established and traffic is flowing through the port. For information about the LED indicators for each card type, see Networking Bypass Adapters.

Field Replaceable Units

Citrix CloudBridge 4000/5000 field replaceable units (FRU) are components that can be quickly and easily removed from the appliance and replaced by the user or a technician at the user's site. The FRUs in a Citrix CloudBridge 4000/5000 appliance can include DC or AC power supplies, and solid-state and hard-disk drives.

Note: By default the appliance ships with AC power supplies. DC power supply is orderable.


Power Supply

Citrix CloudBridge 4000/5000 appliances are configured with dual power supplies but can operate with only one power supply. The second power supply serves as a backup.

For power-supply specifications, see "Hardware Platforms," which describes the various platforms and includes a table summarizing the hardware specifications.

Table 1. LED Power Supply Indicators

| Power Supply Type | LED Color | LED Indicates |
|---|---|---|
| AC | OFF | No power to any power supply. |
| AC | Flashing RED | No power to this power supply. |
| AC | Flashing GREEN | Power supply is in standby mode. |
| AC | GREEN | Power supply is functional. |
| AC | RED | Power supply failure. |
| DC | OFF | No power to any power supply. |
| DC | Flashing RED | No power to this power supply. |
| DC | Flashing BLUE | Power supply is in standby mode. |
| DC | BLUE | Power supply is functional. |
| DC | RED | Power supply failure. |

Electrical Safety Precautions for Power Supply Replacement

• Make sure that the appliance has a direct physical connection to earth ground during normal use. When installing or repairing an appliance, always connect the ground circuit first and disconnect it last.

• Always unplug any appliance before performing repairs or upgrades.

• Never touch a power supply when the power cord is plugged in. As long as the power cord is plugged in, line voltages are present in the power supply even if the power switch is turned off.

Replacing an AC Power Supply

Replace an AC power supply with another AC power supply. All power supplies must be of the same type (AC or DC).

Note: You can replace one power supply without shutting down the appliance, provided the other power supply is working.

To install or replace an AC power supply on a Citrix CloudBridge 4000/5000 appliance

1. Align the semicircular handle perpendicular to the power supply. Loosen the thumbscrew and press the lever toward the handle and pull out the existing power supply, as shown in the following figure.

Figure 1. Removing the Existing AC Power Supply

2. Carefully remove the new power supply from its box.

3. On the back of the appliance, align the power supply with the power supply slot.

4. Insert the power supply into the slot and press against the semicircular handle until you hear the power supply snap into place.

Figure 2. Inserting the Replacement AC Power Supply

5. Connect the power supply to a power source. If connecting all power supplies, plug separate power cords into the power supplies and connect them to separate wall sockets.

Note: CloudBridge 4000/5000 appliances emit a high-pitched alert if one power supply fails or if you connect only one power cable to an appliance in which two power supplies are installed. To silence the alarm, press the small red button on the back panel of the appliance. The disable alarm button is functional only when the appliance has two power supplies.

Replacing a DC Power Supply

Replace a DC power supply with another DC power supply. All power supplies must be of the same type (AC or DC).

Note: You can replace one power supply without shutting down the appliance, provided the other power supply is working.

To install or replace a DC power supply on a Citrix CloudBridge 4000/5000 appliance

1. Loosen the thumbscrew and press the lever towards the handle and pull out the existing power supply, as shown in the following figure.

Figure 3. Removing the Existing DC Power Supply

2. Carefully remove the new power supply from its box.

3. On the back of the appliance, align the power supply with the power supply slot.

4. Insert the power supply into the slot while pressing the lever towards the handle. Apply firm pressure to insert the power supply firmly into the slot.

Figure 4. Inserting the Replacement DC Power Supply

5. When the power supply is completely inserted into its slot, release the lever.

6. Connect the power supply to a power source. If connecting all power supplies, plug separate power cords into the power supplies and connect them to separate wall sockets.

Note: CloudBridge 4000/5000 appliances emit a high-pitched alert if one power supply fails or if you connect only one power cable to an appliance in which two power supplies are installed. To silence the alarm, press the small red button on the back panel of the appliance. The disable alarm button is functional only when the appliance has two power supplies.

Solid-State Drive

A solid-state drive (SSD) is a high-performance device that stores data in solid-state flash memory.

Replacing a Solid-State Drive

The CloudBridge 4000/5000 software is stored on the solid-state drive (SSD).

To replace a solid-state drive

1. Locate the SSD on the back panel of the appliance. Push the safety latch of the drive cover to the right or down, depending on the platform, while pulling out on the drive handle to disengage. Pull out the faulty drive.

Figure 1. Removing the Existing Solid-State Drive

2. Verify that the replacement SSD is the correct type for the platform.

3. Pick up the new SSD, open the drive handle fully to the left or up, and insert the drive into the slot as far as possible. To seat the drive, close the handle flush with the rear of the appliance so that the drive locks securely into the slot.

Important: When you insert the drive, make sure that the Citrix product label is at the top if the drive is inserted horizontally or at the right if the drive is inserted vertically.

Figure 2. Inserting the Replacement Solid-State Drive

4. Turn on the appliance.

5. Log on to the default IP address by using a web browser, or connect to the serial console by using a console cable, to perform the initial configuration.

Hard Disk Drive

The NetScaler and CloudBridge virtual machines are hosted on the hard-disk drive.

Replacing a Hard Disk Drive

Verify that the replacement hard disk drive is the correct type for the CloudBridge 4000/5000 platform.

To install a hard disk drive

1. Shut down the appliance.

2. Locate the hard disk drive on the back panel of the appliance.

3. Disengage the hard disk drive by pushing the safety latch of the drive cover to the right or down, depending on the platform, while pulling out on the drive handle to disengage. Pull out the faulty drive.

Figure 1. Removing the Existing Hard Disk Drive

4. Pick up the new disk drive, open the drive handle fully to the left, and insert the new drive into the slot as far as possible. To seat the drive, close the handle flush with the rear of the appliance so that the hard drive locks securely into the slot.

Important: When you insert the drive, make sure that the Citrix product label is at the top.

Figure 2. Inserting the Replacement Hard Disk Drive

5. Turn on the appliance.


Hardware Platforms

The CloudBridge 4000/5000 hardware platforms offer a wide range of features, communication ports, and processing capacities. All platforms have multicore processors.


Citrix CloudBridge 4000

Citrix CloudBridge 4000 are 2U appliances. Each model has two 6-core processors for a total of 12 physical cores (24 cores with hyper-threading), and 48 gigabytes (GB) of memory. The Citrix CloudBridge 4000 have a bandwidth of 310 Mbps, 500 Mbps, and 1 Gbps, respectively.

The following figures show the front panel of the Citrix CloudBridge 4000 appliance.

Figure 1. Citrix CloudBridge 4000, front panel (without FTW cards)

Figure 2. Citrix CloudBridge 4000, front panel (with FTW cards)

The Citrix CloudBridge 4000 appliances have the following ports:

• 10/100Base-T copper Ethernet Port (RJ45), also called LOM port. You can use this port to remotely monitor and manage the appliance independently of the appliance's software.

Note: The LEDs on the LOM port are not operational by design.

• RS232 serial console port.

• Two 10/100/1000Base-T copper Ethernet management ports (RJ45). These ports are used to connect directly to the appliance for system administration functions.

• Network Ports

• CloudBridge 4000 (without FTW cards). Eight 1G SFP ports and four 10G SFP+ ports.

• CloudBridge 4000 (with FTW cards). Eight 1G copper Ethernet ports and four 10G ports.

The following figure shows the back panel of the Citrix CloudBridge 4000 appliance.

Figure 3. Citrix CloudBridge 4000, back panel

The following components are visible on the back panel of the Citrix CloudBridge 4000 appliance:

• Four 600 GB removable solid-state drives, which store the appliance's compression history. The 256 GB solid-state drive below the hard disk drive stores the appliance's software.

• USB port (reserved for a future release).

• A 1 TB removable hard disk drive.

• Power switch, which turns off power to the appliance, just as if you were to unplug the power supply. Press the switch for five seconds to turn off the power.

• Disable alarm button. This button is functional only when the appliance has two power supplies.

Press this button to stop the power alarm from sounding when you have plugged the appliance into only one power outlet or when one power supply is malfunctioning and you want to continue operating the appliance until it is repaired.

• Dual power supplies (either AC or DC), each rated at 850 watts, 100-240 volts.

Citrix CloudBridge 5000

Citrix CloudBridge 5000 are 2U appliances. Each model has two 6-core processors for a total of 12 physical cores (24 cores with hyper-threading), and 96 gigabytes (GB) of memory. The Citrix CloudBridge 5000 have a bandwidth of 1.5 Gbps and 2 Gbps respectively.

The following figure shows the front panel of the Citrix CloudBridge 5000 appliance.

Figure 1. Citrix CloudBridge 5000, front panel

The Citrix CloudBridge 5000 appliance has the following ports:

• 10/100Base-T copper Ethernet Port (RJ45), also called LOM port. You can use this port to remotely monitor and manage the appliance independently of the appliance's software.

Note: The LEDs on the LOM port are not operational by design.

• RS232 serial console port.

• Two 10/100/1000Base-T copper Ethernet management ports (RJ45). These ports are used to connect directly to the appliance for system administration functions.

• Eight 10G ports.

The following figure shows the back panel of the Citrix CloudBridge 5000 appliance.

Figure 2. Citrix CloudBridge 5000, back panel

The following components are visible on the back panel of the Citrix CloudBridge 5000 appliance:

• Six 600 GB removable solid-state drives, which store the appliance's compression history. The 256 GB solid-state drive next to the power supplies stores the appliance's software.

• USB port (reserved for a future release).

• Power switch, which turns off power to the appliance, just as if you were to unplug the power supply. Press the switch for five seconds to turn off the power.

• A 1 TB removable hard disk drive.

• Disable alarm button. This button is functional only when the appliance has two power supplies.

Press this button to stop the power alarm from sounding when you have plugged the appliance into only one power outlet or when one power supply is malfunctioning and you want to continue operating the appliance until it is repaired.

• Dual power supplies (either AC or DC), each rated at 650 watts, 100-240 volts.

Summary of Hardware Specifications

The following tables summarize the specifications of the Citrix CloudBridge 4000/5000 hardware platforms.

Table 1. Citrix CloudBridge 4000/5000 Appliances

| | Citrix CloudBridge 4000/5000 | | | | |
|---|---|---|---|---|---|
| Platform Performance | | | | | |
| Bandwidth | 310 Mbps | 500 Mbps | 1.0 Gbps | 1.5 Gbps | 2.0 Gbps |
| Maximum HDX sessions | 750 | 1,200 | 2,500 | 3,500 | 5,000 |
| Total sessions | 40,000 | 60,000 | 120,000 | 20,000 | 160,000 |
| Acceleration Plug-in CCUs | 1,100 | 1,800 | 3,000 | 3,600 | 4,800 |
| Hardware Specifications | | | | | |
| Processor | Dual Intel E5645 | Dual Intel E5645 | Dual Intel E5645 | Dual Intel X5680 | Dual Intel X5680 |
| Total disk space | 3.2 TB | 3.2 TB | 3.2 TB | 4.2 TB | 4.2 TB |
| SSD (dedicated compression history) | 2 TB | 2 TB | 2 TB | 3 TB | 3 TB |
| HDD | 1 TB | 1 TB | 1 TB | 1 TB | 1 TB |
| RAM | 48 GB | 48 GB | 48 GB | 96 GB | 96 GB |
| Network interfaces | 4 x 10GigE SX and 8 x 1GigE TX Bypass | 4 x 10GigE SX and 8 x 1GigE TX Bypass* | 4 x 10GigE SX and 8 x 1GigE TX Bypass* | 8 x 10GigE SR Bypass | 8 x 10GigE SR Bypass |
| Transceiver support | N/A | N/A | N/A | N/A | N/A |
| Power supplies | 2 | 2 | 2 | 2 | 2 |
| Physical Dimensions | | | | | |
| Rack units | 2 | 2 | 2 | 2 | 2 |
| System width | EIA 310-D, IEC 60297, DIN 41494 SC48D rack width with mounting brackets | EIA 310-D, IEC 60297, DIN 41494 SC48D rack width with mounting brackets | EIA 310-D, IEC 60297, DIN 41494 SC48D rack width with mounting brackets | EIA 310-D, IEC 60297, DIN 41494 SC48D rack width with mounting brackets | EIA 310-D, IEC 60297, DIN 41494 SC48D rack width with mounting brackets |
| System depth | 25.4"/64.5 cm | 25.4"/64.5 cm | 25.4"/64.5 cm | 25.4"/64.5 cm | 25.4"/64.5 cm |
| System weight | 46 lbs (20.9 kg) | 46 lbs (20.9 kg) | 46 lbs (20.9 kg) | 49 lbs (22.2 kg) | 49 lbs (22.2 kg) |
| Shipping dimensions and weight | 37” x 24” by 11”; 59 lbs; 94 x 61 x 28 cm; 26.8 kg | 37” x 24” by 11”; 59 lbs; 94 x 61 x 28 cm; 26.8 kg | 37” x 24” by 11”; 59 lbs; 94 x 61 x 28 cm; 26.8 kg | 37” x 24” by 11”; 61 lbs; 94 x 61 x 28 cm; 27.7 kg | 37” x 24” by 11”; 61 lbs; 94 x 61 x 28 cm; 27.7 kg |
| Environmental and Regulatory | | | | | |
| Input voltage and frequency ranges | 100-240 VAC; 47-63 Hz | 100-240 VAC; 47-63 Hz | 100-240 VAC; 47-63 Hz | 100-240 VAC; 47-63 Hz | 100-240 VAC; 47-63 Hz |
| Power consumption | 650 watts 2,200 BTU per hour. | 650 watts 2,200 BTU per hour. | 650 watts 2,200 BTU per hour. | 850 watts 2,900 BTU per hour. | 850 watts 2,900 BTU per hour. |
| Operating temperature | 32–104° F; 0–40° C | 32–104° F; 0–40° C | 32–104° F; 0–40° C | 32–104° F; 0–40° C | 32–104° F; 0–40° C |
| Operating altitude | 0–4921' (1,500 m) | 0–4921' (1,500 m) | 0–4921' (1,500 m) | 0–4921' (1,500 m) | 0–4921' (1,500 m) |
| Non-operating temperature | -4–140° F; 20–60° C | -4–140° F; 20–60° C | -4–140° F; 20–60° C | -4–140° F; 20–60° C | -4–140° F; 20–60° C |
| Allowed relative humidity | 5%-95%, non-condensing | 5%-95%, non-condensing | 5%-95%, non-condensing | 5%-95%, non-condensing | 5%-95%, non-condensing |
| Safety certifications | UL, TUV-C | UL, TUV-C | UL, TUV-C | UL, TUV-C | UL, TUV-C |
| Electromagnetic emissions certifications and susceptibility standards | FCC (Part 15 Class A), DoC, CE, VCCI, CNS, AN/NES | FCC (Part 15 Class A), DoC, CE, VCCI, CNS, AN/NES | FCC (Part 15 Class A), DoC, CE, VCCI, CNS, AN/NES | FCC (Part 15 Class A), DoC, CE, VCCI, CNS, AN/NES | FCC (Part 15 Class A), DoC, CE, VCCI, CNS, AN/NES |
| Environmental compliance | RoHS, WEEE | RoHS, WEEE | RoHS, WEEE | RoHS, WEEE | RoHS, WEEE |

*See Citrix CloudBridge 4000.

Note: Some non fail-to-wire CloudBridge 4000 appliances require SFP+ transceivers.

Preparing for Installation

Before you install your new appliance, carefully unpack your appliance and make sure that all parts were delivered. Once you are satisfied that your appliance has been delivered to your expectations, verify that the location where the appliance will be installed meets temperature and power requirements and that the server cabinet or floor-to-ceiling cabinet is securely bolted to the floor and has sufficient airflow.

Only trained and qualified personnel should install, maintain, or replace the appliance, and efforts should be taken to ensure that all cautions and warnings are followed.

Unpacking the Appliance

Unpack the box that contains your new appliance on a sturdy table with plenty of space and inspect the contents.

Use the following list to verify that you received everything that should have been included in the box.

• The appliance you ordered

• One RJ-45 to DB-9 adapter

• One 6 ft RJ-45/DB-9 cable

• Two power cables

• One fiber patch cable

• One standard 4-post rail kit

Note: If the kit that you received does not fit your rack, contact your Citrix sales representative to order the appropriate kit.

In addition to the items included in the box with your new appliance, you will need the following items to complete the installation and initial configuration process.

• Ethernet cables for each additional Ethernet port that you will connect to your network

• One available Ethernet port on your network switch or hub for each Ethernet port you want to connect to your network

• A computer to serve as a management workstation

Preparing the Site and Rack

There are specific site and rack requirements for the CloudBridge 4000/5000 appliance. You must make sure that adequate environmental control and power density are available. Racks must be bolted to the ground, have sufficient airflow, and have adequate power and network connections. Preparing the site and rack are important steps in the installation process and help ensure a smooth installation.

Site Requirements

The appliance should be installed in a server room or server cabinet with the following features:

Environment control

An air conditioner, preferably a dedicated computer room air conditioner (CRAC), capable of maintaining the cabinet or server room at a temperature of no more than 21 degrees C/70 degrees F at altitudes of up to 2100 m/7000 ft, or 15 degrees C/60 degrees F at higher altitudes, a humidity level no greater than 45 percent, and a dust-free environment.

Power density

Wiring capable of handling at least 4,000 watts per rack unit in addition to power needs for the CRAC.

Rack Requirements

The rack on which you install your appliance should meet the following criteria:

Rack characteristics

Racks should be either integrated into a purpose-designed server cabinet or be the floor-to-ceiling type, bolted down at both top and bottom to ensure stability. If you have a cabinet, it should be installed perpendicular to a load-bearing wall for stability and sufficient airflow. If you have a server room, your racks should be installed in rows spaced at least 1 meter/3 feet apart for sufficient airflow. Your rack must allow your IT personnel unfettered access to the front and back of each server and to all power and network connections.

Power connections

At minimum, two standard power outlets per unit.

Network connections

At minimum, Ethernet connection per rack unit.


Space requirements

Two empty rack units for CloudBridge 4000/5000 appliances.

Note: You can order the following rail kits separately.

• Compact 4-post rail kit, which fits racks of 23 to 33 inches.

• 2-post rail kit, which fits 2-post racks.


Cautions and Warnings

Electrical Safety Precautions

Caution: During installation or maintenance procedures, wear a grounding wrist strap to avoid ESD damage to the electronics of the appliance. Use a conductive wrist strap attached to a good earth ground or to the appliance. You can attach it to the connector beside the ESD symbol on the back.

Follow basic electrical safety precautions to protect yourself from harm and the appliance from damage.

• Be aware of the location of the emergency power off (EPO) switch, so that you can quickly remove power to the appliance if an electrical accident occurs.

• Remove all jewelry and other metal objects that might come into contact with power sources or wires before installing or repairing the appliance. When you touch both a live power source or wire and ground, any metal objects can heat up rapidly and may cause burns, set clothing on fire, or fuse the metal object to an exposed terminal.

• Use a regulating, uninterruptible power supply (UPS) to protect the appliance from power surges and voltage spikes, and to keep the appliance operating in case of power failure.

• Never stack the appliance on top of any other server or electronic equipment.

• All appliances are designed to be installed on power systems that use TN earthing. Do not install your device on a power system that uses either TT or IT earthing.

• Make sure that the appliance has a direct physical connection to the earth during normal use. When installing or repairing an appliance, always make sure that the ground circuit is connected first and disconnected last.

• Make sure that a fuse or circuit breaker no larger than 120 VAC, 15 A U.S. (240 VAC, 16 A international) is used on all current-carrying conductors on the power system to which your appliances are connected.

• Do not work alone when working with high voltage components.

• Always disconnect the appliance from power before removing or installing any component. When disconnecting power, first shut down the appliance, and then unplug the power cords of all the power supply units connected to the appliance. As long as the power cord is plugged in, line voltages can be present in the power supply, even when the power switch is OFF.

• Do not use mats designed to decrease static electrical discharge as protection from electrical shock. Instead, use rubber mats that have been specifically designed as electrical insulators.

• Make sure that the power source can handle the appliance's maximum power consumption rating with no danger of an overload. Always unplug any appliance before performing repairs or upgrades.

• Do not overload the wiring in your server cabinet or on your server room rack.

• During thunderstorms, or anticipated thunderstorms, avoid performing any hardware repairs or upgrades until the danger of lightning has passed.

• When you dispose of an old appliance or any components, follow any local and national laws on disposal of electronic waste.

• To prevent possible explosions, replace expired batteries with the same model or a manufacturer-recommended substitute and follow the manufacturer’s instructions for battery replacement.

• Never remove a power supply cover or any sealed part that has the following label:

Appliance Precautions

• Determine the placement of each component in the rack before you install the rail.

• Install the heaviest appliance first, at the bottom of the rack, and then work upward. Distribute the load on the rack evenly. An unbalanced rack is hazardous.

• Allow the power supply units and hard drives to cool before touching them.

• Install the equipment near an electrical outlet for easy access.

• Mount equipment in a rack with sufficient airflow for safe operation.

• For a closed or multiple-unit rack assembly, the ambient operating temperature of the rack environment might be greater than the ambient temperature of the room. Therefore, consider the lowest and highest operating temperatures of the equipment when making a decision about where to install the appliance in the rack.

Rack Precautions

• Make sure that the leveling jacks on the bottom of the rack are fully extended to the floor, with the full weight of the rack resting on them.

• For a single-rack installation, attach a stabilizer to the rack.

• For a multiple-rack installation, couple (attach) the racks together.

• Always make sure that the rack is stable before extending a component from the rack.

• Extend only one component at a time. Extending two or more simultaneously might cause the rack to become unstable.

• The handles on the left and right of the front panel of the appliance should be used only for extending the appliance out of the rack. Do not use these handles for mounting the appliance on the rack. Use the rack-rail hardware, described later, instead.

Installing the Hardware

After you have determined that the location where you will install your appliance meets the environmental standards and the server rack is in place according to the instructions, you are ready to install the hardware. After you mount the appliance, you are ready to connect it to the network, to a power source, and to the console terminal that you will use for initial configuration. To complete the installation, you turn on the appliance. Be sure to observe the cautions and warnings listed with the installation instructions.

Rack Mounting the Appliance

Most appliances can be installed in standard server racks that conform to the EIA-310-D specification. The appliances ship with a set of rails, which you must install before you mount the appliance. The only tools that you need for installing an appliance are a Phillips screwdriver and a flathead screwdriver.

Caution: If you are installing the appliance as the only unit in the rack, mount it at the bottom. If the rack contains other units, make sure that the heaviest unit is at the bottom. If the rack has stabilizing devices available, install them before mounting the appliance.

A Citrix CloudBridge 4000/5000 appliance requires two rack units.

Each appliance ships with a mounting rail kit that contains two rail assemblies, one for the left side and the other for the right side of the appliance, and screws to attach the rails. An assembly consists of an inner rail and a rack rail. The supplied rail kit is 28 inches long (38 inches extended). Contact your Citrix sales representative to order a 23-inch (33 inches extended) rail kit.

Note: The same rail kit is used for both square-hole and round-hole racks. See figure 4 for specific instructions for threaded, round-hole racks.

To mount the appliance, you must first install the rails and then install the appliance in the rack.

Perform the following tasks to mount the appliance:

• Remove the inner rails from the rail assembly.

• Attach the inner rails to the appliance.

• Install the rack rails on the rack.

• Install the appliance in the rack.

To remove the inner rails from the rail assembly

1. Place the rail assembly on a flat surface.

2. Slide out the inner rail toward the front of the assembly.

3. Depress the latch until the inner rail comes all the way out of the rail assembly.

4. Repeat steps 1 through 3 to remove the second inner rail.


To attach the inner rails to the appliance

1. Position the right inner rail behind the handle on the right side of the appliance.

2. Align the holes on the rail with the corresponding holes on the side of the appliance.

3. Attach the rail to the appliance with the provided screws: 5 per side, as shown in the following figure.

Figure 1. Attaching inner rails

4. Repeat steps 1 through 3 to install the left inner rail on the other side of the appliance.


To install the rack rails on the rack

1. If you have a round-hole, threaded rack, skip to step 3.

2. Install square nut retainers into the front post and back post of the rack as shown in the following figures. Before inserting a screw, be sure to align the square nut with the correct hole for your appliance. The three holes are not evenly spaced.

Figure 2. Installing Retainers into the Front Rack Posts

Figure 3. Installing Retainers into the Rear Rack Posts

3. Install the adjustable rail assembly into the rack as shown in the following figures. Use a screw to lock the rear rail flange into the rack. With the screw securing the rail in place, you can optionally remove the latching spring.


Figure 4. Installing the Rail Assembly to the Rack


To install the appliance in the rack

1. Align the inner rails, attached to the appliance, with the rack rails.

2. Slide the appliance into the rack rails, keeping the pressure even on both sides.

3. Verify that the appliance is locked in place by pulling it all the way out from the rack.

Figure 5. Rack Mounting the Appliance


Installing and Removing 1G SFP Transceivers

Note: Some CloudBridge 4000/5000 appliances do not require SFP transceivers.

A Small Form-Factor Pluggable (SFP) is a compact transceiver that can operate at speeds of up to 1 gigabit per second and is available in both copper and fiber types. Inserting a 1G SFP copper transceiver converts the 1G SFP port to a 1000BASE-T port. Inserting a 1G SFP fiber transceiver converts the 1G SFP port to a 1000BASE-X port. Auto-negotiation is enabled by default on the 1G SFP port into which you insert your 1G SFP transceiver. As soon as a link between the port and the network is established, the speed and mode are matched on both ends of the cable.

Caution: CloudBridge 4000/5000 appliances do not support 1G SFP transceivers from vendors other than Citrix Systems. Attempting to install third-party 1G SFP transceivers on your CloudBridge 4000/5000 appliance voids the warranty.

Insert 1G SFP transceivers into the 1G SFP ports on the front panel of the appliance. Frequent installation and removal of transceivers shortens their life span. Follow the removal procedure carefully to avoid damaging the 1G SFP transceiver or the appliance.

Caution: Do not install the transceivers with the cables attached. Doing so can damage the cable, the connector, or the optical interface of the transceiver.


To install a 1G SFP transceiver

1. Remove the 1G SFP transceiver carefully from its box.

Danger: Do not look directly into fiber optic transceivers or cables. They emit laser beams that can damage your eyes.

2. Align the 1G SFP transceiver to the front of the 1G SFP transceiver port on the front panel of the appliance, as shown in the following figure.

Note: The illustration in the following figures might not represent your actual appliance.

Figure 1. Installing a 1G SFP transceiver

3. Hold the 1G SFP transceiver between your thumb and index finger and insert it into the 1G SFP transceiver port, pressing it in until you hear the transceiver snap into place.

4. Lock the transceiver.

5. Verify that the LED is green and blinks twice, which indicates that the transceiver is functioning correctly.

6. If you are using a fiber 1G SFP transceiver, do not remove the dust caps attached to the transceiver and the cable until you are ready to insert the cable.


To remove a 1G SFP transceiver

1. Disconnect the cable from the 1G SFP transceiver. If you are using a fiber optic cable, replace the dust cap on the cable before putting it away.

Danger: Do not look directly into fiber optic transceivers or cables. They emit laser beams that can damage your eyes.

2. Unlock the 1G SFP transceiver.

3. Hold the 1G SFP transceiver between your thumb and index finger and slowly pull it out of the port.

4. If you are removing a fiber 1G SFP transceiver, replace the dust cap before putting it away.

5. Put the 1G SFP transceiver into its original box or another appropriate container.


Installing and Removing 10G SFP+ Transceivers

Note: Some CloudBridge 4000/5000 appliances do not require SFP+ transceivers.

A 10-Gigabit Small Form-Factor Pluggable (SFP+) is a compact optical transceiver that can operate at speeds of up to 10 gigabits per second. Autonegotiation is enabled by default on the 10G SFP+ ports into which you insert your 10G SFP+ transceiver. As soon as a link between the port and the network is established, the mode is matched on both ends of the cable and for 10G SFP+ transceivers, the speed is also autonegotiated.

Caution: CloudBridge 4000/5000 appliances do not support 10G SFP+ transceivers provided by vendors other than Citrix Systems. Attempting to install third-party 10G SFP+ transceivers on your CloudBridge 4000/5000 appliance voids the warranty.

Insert the 10G SFP+ transceivers into the 10G SFP+ ports on the front panel of the appliance. Frequent installation and removal of transceivers shortens their life span. Follow the removal procedure carefully to avoid damaging the transceiver or the appliance.

Caution: Do not install the transceivers with the cables attached. Doing so can damage the cable, the connector, or the optical interface of the transceiver.

To install a 10G SFP+ transceiver

1. Remove the 10G SFP+ transceiver carefully from its box.

Danger: Do not look directly into fiber optic transceivers and cables. They emit laser beams that can damage your eyes.

2. Align the 10G SFP+ transceiver to the front of the 10G SFP+ transceiver port on the front panel of the appliance.

3. Hold the 10G SFP+ transceiver between your thumb and index finger and insert it into the 10G SFP+ transceiver port, pressing it in until you hear the transceiver snap into place.

4. Move the locking hinge to the DOWN position.

5. Verify that the LED is green and blinks twice, which indicates that the transceiver is functioning correctly.

6. Do not remove the dust caps attached to the transceiver and cable until you are ready to insert the cable.


To remove a 10G SFP+ transceiver

1. Disconnect the cable from the 10G SFP+ transceiver. Replace the dust cap on the cable before putting it away.

Danger: Do not look directly into fiber optic transceivers or cables. They emit laser beams that can damage your eyes.

2. Unlock the 10G SFP+ transceiver by moving the locking hinge to the UP position.

3. Hold the 10G SFP+ transceiver between your thumb and index finger and slowly pull it out of the port.

4. Replace the dust cap on the transceiver before putting it away.

5. Put the 10G SFP+ transceiver into its original box or another appropriate container.


Install Fiber Patch Cable in Ports 10/3 and 10/4

On a CloudBridge 4000/5000 appliance, ports 10/3 and 10/4 must be connected with the provided cable as shown in the following figure.

Figure 1. Installing the Patch Cable

To install the patch cable

1. Connect the LC-to-LC cable to the ports as shown in the figures above.

2. Install one end of the cable into port 10/3.

3. Install the other end of the cable into port 10/4.


Install Fiber Patch Cable in Ports 10/3 and 10/4

Through release 7.2.1, on an appliance, CloudBridge ports 10/3 and 10/4 must be connected with the provided cable, as shown in the following figure.

Starting with release 7.2.2, the patch cable is no longer required, and can be omitted if:

• The appliance was shipped from the factory with release 7.2.2 or later, or

• The appliance was shipped from the factory with release 7.2.1 or earlier, but you upgrade it to 7.2.2 or later and change the default loopback in the management service (on System > Configuration > System > Configure Loopback Settings).

Note: If you decide to eliminate the need to use loopback cable, the ports 10/3 and 10/4 are still reserved. These ports are not available for WAN optimization.

Figure 1. Installing the Patch Cable


To install the patch cable

1. Connect the LC-to-LC cable to the ports as shown in the figures above.

2. Insert one end of the cable into port 10/3.

3. Insert the other end of the cable into port 10/4.


Connecting the Cables

When the appliance is securely mounted on the rack, you are ready to connect the cables. Ethernet cables and the optional console cable are connected first. Connect the power cable last.

Danger: Before installing or repairing the appliance, remove all jewelry and other metal objects that might come in contact with power sources or wires. When you touch both a live power source or wire and ground, any metal objects can heat up rapidly and cause burns, set clothing on fire, or fuse the metal object to an exposed terminal.

Connecting the Appliance to the Network

Ethernet cables connect your appliance to the network. The type of cable you need depends on the type of port used to connect to the network. Use a category 5e or category 6 Ethernet cable with a standard RJ-45 connector on a 10/100/1000BASE-T port.

To connect an Ethernet cable to a 10/100/1000BASE-T port

1. Insert the RJ-45 connector on one end of your Ethernet cable into an appropriate port on the front panel of the appliance, as shown in the following figure.

Figure 1. Inserting an Ethernet cable

2. Insert the RJ-45 connector on the other end into the target device, such as a router or switch.

3. Verify that the LED glows amber when the connection is established.

Connecting the Console Cable

You can use the console cable to connect your appliance to a computer or terminal, from which you can configure the appliance. Before connecting the console cable, configure the computer or terminal to support VT100 terminal emulation, 9600 baud, 8 data bits, 1 stop bit, parity, and flow control set to NONE. Then connect one end of the console cable to the RS232 serial port on the appliance and the other end to the computer or terminal.

To connect the console cable to a computer or terminal

1. Insert the DB-9 connector at the end of the cable into the console port that is located on the front panel of the appliance, as shown in the following figure.

Figure 2. Inserting a console cable

Note: To use a cable with an RJ-45 converter, insert the optional converter provided into the console port and attach the cable to it.

2. Insert the RJ-45 connector at the other end of the cable into the serial port of the computer or terminal.

Connecting the Appliance to a Power Source

The CloudBridge 4000/5000 appliance has two power supplies, with one serving as a backup. A separate ground cable is not required, because the three-prong plug provides grounding. Power up the appliance by installing one or both power cords.

To connect the appliance to the power source

1. Connect one end of the power cable to the power outlet on the back panel of the appliance, next to the power supply, as shown in the following figure.

Figure 3. Inserting a power cable

2. Connect the other end of the power cable to a standard 110V/220V power outlet.

3. Repeat steps 1 and 2 to connect the second power supply.

Note: The appliance emits a high-pitched alert if one power supply fails or if you connect only one power cable to the appliance. To silence the alarm, you can press the small red button located on the back panel of the appliance.


Switching on the Appliance

After you have installed the appliance in a rack and connected the cables, verify that the power cable is properly connected. If you have installed a second power supply, make sure the second cable is connected to an outlet for a different circuit than the first. After verifying the connections, you are ready to switch on the appliance.

To switch on the appliance

1. Verify that the appliance is connected through a console or Ethernet port. This will ensure that you can configure the appliance after it is switched on.

2. Press the ON/OFF toggle power switch on the back panel of the appliance.

Caution: Be aware of the location of the emergency power off (EPO) switch, so that if an electrical accident occurs you can quickly remove power from the appliance.


Lights Out Management Port of the CloudBridge 4000/5000 Appliance

The CloudBridge 4000/5000 appliances have an Intelligent Platform Management Interface (IPMI), also known as the Lights out Management (LOM), port on the front panel of the appliance. By using the LOM, you can remotely monitor and manage the appliance, independently of the CloudBridge 4000/5000 software. You can remotely change the IP address, perform different power operations, and obtain health monitoring information of the appliance by connecting to the appliance through the LOM port.

By connecting the LOM port over a dedicated channel that is separate from the data channel, you can make sure that connectivity to the appliance is maintained even if the data network is down.

Accessing the LOM Port by using a Web Browser

By using a web browser you can remotely log on to the LOM port to obtain information about the appliance and perform different operations on the appliance.

To access the LOM by using a web browser

1. In a web browser, type the IP address of the LOM port. For initial configuration, type the port’s default address: http://192.168.1.3

2. In the User Name box, type nsroot.

3. In the Password box, type nsroot.

Configuring the LOM Port

For initial configuration of the lights-out management (LOM) port, connect to the port's default IP address and change it to the address that you want to use for remote monitoring and management. Also specify the administrator credentials and the network settings.

Note: The LEDs on the LOM port are unoperational by design.


To Configure the NetScaler LOM Port

1. Connect the NetScaler LOM port to a management workstation or network.

2. In a web browser, type: http://192.168.1.3.

Note: The NetScaler LOM port is preconfigured with the IP address 192.168.1.3 and subnet mask 255.255.255.0.

3. In the User Name box, type nsroot.

4. In the Password box, type nsroot.

5. In the Configuration tab, click Network and type values for the following parameters:

• IP Address—IP address of the LOM port.

• Subnet Mask—Subnet mask used to define the subnet of the LOM port.

• Default Gateway—IP address of the router that connects the LOM port to the network.

6. Click Save.

Power Cycling the Appliance

You can remotely turn off the appliance and turn it back on. The result is similar to pressing the power button on the back panel of the appliance for less than four seconds.

To power cycle the appliance

1. In a web browser, type the IP address of the LOM port.

2. In the User Name and Password boxes, type the administrator credentials.

3. In the Menu bar, click Remote Control.

4. Under Options, click Power Control, and then click Power Cycle System.

5. Click Perform Action.

Accessing the Appliance by using the Access Console

The LOM port allows you to remotely access and manage the appliance by logging on to a redirected console.

To access the appliance by using the access console

1. In a web browser, type the IP address of the LOM port.

2. In the User Name and Password boxes, type the administrator credentials.


3. In the Menu bar, click Remote Control.

4. Under Options, click Console Redirection.

5. Click Launch Console, and then click Yes.

6. Type the administrator credentials for the appliance.

Obtaining Health Monitoring Information

You can log on to the LOM port to view the health information about the appliance. All system sensor information, such as system temperature, CPU temperature, status of fan and power supplies, appears on the sensor readings page.

To obtain health monitoring information

1. In a web browser, type the IP address of the LOM port.

2. In the User Name and Password boxes, type the administrator credentials.

3. In the Menu bar, click System Health.

4. Under Options, click Sensor Readings.

Power Control Operations using the LOM Port

You can remotely perform different power control operations, such as restarting the appliance, performing a graceful shutdown, and performing a forced shutdown, by using the LOM port.

To perform power control operations

1. In a web browser, log on to the LOM port by using the administrator credentials.

2. In the Menu bar, click Remote Control.

3. Under Options, click Power Control, and then select one of the following options:

• Reset System—Restart the appliance.

• Power Off System – Immediate—Disconnect power to the appliance without shutting down the appliance.

• Power On System—Turn on the appliance.

• Power Cycle System—Turn off the appliance, and then turn it back on.

4. Click Perform Action.


Planning the Deployment

CloudBridge 4000/5000 deployments require adequate planning, especially for units deployed in large datacenters:

• An appropriate appliance or group of appliances must be selected to support both the current and anticipated load.

• A deployment mode must be selected to match the requirements of your site.

• Other aspects must also be considered.


Sizing Guidelines

For successful deployment of one or more CloudBridge 4000/5000 appliances in your datacenter, keep the following principles in mind:

• You must provide enough CloudBridge 4000/5000 peak-load capacity, in terms of WAN bandwidth and the number of users. See the current specifications sheet for the capacities of different CloudBridge 4000/5000 models: http://www.citrix.com/content/dam/citrix/en_us/documents/products/cloudbridge-branch-repeater-spec-sheet.pdf (In the spec sheet, the number of users is referred to as "HDX sessions"). Ensure adequate peak-load capacity, both for now and for the time until you expect to upgrade. Acceleration is resource intensive, and performance suffers if the appliance runs short of resources. Never overcommit any CloudBridge appliance, especially in the datacenter. Provision your datacenter to easily accommodate peak loads.

• Provide enough capacity for expected expansion over the life of the deployment. CloudBridge 4000/5000 appliances using the same hardware platform can have their capacity upgraded with a new license as part of the Citrix pay-as-you-grow program. CloudBridge 4000/5000 models 310, 500, and 1000 use one hardware platform, and models 1500 and 2000 use another hardware platform. This means that, for example, a CloudBridge 4000/5000 500 can be converted through a license upgrade to a CloudBridge 4000/5000 1000, but not to a CloudBridge 4000/5000 1500.

• For more capacity than can be provided by a single appliance, multiple CloudBridge 4000/5000 appliances can be cascaded behind a stand-alone NetScaler appliance.

• Different models have differing numbers of traffic ports. If you require multiple bridges, make sure your model has at least as many as you need.


Selecting a Deployment Mode

The CloudBridge 4000/5000 appliance can be deployed inline or in a one-arm mode. Inline deployments do not require router reconfiguration; one-arm modes do. CloudBridge 4000/5000 offers internal port bypassing (fail-to-wire) to allow traffic to continue flowing in inline mode if the appliance fails.

Note: Only the one-arm WCCP mode (with a single router) is documented at this time. Inline mode is not yet documented. Citrix recommends WCCP mode at this time.

Different CloudBridge 4000/5000 models offer different numbers of accelerated bridges. Models with multiple accelerated bridges can accelerate multiple inline WAN links. See the specifications sheet for more details, http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/cloudbridge-data-sheet.pdf.

Deploying a Single CloudBridge 4000/5000 Appliance (or HA Pair)

A standalone CloudBridge 4000/5000 appliance can be deployed in either of these two recommended modes:

• Inline, bridged (L2 inline). This closely resembles a standard CloudBridge inline deployment. Packets enter one bridge port and exit the other bridge port.

• One-arm, WCCP. This resembles a standard CloudBridge WCCP deployment.

Citrix also supports the following two modes (which are outside the scope of this document):

• Inline, routed. The NetScaler instance uses routing rules instead of bridging rules to determine how to forward packets.

• Virtual inline. This resembles WCCP, but lacks built-in health-checking.

In L2 inline mode, CloudBridge 4000/5000 is placed between your LAN and your WAN router (or other aggregation point at the LAN-WAN boundary). In a one-arm mode, CloudBridge 4000/5000 is generally connected directly to a dedicated port on your WAN router.

In cases where the WAN router ports are not as fast as the LAN (for example, when the WAN router has gigabit Ethernet, but the LAN has 10 gigabit Ethernet), inline mode provides better performance, because its LAN-side traffic is not limited to the speed of the router interface. (Compression allows the LAN-side traffic to be much faster than WAN-bound traffic under favorable conditions.)

Considerations:

• The inline modes require no reconfiguration of your routers, but involve a service disruption when bringing the appliance into service.


• One-arm modes require router reconfiguration but do not require a service disruption.

• Inline mode has higher performance than the other modes.

• One-arm modes are limited to half the speed of the router or switch port they are attached to.

• With WCCP mode, configuring the router to send only a fraction of the WAN traffic to CloudBridge 4000/5000 (as little as the traffic from a single remote site or even a single remote IP address) makes it easy to bring up and test the installation gradually. Inline mode requires that all WAN traffic pass through the appliance.

• WCCP mode requires more configuration of the CloudBridge 4000/5000 appliance than do other modes, but is more standardized and provides more status information on the router.

Recommendation:

• The greater control provided by WCCP, and especially the ability to put the deployment into service in stages, makes WCCP the mode of choice for larger, more complex datacenters, especially if there might be a possibility of overloading the CloudBridge 4000/5000 appliance.

• Inline mode is convenient for smaller WAN networks and simpler datacenters. It is most commonly used with the CloudBridge 4000/5000 310 and 500, and more rarely with the larger appliances.

• Cascaded installations should use WCCP.

Note: Only WCCP mode (with a single router) is currently documented.


Selecting a Load Balancing Method

By default, the CloudBridge 4000/5000 Provisioning Wizard sets up load balancing to handle different kinds of connections appropriately. This default behavior is adequate for most installations.

Sending all the connections from the same remote accelerator to the same local accelerator maximizes the benefits of CloudBridge compression, and the default load balancing method accomplishes this. If an instance becomes overloaded or unavailable, new connections are reallocated.

Default Load Balancing Behavior

By default, the NetScaler instance uses the least-connection method to balance the load across the accelerators. This method applies whether or not the connections are accelerated. Connections are persistent, but persistency is discontinued for an instance that becomes overloaded, and is lost if the local appliance is restarted or when no traffic from a remote appliance is seen for more than 24 hours.

Accelerated connections

For incoming accelerated connections (that is, connections with CloudBridge options in the header of the SYN packet), all connections from a given remote CloudBridge are sent to the same local accelerator.

The identity of the remote CloudBridge is determined by one of the CloudBridge SYN options: the "AgentID" field, which contains the management IP address of the remote CloudBridge.

This method is used for connections from remote CloudBridge appliances and remote CloudBridge Plug-ins.

Other connections

Incoming non-accelerated connections and all outgoing connections are also distributed among the accelerators according to the least-connection method, but since they do not contain an AgentID field, they cannot use AgentID persistence. Instead, they use SRCIPDESTIP persistence, meaning that connections with the same IP addresses use the same accelerator.

Bypassing Overloaded Instances

If an instance is overloaded, the NetScaler instance bypasses it for new connections, sending them through without acceleration. Existing connections continue to be sent to the instance.


This behavior is controlled by the skipPersistency parameter. The default behavior is -skippersistency ReLB. The alternative behavior, -skippersistency bypass, instructs the NetScaler instance to pass the connection through without sending it to an accelerator.

Optional Load Balancing Behavior

The default load balancing behavior is adequate for most installations, but sometimes customization is needed. This is most commonly true when a few remote sites have much more traffic than the rest. In that case, it can be worthwhile to assign these large sites to accelerators explicitly.

Optional load balancing behavior includes the use of static routing (for hand-crafted load balancing) and variations on the least-connection with AgentID and SRCIPDESTIP persistence methods used in the default configuration. The behavior for dealing with overloaded instances can be changed from assigning connections to a different instance to passing them through as unaccelerated.
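The persistence and overload rules in this section can be traced with a small model, which helps when estimating how a few busy remote sites will spread across accelerators. This is an added Python example, not Citrix or NetScaler code; the class names, the per-instance capacity threshold used to decide "overloaded", and the re-pinning of a key after ReLB are assumptions, and the sample traffic is constructed.

```python
# Added illustration: a toy model of least-connection balancing with AgentID
# and SRCIPDESTIP persistence. It is not NetScaler code.
from dataclasses import dataclass


@dataclass
class Accelerator:
    name: str
    capacity: int       # assumption: overloaded once active >= capacity
    active: int = 0

    @property
    def overloaded(self) -> bool:
        return self.active >= self.capacity


class LoadBalancerModel:
    def __init__(self, accelerators, skip_persistency="ReLB"):
        if skip_persistency not in ("ReLB", "bypass"):
            raise ValueError("skip_persistency must be 'ReLB' or 'bypass'")
        self.accelerators = list(accelerators)
        self.skip_persistency = skip_persistency
        self.persistence = {}   # persistence key -> Accelerator

    @staticmethod
    def persistence_key(conn):
        # Accelerated connections carry an AgentID SYN option (the management
        # IP of the remote CloudBridge); all others fall back to SRCIPDESTIP.
        if conn.get("agent_id"):
            return ("AgentID", conn["agent_id"])
        return ("SRCIPDESTIP", conn["src"], conn["dst"])

    def assign(self, conn):
        """Return the accelerator name chosen for a new connection, or None
        when the connection is passed through without acceleration."""
        key = self.persistence_key(conn)
        pinned = self.persistence.get(key)
        if pinned is not None and not pinned.overloaded:
            pinned.active += 1
            return pinned.name
        # The pinned instance is overloaded: persistency is skipped.
        if pinned is not None and self.skip_persistency == "bypass":
            return None
        # New key, or ReLB: least-connection among instances with headroom.
        candidates = [a for a in self.accelerators if not a.overloaded]
        if not candidates:
            return None
        chosen = min(candidates, key=lambda a: a.active)
        self.persistence[key] = chosen   # assumption: ReLB re-pins the key
        chosen.active += 1
        return chosen.name


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = [
    {"agent_id": "192.0.2.10", "src": "192.0.2.50", "dst": "198.51.100.5"},
    {"agent_id": "192.0.2.10", "src": "192.0.2.51", "dst": "198.51.100.5"},
    {"agent_id": "192.0.2.20", "src": "192.0.2.90", "dst": "198.51.100.5"},
    {"src": "203.0.113.7", "dst": "198.51.100.8"},   # non-accelerated
    {"src": "203.0.113.7", "dst": "198.51.100.8"},   # same address pair
    {"agent_id": "192.0.2.10", "src": "192.0.2.52", "dst": "198.51.100.5"},
]


def replay(skip_persistency):
    """Replay SAMPLE against three accelerators of capacity 2 each."""
    accelerators = [Accelerator(f"acc{i}", capacity=2) for i in (1, 2, 3)]
    lb = LoadBalancerModel(accelerators, skip_persistency)
    return [lb.assign(conn) for conn in SAMPLE]


if __name__ == "__main__":
    for mode in ("ReLB", "bypass"):
        print(mode, replay(mode))
```

The last sample connection arrives after its pinned accelerator has filled up, so the two -skippersistency settings diverge only on that entry.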


Gathering Information Needed for Configuration

Accurate information about both the local and the remote sites is essential to troubleshooting. Before installing the CloudBridge 4000/5000 appliance, make sure that you have done the following:

1. Obtained or drawn an accurate network diagram of your local site (the one in which you are installing CloudBridge 4000/5000). The local network topology and the capabilities of your WAN routers determine which deployment modes are appropriate for the site.

2. Chosen the deployment mode of the local CloudBridge 4000/5000 appliance (for example, WCCP or inline, with or without HA and cascading).

3. Compiled a list of critical applications that must be tested to validate the deployment.

4. Obtained or drawn an accurate network diagram of your WAN, including both the local and the remote WAN links, their bandwidths in both directions, their subnets, and whether they are accelerated. In deployments with many remote sites, an aggregate of the different categories (accelerated and non-accelerated) is probably sufficient, and only the largest remote sites need to be considered individually.

5. Determined whether there are multiple datacenters with datacenter-to-datacenter traffic, and whether any remote datacenters have a CloudBridge 4000/5000 appliance.

6. Decided whether you plan to increase WAN capacity, the number of sites, or the number of users in the next 24 months. If so, the corresponding CloudBridge 4000/5000 capacity should be installed now.

7. If possible, formed an idea of the traffic breakdown over the WAN, including TCP traffic to and from CloudBridge-accelerated sites, other TCP traffic, ICA users, HDX sessions, and real-time traffic such as VoIP. CloudBridge 4000/5000 needs to be provisioned for the peak loads in terms of accelerated TCP connections, ICA users, and total WAN link capacity.

8. Determined the number of WAN links in the local site. Are they independent, or are they load balanced? If so, are they active-active or active-standby?

9. Determined the current, unaccelerated RTT of the remote sites during peak periods.

10. Identified any QoS devices or proxies in the path between the local and remote sites. QoS devices should be on the WAN side of CloudBridge 4000/5000. Proxies should be on the LAN side.


Hardware Platforms

Citrix CloudBridge 4000 and 5000 is a high-performance WAN accelerator for busy datacenters that combines multiple virtual instances of the CloudBridge appliance with a single virtual instance of the NetScaler load-balancer, providing the performance of multiple CloudBridge appliances in a single package.

Introduction to the Hardware Platforms

Citrix CloudBridge 4000/5000 appliances are the highest-performing products in the Citrix CloudBridge product line. The appliances achieve this performance by combining a NetScaler VPX load balancer with three to eight accelerators, all in a single high-performance server that meets the needs of busy datacenters.

Hardware Components

Each platform has front panel and back panel hardware components. The front panel has an LCD display and an RS232 serial console port. The number, type, and location of ports (copper Ethernet, copper and fiber 1G SFP and 10G SFP+) vary by hardware platform. The back panel provides access to the fan and the field replaceable units (power supplies, and solid-state and hard-disk drives).

Ports

Note: Some CloudBridge appliances do not require SFP transceivers.

Ports are used to connect the appliance to external devices. Citrix CloudBridge 4000/5000 appliances support RS232 serial ports, 10/100/1000Base-T copper Ethernet ports, fiber 1G SFP ports and 10-gigabit fiber SFP+ ports. All Citrix CloudBridge 4000/5000 appliances have a combination of some or all of these ports. For details on the type and number of ports available on your appliance, see the section describing that platform.

RS232 Serial Port

The RS232 serial console port provides a connection between the appliance and a computer, allowing direct access to the appliance for initial configuration or troubleshooting.

Copper Ethernet Ports

The copper Ethernet ports installed on the appliances are standard RJ45 ports.

10/100/1000BASE-T port

The 10/100/1000BASE-T port has a maximum transmission speed of 1 gigabit per second, ten times faster than the other type of copper Ethernet port.

To connect any of these ports to your network, you plug one end of a standard Ethernet cable into the port and plug the other end into the appropriate network connector.

Management Ports

Management ports are standard copper Ethernet ports (RJ45), which are used for direct access to the appliance for system administration functions.

1G SFP and 10G SFP+ Ports

A 1G SFP port can operate at a speed of 1 Gbps. It accepts either a copper 1G SFP transceiver, for operation as a copper Ethernet port, or a fiber 1G SFP transceiver for operation as a fiber optic port.

The 10G SFP+ ports are high-speed ports that can operate at speeds of up to 10 Gbps. You need a fiber optic cable to connect to a 10G SFP+ port.

LED Port-Status Indicators

The port LEDs show whether the link is established and traffic is flowing through the port. For information about the LED indicators for each card type, see Networking Bypass Adapters.

Field Replaceable Units

Citrix CloudBridge 4000/5000 field replaceable units (FRU) are components that can be quickly and easily removed from the appliance and replaced by the user or a technician at the user's site. The FRUs in a Citrix CloudBridge 4000/5000 appliance can include DC or AC power supplies, and solid-state and hard-disk drives.

Note: By default the appliance ships with AC power supplies. DC power supplies can be ordered.

Power Supply

Citrix CloudBridge 4000/5000 appliances are configured with dual power supplies but can operate with only one power supply. The second power supply serves as a backup.

For power-supply specifications, see "Hardware Platforms," which describes the various platforms and includes a table summarizing the hardware specifications.

Table 1. LED Power Supply Indicators

| Power Supply Type | LED Color | LED Indicates |
|---|---|---|
| AC | OFF | No power to any power supply. |
| AC | Flashing RED | No power to this power supply. |
| AC | Flashing GREEN | Power supply is in standby mode. |
| AC | GREEN | Power supply is functional. |
| AC | RED | Power supply failure. |
| DC | OFF | No power to any power supply. |
| DC | Flashing RED | No power to this power supply. |
| DC | Flashing BLUE | Power supply is in standby mode. |
| DC | BLUE | Power supply is functional. |
| DC | RED | Power supply failure. |

Electrical Safety Precautions for Power Supply Replacement

• Make sure that the appliance has a direct physical connection to earth ground during normal use. When installing or repairing an appliance, always connect the ground circuit first and disconnect it last.

• Always unplug any appliance before performing repairs or upgrades.

• Never touch a power supply when the power cord is plugged in. As long as the power cord is plugged in, line voltages are present in the power supply even if the power switch is turned off.

Replacing an AC Power Supply

Replace an AC power supply with another AC power supply. All power supplies must be of the same type (AC or DC).

Note: You can replace one power supply without shutting down the appliance, provided the other power supply is working.

To install or replace an AC power supply on a Citrix CloudBridge 4000/5000 appliance

1. Align the semicircular handle perpendicular to the power supply. Loosen the thumbscrew and press the lever toward the handle and pull out the existing power supply, as shown in the following figure.

Figure 1. Removing the Existing AC Power Supply

2. Carefully remove the new power supply from its box.

3. On the back of the appliance, align the power supply with the power supply slot.

4. Insert the power supply into the slot and press against the semicircular handle until you hear the power supply snap into place.

Figure 2. Inserting the Replacement AC Power Supply

5. Connect the power supply to a power source. If connecting all power supplies, plug separate power cords into the power supplies and connect them to separate wall sockets.

Note: CloudBridge 4000/5000 appliances emit a high-pitched alert if one power supply fails or if you connect only one power cable to an appliance in which two power supplies are installed. To silence the alarm, press the small red button on the back panel of the appliance. The disable alarm button is functional only when the appliance has two power supplies.

Replacing a DC Power Supply

Replace a DC power supply with another DC power supply. All power supplies must be of the same type (AC or DC).

Note: You can replace one power supply without shutting down the appliance, provided the other power supply is working.

To install or replace a DC power supply on a Citrix CloudBridge 4000/5000 appliance

1. Loosen the thumbscrew and press the lever towards the handle and pull out the existing power supply, as shown in the following figure.

Figure 3. Removing the Existing DC Power Supply

2. Carefully remove the new power supply from its box.

3. On the back of the appliance, align the power supply with the power supply slot.

4. Insert the power supply into the slot while pressing the lever towards the handle. Apply firm pressure to insert the power supply firmly into the slot.

Figure 4. Inserting the Replacement DC Power Supply

5. When the power supply is completely inserted into its slot, release the lever.

6. Connect the power supply to a power source. If connecting all power supplies, plug separate power cords into the power supplies and connect them to separate wall sockets.

Note: CloudBridge 4000/5000 appliances emit a high-pitched alert if one power supply fails or if you connect only one power cable to an appliance in which two power supplies are installed. To silence the alarm, press the small red button on the back panel of the appliance. The disable alarm button is functional only when the appliance has two power supplies.

Solid-State Drive

A solid-state drive (SSD) is a high-performance device that stores data in solid-state flash memory.

Replacing a Solid-State Drive

The CloudBridge 4000/5000 software is stored on the solid-state drive (SSD).

To replace a solid-state drive

1. Locate the SSD on the back panel of the appliance. Push the safety latch of the drive cover to the right or down, depending on the platform, while pulling out on the drive handle to disengage. Pull out the faulty drive.

Figure 1. Removing the Existing Solid-State Drive

2. Verify that the replacement SSD is the correct type for the platform.

3. Pick up the new SSD, open the drive handle fully to the left or up, and insert the drive into the slot as far as possible. To seat the drive, close the handle flush with the rear of the appliance so that the drive locks securely into the slot.

Important: When you insert the drive, make sure that the Citrix product label is at the top if the drive is inserted horizontally or at the right if the drive is inserted vertically.

Figure 2. Inserting the Replacement Solid-State Drive

4. Turn on the appliance.

5. Log on to the default IP address by using a web browser, or connect to the serial console by using a console cable, to perform the initial configuration.

Hard Disk Drive

The NetScaler and CloudBridge virtual machines are hosted on the hard-disk drive.

Replacing a Hard Disk Drive

Verify that the replacement hard disk drive is the correct type for the CloudBridge 4000/5000 platform.

To install a hard disk drive

1. Shut down the appliance.

2. Locate the hard disk drive on the back panel of the appliance.

3. Disengage the hard disk drive by pushing the safety latch of the drive cover to the right or down, depending on the platform, while pulling out on the drive handle to disengage. Pull out the faulty drive.

Figure 1. Removing the Existing Hard Disk Drive

4. Pick up the new disk drive, open the drive handle fully to the left, and insert the new drive into the slot as far as possible. To seat the drive, close the handle flush with the rear of the appliance so that the hard drive locks securely into the slot.

Important: When you insert the drive, make sure that the Citrix product label is at the top.

Figure 2. Inserting the Replacement Hard Disk Drive

5. Turn on the appliance.

Hardware Platforms

The CloudBridge 4000/5000 hardware platforms offer a wide range of features, communication ports, and processing capacities. All platforms have multicore processors.

Citrix CloudBridge 4000

Citrix CloudBridge 4000 appliances are 2U appliances. Each model has two 6-core processors for a total of 12 physical cores (24 cores with hyper-threading), and 48 gigabytes (GB) of memory. The Citrix CloudBridge 4000 models have bandwidths of 310 Mbps, 500 Mbps, and 1 Gbps, respectively.

The following figures show the front panel of the Citrix CloudBridge 4000 appliance.

Figure 1. Citrix CloudBridge 4000, front panel (without FTW cards)

Figure 2. Citrix CloudBridge 4000, front panel (with FTW cards)

The Citrix CloudBridge 4000 appliances have the following ports:

• 10/100Base-T copper Ethernet Port (RJ45), also called LOM port. You can use this port to remotely monitor and manage the appliance independently of the appliance's software.

Note: The LEDs on the LOM port are not operational by design.

• RS232 serial console port.

• Two 10/100/1000Base-T copper Ethernet management ports (RJ45). These ports are used to connect directly to the appliance for system administration functions.

• Network Ports

  • CloudBridge 4000 (without FTW cards). Eight 1G SFP ports and four 10G SFP+ ports.

  • CloudBridge 4000 (with FTW cards). Eight 1G copper Ethernet ports and four 10G ports.

The following figure shows the back panel of the Citrix CloudBridge 4000 appliance.

Figure 3. Citrix CloudBridge 4000, back panel

The following components are visible on the back panel of the Citrix CloudBridge 4000 appliance:

• Four 600 GB removable solid-state drives, which store the appliance's compression history. The 256 GB solid-state drive below the hard disk drive stores the appliance's software.

• USB port (reserved for a future release).

• A 1 TB removable hard disk drive.

• Power switch, which turns off power to the appliance, just as if you were to unplug the power supply. Press the switch for five seconds to turn off the power.

• Disable alarm button. This button is functional only when the appliance has two power supplies.

Press this button to stop the power alarm from sounding when you have plugged the appliance into only one power outlet or when one power supply is malfunctioning and you want to continue operating the appliance until it is repaired.

• Dual power supplies (either AC or DC), each rated at 850 watts, 100-240 volts.

Citrix CloudBridge 5000

Citrix CloudBridge 5000 appliances are 2U appliances. Each model has two 6-core processors for a total of 12 physical cores (24 cores with hyper-threading), and 96 gigabytes (GB) of memory. The Citrix CloudBridge 5000 models have bandwidths of 1.5 Gbps and 2 Gbps, respectively.

The following figure shows the front panel of the Citrix CloudBridge 5000 appliance.

Figure 1. Citrix CloudBridge 5000, front panel

The Citrix CloudBridge 5000 appliance has the following ports:

• 10/100Base-T copper Ethernet Port (RJ45), also called LOM port. You can use this port to remotely monitor and manage the appliance independently of the appliance's software.

Note: The LEDs on the LOM port are not operational by design.

• RS232 serial console port.

• Two 10/100/1000Base-T copper Ethernet management ports (RJ45). These ports are used to connect directly to the appliance for system administration functions.

• Eight 10G ports.

The following figure shows the back panel of the Citrix CloudBridge 5000 appliance.

Figure 2. Citrix CloudBridge 5000, back panel

The following components are visible on the back panel of the Citrix CloudBridge 5000 appliance:

• Six 600 GB removable solid-state drives, which store the appliance's compression history. The 256 GB solid-state drive next to the power supplies stores the appliance's software.

• USB port (reserved for a future release).

• Power switch, which turns off power to the appliance, just as if you were to unplug the power supply. Press the switch for five seconds to turn off the power.

• A 1 TB removable hard disk drive.

• Disable alarm button. This button is functional only when the appliance has two power supplies.

Press this button to stop the power alarm from sounding when you have plugged the appliance into only one power outlet or when one power supply is malfunctioning and you want to continue operating the appliance until it is repaired.

• Dual power supplies (either AC or DC), each rated at 650 watts, 100-240 volts.

Summary of Hardware Specifications

The following tables summarize the specifications of the Citrix CloudBridge 4000/5000 hardware platforms.

Table 1. Citrix CloudBridge 4000/5000 Appliances

| Citrix CloudBridge 4000/5000 | | | | | |
|---|---|---|---|---|---|
| Platform Performance | | | | | |
| Bandwidth | 310 Mbps | 500 Mbps | 1.0 Gbps | 1.5 Gbps | 2.0 Gbps |
| Maximum HDX sessions | 750 | 1,200 | 2,500 | 3,500 | 5,000 |
| Total sessions | 40,000 | 60,000 | 120,000 | 20,000 | 160,000 |
| Acceleration Plug-in CCUs | 1,100 | 1,800 | 3,000 | 3,600 | 4,800 |
| Hardware Specifications | | | | | |
| Processor | Dual Intel E5645 | Dual Intel E5645 | Dual Intel E5645 | Dual Intel X5680 | Dual Intel X5680 |
| Total disk space | 3.2 TB | 3.2 TB | 3.2 TB | 4.2 TB | 4.2 TB |
| SSD (dedicated compression history) | 2 TB | 2 TB | 2 TB | 3 TB | 3 TB |
| HDD | 1 TB | 1 TB | 1 TB | 1 TB | 1 TB |
| RAM | 48 GB | 48 GB | 48 GB | 96 GB | 96 GB |
| Network interfaces | 4 x 10GigE SX and 8 x 1GigE TX Bypass | 4 x 10GigE SX and 8 x 1GigE TX Bypass* | 4 x 10GigE SX and 8 x 1GigE TX Bypass* | 8 x 10GigE SR Bypass | 8 x 10GigE SR Bypass |
| Transceiver support | N/A | N/A | N/A | N/A | N/A |
| Power supplies | 2 | 2 | 2 | 2 | 2 |
| Physical Dimensions | | | | | |
| Rack units | 2 | 2 | 2 | 2 | 2 |
| System width | EIA 310-D, IEC 60297, DIN 41494 SC48D rack width with mounting brackets | EIA 310-D, IEC 60297, DIN 41494 SC48D rack width with mounting brackets | EIA 310-D, IEC 60297, DIN 41494 SC48D rack width with mounting brackets | EIA 310-D, IEC 60297, DIN 41494 SC48D rack width with mounting brackets | EIA 310-D, IEC 60297, DIN 41494 SC48D rack width with mounting brackets |
| System depth | 25.4"/64.5 cm | 25.4"/64.5 cm | 25.4"/64.5 cm | 25.4"/64.5 cm | 25.4"/64.5 cm |
| System weight | 46 lbs (20.9 kg) | 46 lbs (20.9 kg) | 46 lbs (20.9 kg) | 49 lbs (22.2 kg) | 49 lbs (22.2 kg) |
| Shipping dimensions and weight | 37” x 24” by 11”, 59 lbs; 94 x 61 x 28 cm, 26.8 kg | 37” x 24” by 11”, 59 lbs; 94 x 61 x 28 cm, 26.8 kg | 37” x 24” by 11”, 59 lbs; 94 x 61 x 28 cm, 26.8 kg | 37” x 24” by 11”, 61 lbs; 94 x 61 x 28 cm, 27.7 kg | 37” x 24” by 11”, 61 lbs; 94 x 61 x 28 cm, 27.7 kg |
| Environmental and Regulatory | | | | | |
| Input voltage and frequency ranges | 100-240 VAC, 47-63 Hz | 100-240 VAC, 47-63 Hz | 100-240 VAC, 47-63 Hz | 100-240 VAC, 47-63 Hz | 100-240 VAC, 47-63 Hz |
| Power consumption | 650 watts, 2,200 BTU per hour | 650 watts, 2,200 BTU per hour | 650 watts, 2,200 BTU per hour | 850 watts, 2,900 BTU per hour | 850 watts, 2,900 BTU per hour |
| Operating temperature | 32–104° F, 0–40° C | 32–104° F, 0–40° C | 32–104° F, 0–40° C | 32–104° F, 0–40° C | 32–104° F, 0–40° C |
| Operating altitude | 0–4921' (1,500 m) | 0–4921' (1,500 m) | 0–4921' (1,500 m) | 0–4921' (1,500 m) | 0–4921' (1,500 m) |
| Non-operating temperature | -4–140° F, 20–60° C | -4–140° F, 20–60° C | -4–140° F, 20–60° C | -4–140° F, 20–60° C | -4–140° F, 20–60° C |
| Allowed relative humidity | 5%-95%, non-condensing | 5%-95%, non-condensing | 5%-95%, non-condensing | 5%-95%, non-condensing | 5%-95%, non-condensing |
| Safety certifications | UL, TUV-C | UL, TUV-C | UL, TUV-C | UL, TUV-C | UL, TUV-C |
| Electromagnetic emissions certifications and susceptibility standards | FCC (Part 15 Class A), DoC, CE, VCCI, CNS, AN/NES | FCC (Part 15 Class A), DoC, CE, VCCI, CNS, AN/NES | FCC (Part 15 Class A), DoC, CE, VCCI, CNS, AN/NES | FCC (Part 15 Class A), DoC, CE, VCCI, CNS, AN/NES | FCC (Part 15 Class A), DoC, CE, VCCI, CNS, AN/NES |
| Environmental compliance | RoHS, WEEE | RoHS, WEEE | RoHS, WEEE | RoHS, WEEE | RoHS, WEEE |

*See Citrix CloudBridge 4000.

Note: Some non fail-to-wire CloudBridge 4000 appliances require SFP+ transceivers.

Preparing for Installation

Before you install your new appliance, carefully unpack your appliance and make sure that all parts were delivered. Once you are satisfied that your appliance has been delivered to your expectations, verify that the location where the appliance will be installed meets temperature and power requirements and that the server cabinet or floor-to-ceiling cabinet is securely bolted to the floor and has sufficient airflow.

Only trained and qualified personnel should install, maintain, or replace the appliance, and efforts should be taken to ensure that all cautions and warnings are followed.

Unpacking the Appliance

Unpack the box that contains your new appliance on a sturdy table with plenty of space and inspect the contents.

Use the following list to verify that you received everything that should have been included in the box.

• The appliance you ordered

• One RJ-45 to DB-9 adapter

• One 6 ft RJ-45/DB-9 cable

• Two power cables

• One fiber patch cable

• One standard 4-post rail kit

Note: If the kit that you received does not fit your rack, contact your Citrix sales representative to order the appropriate kit.

In addition to the items included in the box with your new appliance, you will need the following items to complete the installation and initial configuration process.

• Ethernet cables for each additional Ethernet port that you will connect to your network

• One available Ethernet port on your network switch or hub for each Ethernet port you want to connect to your network

• A computer to serve as a management workstation

Preparing the Site and Rack

There are specific site and rack requirements for the CloudBridge 4000/5000 appliance. You must make sure that adequate environmental control and power density are available. Racks must be bolted to the ground, have sufficient airflow, and have adequate power and network connections. Preparing the site and rack are important steps in the installation process and help ensure a smooth installation.

Site Requirements

The appliance should be installed in a server room or server cabinet with the following features:

Environment control

An air conditioner, preferably a dedicated computer room air conditioner (CRAC), capable of maintaining the cabinet or server room at a temperature of no more than 21 degrees C/70 degrees F at altitudes of up to 2100 m/7000 ft, or 15 degrees C/60 degrees F at higher altitudes, a humidity level no greater than 45 percent, and a dust-free environment.

Power density

Wiring capable of handling at least 4,000 watts per rack unit in addition to power needs for the CRAC.

Rack Requirements

The rack on which you install your appliance should meet the following criteria:

Rack characteristics

Racks should be either integrated into a purpose-designed server cabinet or be the floor-to-ceiling type, bolted down at both top and bottom to ensure stability. If you have a cabinet, it should be installed perpendicular to a load-bearing wall for stability and sufficient airflow. If you have a server room, your racks should be installed in rows spaced at least 1 meter/3 feet apart for sufficient airflow. Your rack must allow your IT personnel unfettered access to the front and back of each server and to all power and network connections.

Power connections

At minimum, two standard power outlets per unit.

Network connections

At minimum, an Ethernet connection per rack unit.

Space requirements

Two empty rack units for CloudBridge 4000/5000 appliances.

Note: You can order the following rail kits separately.

• Compact 4-post rail kit, which fits racks of 23 to 33 inches.

• 2-post rail kit, which fits 2-post racks.

Cautions and Warnings

Electrical Safety Precautions

Caution: During installation or maintenance procedures, wear a grounding wrist strap to avoid ESD damage to the electronics of the appliance. Use a conductive wrist strap attached to a good earth ground or to the appliance. You can attach it to the connector beside the ESD symbol on the back.

Follow basic electrical safety precautions to protect yourself from harm and the appliance from damage.

• Be aware of the location of the emergency power off (EPO) switch, so that you can quickly remove power to the appliance if an electrical accident occurs.

• Remove all jewelry and other metal objects that might come into contact with power sources or wires before installing or repairing the appliance. When you touch both a live power source or wire and ground, any metal objects can heat up rapidly and may cause burns, set clothing on fire, or fuse the metal object to an exposed terminal.

• Use a regulating, uninterruptible power supply (UPS) to protect the appliance from power surges and voltage spikes, and to keep the appliance operating in case of power failure.

• Never stack the appliance on top of any other server or electronic equipment.

• All appliances are designed to be installed on power systems that use TN earthing. Do not install your device on a power system that uses either TT or IT earthing.

• Make sure that the appliance has a direct physical connection to the earth during normal use. When installing or repairing an appliance, always make sure that the ground circuit is connected first and disconnected last.

• Make sure that a fuse or circuit breaker no larger than 120 VAC, 15 A U.S. (240 VAC, 16 A international) is used on all current-carrying conductors on the power system to which your appliances are connected.

• Do not work alone when working with high voltage components.

• Always disconnect the appliance from power before removing or installing any component. When disconnecting power, first shut down the appliance, and then unplug the power cords of all the power supply units connected to the appliance. As long as the power cord is plugged in, line voltages can be present in the power supply, even when the power switch is OFF.

• Do not use mats designed to decrease static electrical discharge as protection from electrical shock. Instead, use rubber mats that have been specifically designed as electrical insulators.

• Make sure that the power source can handle the appliance's maximum power consumption rating with no danger of an overload. Always unplug any appliance before performing repairs or upgrades.

• Do not overload the wiring in your server cabinet or on your server room rack.

• During thunderstorms, or anticipated thunderstorms, avoid performing any hardware repairs or upgrades until the danger of lightning has passed.

• When you dispose of an old appliance or any components, follow any local and national laws on disposal of electronic waste.

• To prevent possible explosions, replace expired batteries with the same model or a manufacturer-recommended substitute and follow the manufacturer’s instructions for battery replacement.

• Never remove a power supply cover or any sealed part that has the following label:

Appliance Precautions

• Determine the placement of each component in the rack before you install the rail.

• Install the heaviest appliance first, at the bottom of the rack, and then work upward. Distribute the load on the rack evenly. An unbalanced rack is hazardous.

• Allow the power supply units and hard drives to cool before touching them.

• Install the equipment near an electrical outlet for easy access.

• Mount equipment in a rack with sufficient airflow for safe operation.

• For a closed or multiple-unit rack assembly, the ambient operating temperature of the rack environment might be greater than the ambient temperature of the room. Therefore, consider the lowest and highest operating temperatures of the equipment when making a decision about where to install the appliance in the rack.

Rack Precautions

• Make sure that the leveling jacks on the bottom of the rack are fully extended to the floor, with the full weight of the rack resting on them.

• For a single-rack installation, attach a stabilizer to the rack.

• For a multiple-rack installation, couple (attach) the racks together.

• Always make sure that the rack is stable before extending a component from the rack.

• Extend only one component at a time. Extending two or more simultaneously might cause the rack to become unstable.

• The handles on the left and right of the front panel of the appliance should be used only for extending the appliance out of the rack. Do not use these handles for mounting the appliance on the rack. Use the rack-rail hardware, described later, instead.

Installing the Hardware

After you have determined that the location where you will install your appliance meets the environmental standards and the server rack is in place according to the instructions, you are ready to install the hardware. After you mount the appliance, you are ready to connect it to the network, to a power source, and to the console terminal that you will use for initial configuration. To complete the installation, you turn on the appliance. Be sure to observe the cautions and warnings listed with the installation instructions.

Rack Mounting the Appliance

Most appliances can be installed in standard server racks that conform to the EIA-310-D specification. The appliances ship with a set of rails, which you must install before you mount the appliance. The only tools that you need for installing an appliance are a Phillips screwdriver and a flathead screwdriver.

Caution: If you are installing the appliance as the only unit in the rack, mount it at the bottom. If the rack contains other units, make sure that the heaviest unit is at the bottom. If the rack has stabilizing devices available, install them before mounting the appliance.

A Citrix CloudBridge 4000/5000 appliance requires two rack units.

Each appliance ships with a mounting rail kit that contains two rail assemblies, one for the left side and the other for the right side of the appliance, and screws to attach the rails. An assembly consists of an inner rail and a rack rail. The supplied rail kit is 28 inches long (38 inches extended). Contact your Citrix sales representative to order a 23-inch (33 inches extended) rail kit.

Note: The same rail kit is used for both square-hole and round-hole racks. See figure 4 for specific instructions for threaded, round-hole racks.

To mount the appliance, you must first install the rails and then install the appliance in the rack.

Perform the following tasks to mount the appliance:

• Remove the inner rails from the rail assembly.

• Attach the inner rails to the appliance.

• Install the rack rails on the rack.

• Install the appliance in the rack.

To remove the inner rails from the rail assembly

1. Place the rail assembly on a flat surface.

2. Slide out the inner rail toward the front of the assembly.

3. Depress the latch until the inner rail comes all the way out of the rail assembly.

4. Repeat steps 1 through 3 to remove the second inner rail.

To attach the inner rails to the appliance

1. Position the right inner rail behind the handle on the right side of the appliance.

2. Align the holes on the rail with the corresponding holes on the side of the appliance.

3. Attach the rail to the appliance with the provided screws: 5 per side, as shown in the following figure.

Figure 1. Attaching inner rails

4. Repeat steps 1 through 3 to install the left inner rail on the other side of the appliance.

To install the rack rails on the rack

1. If you have a round-hole, threaded rack, skip to step 3.

2. Install square nut retainers into the front post and back post of the rack as shown in the following figures. Before inserting a screw, be sure to align the square nut with the correct hole for your appliance. The three holes are not evenly spaced.

Figure 2. Installing Retainers into the Front Rack Posts

Figure 3. Installing Retainers into the Rear Rack Posts

3. Install the adjustable rail assembly into the rack as shown in the following figures. Use a screw to lock the rear rail flange into the rack. With the screw securing the rail in place, you can optionally remove the latching spring.

Figure 4. Installing the Rail Assembly to the Rack

To install the appliance in the rack

1. Align the inner rails, attached to the appliance, with the rack rails.

2. Slide the appliance into the rack rails, keeping the pressure even on both sides.

3. Verify that the appliance is locked in place by pulling it all the way out from the rack.

Figure 5. Rack Mounting the Appliance

Installing and Removing 1G SFP Transceivers

Note: Some CloudBridge 4000/5000 appliances do not require SFP transceivers.

A Small Form-Factor Pluggable (SFP) is a compact transceiver that can operate at speeds of up to 1 gigabit per second and is available in both copper and fiber types. Inserting a 1G SFP copper transceiver converts the 1G SFP port to a 1000BASE-T port. Inserting a 1G SFP fiber transceiver converts the 1G SFP port to a 1000BASE-X port. Auto-negotiation is enabled by default on the 1G SFP port into which you insert your 1G SFP transceiver. As soon as a link between the port and the network is established, the speed and mode are matched on both ends of the cable.

Caution: CloudBridge 4000/5000 appliances do not support 1G SFP transceivers from vendors other than Citrix Systems. Attempting to install third-party 1G SFP transceivers on your CloudBridge 4000/5000 appliance voids the warranty.

Insert 1G SFP transceivers into the 1G SFP ports on the front panel of the appliance. Frequent installation and removal of transceivers shortens their life span. Follow the removal procedure carefully to avoid damaging the 1G SFP transceiver or the appliance.

Caution: Do not install the transceivers with the cables attached. Doing so can damage the cable, the connector, or the optical interface of the transceiver.

To install a 1G SFP transceiver

1. Remove the 1G SFP transceiver carefully from its box.

Danger: Do not look directly into fiber optic transceivers or cables. They emit laser beams that can damage your eyes.

2. Align the 1G SFP transceiver to the front of the 1G SFP transceiver port on the front panel of the appliance, as shown in the following figure.

Note: The illustration in the following figures might not represent your actual appliance.

Figure 1. Installing a 1G SFP transceiver

3. Hold the 1G SFP transceiver between your thumb and index finger and insert it into the 1G SFP transceiver port, pressing it in until you hear the transceiver snap into place.

4. Lock the transceiver.

5. Verify that the LED is green and blinks twice, which indicates that the transceiver is functioning correctly.

6. If you are using a fiber 1G SFP transceiver, do not remove the dust caps attached to the transceiver and the cable until you are ready to insert the cable.

To remove a 1G SFP transceiver

1. Disconnect the cable from the 1G SFP transceiver. If you are using a fiber optic cable, replace the dust cap on the cable before putting it away.

Danger: Do not look directly into fiber optic transceivers or cables. They emit laser beams that can damage your eyes.

2. Unlock the 1G SFP transceiver.

3. Hold the 1G SFP transceiver between your thumb and index finger and slowly pull it out of the port.

4. If you are removing a fiber 1G SFP transceiver, replace the dust cap before putting it away.

5. Put the 1G SFP transceiver into its original box or another appropriate container.

Installing and Removing 10G SFP+ Transceivers

Note: Some CloudBridge 4000/5000 appliances do not require SFP+ transceivers.

A 10-Gigabit Small Form-Factor Pluggable (SFP+) is a compact optical transceiver that can operate at speeds of up to 10 gigabits per second. Autonegotiation is enabled by default on the 10G SFP+ ports into which you insert your 10G SFP+ transceiver. As soon as a link between the port and the network is established, the mode is matched on both ends of the cable and for 10G SFP+ transceivers, the speed is also autonegotiated.

Caution: CloudBridge 4000/5000 appliances do not support 10G SFP+ transceivers provided by vendors other than Citrix Systems. Attempting to install third-party 10G SFP+ transceivers on your CloudBridge 4000/5000 appliance voids the warranty.

Insert the 10G SFP+ transceivers into the 10G SFP+ ports on the front panel of the appliance. Frequent installation and removal of transceivers shortens their life span. Follow the removal procedure carefully to avoid damaging the transceiver or the appliance.

Caution: Do not install the transceivers with the cables attached. Doing so can damage the cable, the connector, or the optical interface of the transceiver.

To install a 10G SFP+ transceiver

1. Remove the 10G SFP+ transceiver carefully from its box.

Danger: Do not look directly into fiber optic transceivers and cables. They emit laser beams that can damage your eyes.

2. Align the 10G SFP+ transceiver to the front of the 10G SFP+ transceiver port on the front panel of the appliance.

3. Hold the 10G SFP+ transceiver between your thumb and index finger and insert it into the 10G SFP+ transceiver port, pressing it in until you hear the transceiver snap into place.

4. Move the locking hinge to the DOWN position.

5. Verify that the LED is green and blinks twice, which indicates that the transceiver is functioning correctly.

6. Do not remove the dust caps attached to the transceiver and cable until you are ready to insert the cable.

To remove a 10G SFP+ transceiver

1. Disconnect the cable from the 10G SFP+ transceiver. Replace the dust cap on the cable before putting it away.

Danger: Do not look directly into fiber optic transceivers or cables. They emit laser beams that can damage your eyes.

2. Unlock the 10G SFP+ transceiver by moving the locking hinge to the UP position.

3. Hold the 10G SFP+ transceiver between your thumb and index finger and slowly pull it out of the port.

4. Replace the dust cap on the transceiver before putting it away.

5. Put the 10G SFP+ transceiver into its original box or another appropriate container.

Install Fiber Patch Cable in Ports 10/3 and 10/4

On a CloudBridge 4000/5000 appliance, ports 10/3 and 10/4 must be connected with the provided cable as shown in the following figure.

Figure 1. Installing the Patch Cable

To install the patch cable

1. Connect the LC-to-LC cable to the ports as shown in the figures above.

2. Install one end of the cable into port 10/3.

3. Install the other end of the cable into port 10/4.

Install Fiber Patch Cable in Ports 10/3 and 10/4

Through release 7.2.1, on an appliance, CloudBridge ports 10/3 and 10/4 must be connected with the provided cable, as shown in the following figure.

Starting with release 7.2.2, the patch cable is no longer required, and can be omitted if:

• The appliance was shipped from the factory with release 7.2.2 or later, or

• The appliance was shipped from the factory with release 7.2.1 or earlier, but you upgrade it to 7.2.2 or later and change the default loopback in the management service (on System > Configuration > System > Configure Loopback Settings).

Note: If you decide to eliminate the need to use loopback cable, the ports 10/3 and 10/4 are still reserved. These ports are not available for WAN optimization.

Figure 1. Installing the Patch Cable

To install the patch cable

1. Connect the LC-to-LC cable to the ports as shown in the figures above.

2. Insert one end of the cable into port 10/3.

3. Insert the other end of the cable into port 10/4.

Connecting the Cables

When the appliance is securely mounted on the rack, you are ready to connect the cables. Ethernet cables and the optional console cable are connected first. Connect the power cable last.

Danger: Before installing or repairing the appliance, remove all jewelry and other metal objects that might come in contact with power sources or wires. When you touch both a live power source or wire and ground, any metal objects can heat up rapidly and cause burns, set clothing on fire, or fuse the metal object to an exposed terminal.

Connecting the Appliance to the Network

Ethernet cables connect your appliance to the network. The type of cable you need depends on the type of port used to connect to the network. Use a category 5e or category 6 Ethernet cable with a standard RJ-45 connector on a 10/100/1000BASE-T port.

To connect an Ethernet cable to a 10/100/1000BASE-T port

1. Insert the RJ-45 connector on one end of your Ethernet cable into an appropriate port on the front panel of the appliance, as shown in the following figure.

Figure 1. Inserting an Ethernet cable

2. Insert the RJ-45 connector on the other end into the target device, such as a router or switch.

3. Verify that the LED glows amber when the connection is established.

Connecting the Console Cable

You can use the console cable to connect your appliance to a computer or terminal, from which you can configure the appliance. Before connecting the console cable, configure the computer or terminal to support VT100 terminal emulation, 9600 baud, 8 data bits, 1 stop bit, parity, and flow control set to NONE. Then connect one end of the console cable to the RS232 serial port on the appliance and the other end to the computer or terminal.

To connect the console cable to a computer or terminal

1. Insert the DB-9 connector at the end of the cable into the console port that is located on the front panel of the appliance, as shown in the following figure.

Figure 2. Inserting a console cable

Note: To use a cable with an RJ-45 converter, insert the optional converter provided into the console port and attach the cable to it.

2. Insert the RJ-45 connector at the other end of the cable into the serial port of the computer or terminal.

Connecting the Appliance to a Power Source

The CloudBridge 4000/5000 appliance has two power supplies, with one serving as a backup. A separate ground cable is not required, because the three-prong plug provides grounding. Power up the appliance by installing one or both power cords.

To connect the appliance to the power source

1. Connect one end of the power cable to the power outlet on the back panel of the appliance, next to the power supply, as shown in the following figure.

Figure 3. Inserting a power cable

2. Connect the other end of the power cable to a standard 110V/220V power outlet.

3. Repeat steps 1 and 2 to connect the second power supply.

Note: The appliance emits a high-pitched alert if one power supply fails or if you connect only one power cable to the appliance. To silence the alarm, you can press the small red button located on the back panel of the appliance.

Switching on the Appliance

After you have installed the appliance in a rack and connected the cables, verify that the power cable is properly connected. If you have installed a second power supply, make sure the second cable is connected to an outlet for a different circuit than the first. After verifying the connections, you are ready to switch on the appliance.

To switch on the appliance

1. Verify that the appliance is connected through a console or Ethernet port. This will ensure that you can configure the appliance after it is switched on.

2. Press the ON/OFF toggle power switch on the back panel of the appliance.

Caution: Be aware of the location of the emergency power off (EPO) switch, so that if an electrical accident occurs you can quickly remove power from the appliance.

Lights Out Management Port of the CloudBridge 4000/5000 Appliance

The CloudBridge 4000/5000 appliances have an Intelligent Platform Management Interface (IPMI), also known as the Lights out Management (LOM), port on the front panel of the appliance. By using the LOM, you can remotely monitor and manage the appliance, independently of the CloudBridge 4000/5000 software. You can remotely change the IP address, perform different power operations, and obtain health monitoring information of the appliance by connecting to the appliance through the LOM port.

By connecting the LOM port over a dedicated channel that is separate from the data channel, you can make sure that connectivity to the appliance is maintained even if the data network is down.

Accessing the LOM Port by using a Web Browser

By using a web browser you can remotely log on to the LOM port to obtain information about the appliance and perform different operations on the appliance.

To access the LOM by using a web browser

1. In a web browser, type the IP address of the LOM port. For initial configuration, type the port’s default address: http://192.168.1.3

2. In the User Name box, type nsroot.

3. In the Password box, type nsroot.

Configuring the LOM Port

For initial configuration of the lights-out management (LOM) port, connect to the port's default IP address and change it to the address that you want to use for remote monitoring and management. Also specify the administrator credentials and the network settings.

Note: The LEDs on the LOM port are nonoperational by design.

To Configure the NetScaler LOM Port

1. Connect the NetScaler LOM port to a management workstation or network.

2. In a web browser, type: http://192.168.1.3.

Note: The NetScaler LOM port is preconfigured with the IP address 192.168.1.3 and subnet mask 255.255.255.0.

3. In the User Name box, type nsroot.

4. In the Password box, type nsroot.

5. In the Configuration tab, click Network and type values for the following parameters:

• IP Address—IP address of the LOM port.

• Subnet Mask—Subnet mask used to define the subnet of the LOM port.

• Default Gateway—IP address of the router that connects the LOM port to the network.

6. Click Save.

Power Cycling the Appliance

You can remotely turn off the appliance and turn it back on. The result is similar to pressing the power button on the back panel of the appliance for less than four seconds.

To power cycle the appliance

1. In a web browser, type the IP address of the LOM port.

2. In the User Name and Password boxes, type the administrator credentials.

3. In the Menu bar, click Remote Control.

4. Under Options, click Power Control, and then click Power Cycle System.

5. Click Perform Action.

Accessing the Appliance by using the Access Console

The LOM port allows you to remotely access and manage the appliance by logging on to a redirected console.

To access the appliance by using the access console

1. In a web browser, type the IP address of the LOM port.

2. In the User Name and Password boxes, type the administrator credentials.

3. In the Menu bar, click Remote Control.

4. Under Options, click Console Redirection.

5. Click Launch Console, and then click Yes.

6. Type the administrator credentials for the appliance.

Obtaining Health Monitoring Information

You can log on to the LOM port to view the health information about the appliance. All system sensor information, such as system temperature, CPU temperature, status of fan and power supplies, appears on the sensor readings page.

To obtain health monitoring information

1. In a web browser, type the IP address of the LOM port.

2. In the User Name and Password boxes, type the administrator credentials.

3. In the Menu bar, click System Health.

4. Under Options, click Sensor Readings.

Power Control Operations using the LOM Port

You can remotely perform different power control operations, such as restarting the appliance, performing a graceful shutdown, and performing a forced shutdown, by using the LOM port.

To perform power control operations

1. In a web browser, log on to the LOM port by using the administrator credentials.

2. In the Menu bar, click Remote Control.

3. Under Options, click Power Control, and then select one of the following options:

• Reset System—Restart the appliance.

• Power Off System – Immediate—Disconnect power to the appliance without shutting down the appliance.

• Power On System—Turn on the appliance.

• Power Cycle System—Turn off the appliance, and then turn it back on.

4. Click Perform Action.

Planning the Deployment

CloudBridge 4000/5000 deployments require adequate planning, especially for units deployed in large datacenters:

• An appropriate appliance or group of appliances must be selected to support both the current and anticipated load.

• A deployment mode must be selected to match the requirements of your site.

• Other aspects must also be considered.

Sizing Guidelines

For successful deployment of one or more CloudBridge 4000/5000 appliances in your datacenter, keep the following principles in mind:

• You must provide enough CloudBridge 4000/5000 peak-load capacity, in terms of WAN bandwidth and the number of users. See the current specifications sheet for the capacities of different CloudBridge 4000/5000 models: http://www.citrix.com/content/dam/citrix/en_us/documents/products/cloudbridge-branch-repeater-spec-sheet.pdf (In the spec sheet, the number of users is referred to as "HDX sessions"). Ensure adequate peak-load capacity, both for now and for the time until you expect to upgrade. Acceleration is resource intensive, and performance suffers if the appliance runs short of resources. Never overcommit any CloudBridge appliance, especially in the datacenter. Provision your datacenter to easily accommodate peak loads.

• Provide enough capacity for expected expansion over the life of the deployment. CloudBridge 4000/5000 appliances using the same hardware platform can have their capacity upgraded with a new license as part of the Citrix pay-as-you-grow program. CloudBridge 4000/5000 models 310, 500, and 1000 use one hardware platform, and models 1500 and 2000 use another hardware platform. This means that, for example, a CloudBridge 4000/5000 500 can be converted through a license upgrade to a CloudBridge 4000/5000 1000, but not to a CloudBridge 4000/5000 1500.

• For more capacity than can be provided by a single appliance, multiple CloudBridge 4000/5000 appliances can be cascaded behind a stand-alone NetScaler appliance.

• Different models have differing numbers of traffic ports. If you require multiplebridges, make sure your model has at least as many as you need.

Selecting a Deployment Mode

The CloudBridge 4000/5000 appliance can be deployed inline or in a one-arm mode. Inline deployments do not require router reconfiguration; one-arm modes do. CloudBridge 4000/5000 offers internal port bypassing (fail-to-wire) to allow traffic to continue flowing in inline mode if the appliance fails.

Note: Only the one-arm WCCP mode (with a single router) is documented at this time. Inline mode is not yet documented. Citrix recommends WCCP mode at this time.

Different CloudBridge 4000/5000 models offer different numbers of accelerated bridges. Models with multiple accelerated bridges can accelerate multiple inline WAN links. See the specifications sheet for more details, http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/cloudbridge-data-sheet.pdf.

Deploying a Single CloudBridge 4000/5000 Appliance (or HA Pair)

A standalone CloudBridge 4000/5000 appliance can be deployed in either of these two recommended modes:

• Inline, bridged (L2 inline). This closely resembles a standard CloudBridge inline deployment. Packets enter one bridge port and exit the other bridge port.

• One-arm, WCCP. This resembles a standard CloudBridge WCCP deployment.

Citrix also supports the following two modes (which are outside the scope of this document):

• Inline, routed. The NetScaler instance uses routing rules instead of bridging rules to determine how to forward packets.

• Virtual inline. This resembles WCCP, but lacks built-in health-checking.

In L2 inline mode, CloudBridge 4000/5000 is placed between your LAN and your WAN router (or other aggregation point at the LAN-WAN boundary). In a one-arm mode, CloudBridge 4000/5000 is generally connected directly to a dedicated port on your WAN router.

In cases where the WAN router ports are not as fast as the LAN (for example, when the WAN router has gigabit Ethernet, but the LAN has 10 gigabit Ethernet), inline mode provides better performance, because its LAN-side traffic is not limited to the speed of the router interface. (Compression allows the LAN-side traffic to be much faster than WAN-bound traffic under favorable conditions.)

Considerations:

• The inline modes require no reconfiguration of your routers, but involve a service disruption when bringing the appliance into service.

• One-arm modes require router reconfiguration but do not require a service disruption.

• Inline mode has higher performance than the other modes.

• One-arm modes are limited to half the speed of the router or switch port they are attached to.

• With WCCP mode, configuring the router to send only a fraction of the WAN traffic to CloudBridge 4000/5000 (as little as the traffic from a single remote site or even a single remote IP address) makes it easy to bring up and test the installation gradually. Inline mode requires that all WAN traffic pass through the appliance.

• WCCP mode requires more configuration of the CloudBridge 4000/5000 appliance than do other modes, but is more standardized and provides more status information on the router.

Recommendation:

• The greater control provided by WCCP, and especially the ability to put the deployment into service in stages, makes WCCP the mode of choice for larger, more complex datacenters, especially if there might be a possibility of overloading the CloudBridge 4000/5000 appliance.

• Inline mode is convenient for smaller WAN networks and simpler datacenters. It is most commonly used with the CloudBridge 4000/5000 310 and 500, and more rarely with the larger appliances.

• Cascaded installations should use WCCP.

Note: Only WCCP mode (with a single router) is currently documented.

Selecting a Load Balancing Method

By default, the CloudBridge 4000/5000 Provisioning Wizard sets up load balancing to handle different kinds of connections appropriately. This default behavior is adequate for most installations.

Sending all the connections from the same remote accelerator to the same local accelerator maximizes the benefits of CloudBridge compression, and the default load balancing method accomplishes this. If an instance becomes overloaded or unavailable, new connections are reallocated.

Default Load Balancing Behavior

By default, the NetScaler instance uses the least-connection method to balance the load across the accelerators. This method applies whether or not the connections are accelerated. Connections are persistent, but persistency is discontinued for an instance that becomes overloaded, and is lost if the local appliance is restarted or when no traffic from a remote appliance is seen for more than 24 hours.

Accelerated connections

For incoming accelerated connections (that is, connections with CloudBridge options in the header of the SYN packet), all connections from a given remote CloudBridge are sent to the same local accelerator.

The identity of the remote CloudBridge is determined by one of the CloudBridge SYN options: the "AgentID" field, which contains the management IP address of the remote CloudBridge.

This method is used for connections from remote CloudBridge appliances and remote CloudBridge Plug-ins.

Other connections

Incoming non-accelerated connections and all outgoing connections are also distributed among the accelerators according to the least-connection method, but since they do not contain an AgentID field, they cannot use AgentID persistence. Instead, they use SRCIPDESTIP persistence, meaning that connections with the same IP addresses use the same accelerator.

Bypassing Overloaded Instances

If an instance is overloaded, the NetScaler instance bypasses it for new connections, sending them through without acceleration. Existing connections continue to be sent to the instance.

This behavior is controlled by the skipPersistency parameter. The default behavior is -skippersistency ReLB. The alternative behavior, -skippersistency bypass, instructs the NetScaler instance to pass the connection through without sending it to an accelerator.

Optional Load Balancing Behavior

The default load balancing behavior is adequate for most installations, but sometimes customization is needed. This is most commonly true when a few remote sites have much more traffic than the rest. In that case, it can be worthwhile to assign these large sites to accelerators explicitly.

Optional load balancing behavior includes the use of static routing (for hand-crafted load balancing) and variations on the least-connection with AgentID and SRCIPDESTIP persistence methods used in the default configuration. The behavior for dealing with overloaded instances can be changed from assigning connections to a different instance to passing them through as unaccelerated.
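The following Python model is an added illustration, not Citrix or NetScaler code and not part of the original documentation. It walks through the least-connection method with AgentID and SRCIPDESTIP persistence, the 24-hour persistence timeout, and the two skipPersistency behaviors described in this section. The class and function names, the per-accelerator connection threshold used to decide "overloaded", the constructed addresses, and returning no accelerator when every instance is overloaded are assumptions.

```python
from dataclasses import dataclass

# The section states persistence is lost after 24 hours without traffic.
PERSISTENCE_TIMEOUT = 24 * 3600  # seconds


@dataclass
class Accelerator:
    name: str
    capacity: int      # assumed overload threshold, in concurrent connections
    active: int = 0

    @property
    def overloaded(self) -> bool:
        return self.active >= self.capacity


class Balancer:
    """Least-connection balancing with AgentID / SRCIPDESTIP persistence."""

    def __init__(self, accelerators, skip_persistency="ReLB"):
        if skip_persistency not in ("ReLB", "bypass"):
            raise ValueError("skip_persistency must be 'ReLB' or 'bypass'")
        self.accels = list(accelerators)
        self.skip = skip_persistency
        self.table = {}  # persistence key -> (Accelerator, last_seen)

    @staticmethod
    def persistence_key(conn):
        # Accelerated SYNs carry an AgentID (the remote unit's management IP).
        if conn.get("agent_id"):
            return ("AGENTID", conn["agent_id"])
        # Everything else persists on the source/destination address pair.
        return ("SRCIPDESTIP", conn["src"], conn["dst"])

    def _least_connection(self):
        candidates = [a for a in self.accels if not a.overloaded]
        return min(candidates, key=lambda a: a.active) if candidates else None

    def assign(self, conn, now):
        """Return the accelerator name, or None if passed through unaccelerated."""
        key = self.persistence_key(conn)
        entry = self.table.get(key)
        if entry is not None and now - entry[1] > PERSISTENCE_TIMEOUT:
            del self.table[key]          # idle for more than 24 hours
            entry = None
        target = entry[0] if entry else None
        if target is not None and target.overloaded:
            if self.skip == "bypass":
                return None              # pass through without acceleration
            target = None                # ReLB: pick another instance
        if target is None:
            target = self._least_connection()
            if target is None:
                return None              # assumption: nothing left to assign
        target.active += 1
        self.table[key] = (target, now)
        return target.name

    def release(self, name):
        """Record that one connection on the named accelerator has closed."""
        for accel in self.accels:
            if accel.name == name and accel.active > 0:
                accel.active -= 1


def demo(skip_persistency):
    """Run one constructed connection sequence under the given mode."""
    lb = Balancer([Accelerator("accel-1", capacity=2),
                   Accelerator("accel-2", capacity=3)], skip_persistency)
    # Constructed sample connections (not taken from the documentation).
    site_a = {"agent_id": "10.0.1.5", "src": "10.0.1.20", "dst": "172.16.0.9"}
    plain = {"agent_id": None, "src": "192.0.2.7", "dst": "172.16.0.9"}
    sequence = [site_a, plain, site_a, site_a, plain]
    return [lb.assign(conn, now) for now, conn in enumerate(sequence)]


if __name__ == "__main__":
    for mode in ("ReLB", "bypass"):
        print(mode, demo(mode))
```

In the constructed sequence the fourth connection arrives after accel-1 has reached its threshold, so the two modes diverge only at that point: ReLB moves the remote site to accel-2, while bypass leaves the connection unaccelerated.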

Gathering Information Needed for Configuration

Accurate information about both the local and the remote sites is essential to troubleshooting. Before installing the CloudBridge 4000/5000 appliance, make sure that you have done the following:

1. Obtained or drawn an accurate network diagram of your local site (the one in which you are installing CloudBridge 4000/5000). The local network topology and the capabilities of your WAN routers determine which deployment modes are appropriate for the site.

2. Chosen the deployment mode of the local CloudBridge 4000/5000 appliance (for example, WCCP or inline, with or without HA and cascading).

3. Compiled a list of critical applications that must be tested to validate the deployment.

4. Obtained or drawn an accurate network diagram of your WAN, including both the local and the remote WAN links, their bandwidths in both directions, their subnets, and whether they are accelerated. In deployments with many remote sites, an aggregate of the different categories (accelerated and non-accelerated) is probably sufficient, and only the largest remote sites need to be considered individually.

5. Determined whether there are multiple datacenters with datacenter-to-datacenter traffic, and whether any remote datacenters have a CloudBridge 4000/5000 appliance.

6. Decided whether you plan to increase WAN capacity, the number of sites, or the number of users in the next 24 months. If so, the corresponding CloudBridge 4000/5000 capacity should be installed now.

7. If possible, formed an idea of the traffic breakdown over the WAN, including TCP traffic to and from CloudBridge-accelerated sites, other TCP traffic, ICA users, HDX sessions, and real-time traffic such as VoIP. CloudBridge 4000/5000 needs to be provisioned for the peak loads in terms of accelerated TCP connections, ICA users, and total WAN link capacity.

8. Determined the number of WAN links in the local site. Are they independent, or are they load balanced? If so, are they active-active or active-standby?

9. Determined the current, unaccelerated RTT of the remote sites during peak periods.

10. Identified any QoS devices or proxies in the path between the local and remote sites. QoS devices should be on the WAN side of CloudBridge 4000/5000. Proxies should be on the LAN side.

Initial Configuration

After you have mounted your appliance in a rack, connected the cables, and connected the power cord, you are ready to configure the appliance. To configure the appliance, complete the following tasks:

• Make sure that the prerequisites are met.

• In the Deployment worksheet, record all IP addresses and other values you would use to configure the appliance. Preferably, take a printout of the worksheet before you start the configuration process.

• Access the appliance

• Configure the appliance

By default, the initial configuration deploys the appliance in the inline mode. For simple inline mode, no further configuration is necessary. Other deployment modes require additional configuration.

Prerequisites

To deploy a Citrix CloudBridge 4000/5000 appliance, you must complete the following prerequisite setup before configuring the appliance.

Software Versions

This document covers release 7.0 of the CloudBridge software. See the release notes for the recommended versions of the NetScaler software corresponding to the desired release of the CloudBridge software. Never use any versions other than those recommended for CloudBridge 4000/5000.

License File

The number of accelerators on a CloudBridge 4000/5000 appliance depends on the hardware platform and the type of license you apply to the appliance. The following list displays the number of accelerators that will be provisioned automatically by the Configuration Wizard:

• Model 310: Two

• Model 500: Three

• Models 1000 and 1500: Six

• Model 2000: Eight

Before you start provisioning the appliance, Citrix recommends that you have the license file with you, as it is required early in the configuration process. To download a license file, complete the procedure available in the My Account All Licensing Tools - User Guide.

Installing the Hardware

After you receive the hardware appliance from Citrix, you need to install it in the network. Complete the following procedures to install the hardware.

Installing the Hardware in the Network

To install the CloudBridge 4000/5000 appliance hardware, follow the installation procedure at Installing the Hardware.

Creating a Loopback Adapter

Plug the loopback cable provided with the appliance into ports 10/3 and 10/4 to create a loopback adapter. The loopback adapter is used for the communication between the NetScaler and accelerators.

Deployment Worksheet

The appliance uses at least two ports: the management port (typically 0/1) and the traffic port (such as 10/1). Inline mode uses traffic ports in pairs, such as ports 10/1 and 10/2. Ports need to be selected in advance, since the configuration depends on their identity.

The appliance uses three subnets directly: the management subnet, the external traffic subnet, and the internal traffic subnet. Multiple IP addresses are used on each subnet. Each subnet must be specified along with the correct subnet mask.

VLANs are also used internally to isolate management traffic from data traffic. When multiple bridges are used, internal VLANs also restrict traffic to the correct bridge.

The following figure is a worksheet for these parameters. It supports inline and WCCP modes, with and without HA. The table below the figure describes what each entry means.

Figure 1. Deployment worksheet

Table 1. Deployment Worksheet Parameters

| Item | Parameter | Example | Your Value | Description |
|---|---|---|---|---|
| Management Subnet | | | | |
| M1. | Management Port | 0/1 | | Ethernet port used for configuration and management. |
| M2. | Gateway IP address | 10.199.79.254 | | Default gateway serving the management subnet. |
| M3. | Subnet Mask | 255.255.255.128 | | Subnet mask for the management subnet. |
| M4. | Xen Hypervisor IP address | 10.199.79.225 | | IP address of Xen Hypervisor. |
| M5. | Service VM IP address | 10.199.79.226 | | IP address of Service VM, which controls configuration. |
| M6. | Accelerator UI | 10.199.79.227 | | Unified Accelerator Interface, also called the Broker UI, which manages the instances as a unit. |
| M7-M15. | CloudBridge Management IP addresses | 10.199.79.227-235 | | A block of 2-8 IP addresses (depending on model). These are the management IP addresses of the individual instances. |
| M16. | Internal Management VLAN | 400 | | Used internally (only) to isolate management traffic from WAN traffic. |
| M17. | NetScaler Management IP address | 10.199.79.245 | | IP address of the NetScaler instance's GUI and CLI interfaces. |
| External Traffic Subnet | | | | |
| T1. | Router IP address | 172.17.17.1 | | IP address of router on external traffic subnet. |
| T2. | Subnet Mask | 255.255.255.0 | | Subnet mask of external traffic subnet. |
| T3. | NetScaler IP address | 172.17.17.2 | | NetScaler IP address on external traffic subnet. |
| T4. | External Signaling IP address | 172.17.17.10 | | Traffic to this IP address is load-balanced between the signaling IP addresses of the accelerators. |
| T5. | External WCCP IP address #1 | 172.17.17.11 | | Maps via NAT to WCCP VIP on accelerator #1. |
| T6. | External WCCP IP address #2 | 172.17.17.12 | | Maps via NAT to WCCP VIP on accelerator #2. |
| T7. | Local LAN Subnets | 10.200.0.0/16 | | A list of all the local LAN subnets at the site containing the appliance, with the exception of the management subnet. |
| T8. | GRE Router HostID | NA | | WCCP-GRE only. Host ID of GRE router. |
| T9. | Traffic Port | 10/1 | | Port used for accelerated traffic. |
| T10+. | (Inline) Additional Traffic Port | | | Other traffic port in pair. |
| T11, T12 | (WCCP) Service Groups: TCP, UDP | 71, 72 | | Service groups used by accelerator #1 for WCCP. First is for TCP traffic, second is for UDP. |
| T13, T14 | (WCCP-L2) Service Groups | 73, 74 | | Service groups used by accelerator #2 for WCCP. Not used with WCCP-GRE. |
| T15, T16 | (Inline) Ports used by link #2 | 10/5, 10/6 | | If multiple links are used with inline mode, these ports are used for link #2. |
| T17, T18 | (Inline) Ports used by link #3 | 10/7, 10/8 | | If multiple links are used with inline mode, these ports are used for link #3. |
| T19 | VLAN for Bridge #1 | 1000 | | Internal (untagged) VLAN for bridge #1. Should be a VLAN not used by your network |
| T20 | VLAN for Bridge #2 | 2000 | | Internal (untagged) VLAN for bridge #2. Should be a VLAN not used by your network |
| T21 | VLAN for Bridge #3 | 3000 | | Internal (untagged) VLAN for bridge #3. Should be a VLAN not used by your network |
| VLAN1.1, VLAN1.2, VLAN1.3, VLAN1.4 | External VLANs for Bridge #1 | 412 | | When VLAN trunking is used, these are tagged VLANs crossing bridge #1. |
| VLAN2.1, VLAN2.2, VLAN2.3, VLAN2.4 | | | | When VLAN trunking is used, these are tagged VLANs crossing bridge #2. |
| VLAN3.1, VLAN3.2, VLAN3.3, VLAN3.4 | External VLANs for Bridge #1 | | | When VLAN trunking is used, these are tagged VLANs crossing bridge #3. |
| Private Traffic Subnet | | | | |
| P1. | Gateway (NetScaler IP address) | 192.0.2.1 | | NetScaler IP address on private traffic subnet. This can be any subnet that is never used by your organization. |
| P2. | Subnet Mask | 255.255.255.0 | | Private traffic subnet mask. |
| P3-P10. | accelerators' apA Addresses | 192.0.2.10 | | Block of 2-8 IP addresses, depending on model, for the apA ports on the 2-8 accelerators. |
| P11-P18. | accelerators' Signaling IP Addresses | 192.0.2.20 | | Block of 2-8 IP addresses, depending on model, for the signaling IP addresses on the 2-8 accelerators. |
| P19 | VLAN | 500 | | For port affinity, VLANs must be assigned to the private network. |

Accessing the Appliance

Before you start configuring the appliance, you must log on to the Management Service user interface of the appliance. To do so, complete the following procedure:

1. In the address field of a web browser, enter the management service IP address, which defaults to http://192.168.100.1.

2. On the Login page, in the User Name box, type nsroot.

3. In the Password box, type nsroot.

Figure 1. Login page of the CloudBridge 4000/5000 appliance

4. Click Login.

Note: If you want to set a timeout value for the session or display a specific tab after logging on to the appliance, click the Show Options link and make changes, as appropriate, before you click Login.

Configuring the Appliance

After filling out the configuration worksheet, you are ready to provision the connector and accelerator instances. The first time you log on to the appliance, the configuration wizard appears.

When using the configuration wizard, keep the following points in mind:

• This procedure assumes that you have already filled out the configuration worksheet.

• If you change the IP addresses of the Management Network, or change the default gateway to an address not on the Management Network, you lose connectivity to the appliance unless you are on the same Ethernet segment as the management port.

• When using the configuration wizard, check your entries carefully. The wizard has no Back button. If you need to modify the previous screen, use the Back button on your browser. This takes you to the logon page, then the previous screen.

• The configuration wizard is displayed only when you log on to the appliance for the first time to configure the appliance. After you finish configuring the appliance, this Wizard becomes inaccessible. To run it again, delete the NetScaler, Accelerator (Broker) and individual Accelerator instances and log out. Upon logon, the wizard runs again. Check your entries carefully.

• The configuration wizard does not do range checking. For example, it will accept a default gateway that is not on the same subnet as the interface, and it will allow overlapping IP address assignments. Check your entries carefully.
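Because the wizard performs no range checking, the worksheet can be checked before any value is typed in. The following Python script is an added example, not Citrix code: it flags addresses that fall outside their subnet and addresses claimed by more than one item. The dictionary keys `model`, `apA_start` and `signaling_start`, and the use of M5, T3 and P1 as the interface address that defines each subnet, are assumptions; the sample values are constructed from the worksheet's Example column.

```python
import ipaddress
from collections import defaultdict

# Accelerators provisioned per model (from the list earlier in this document).
ACCELERATORS = {"310": 2, "500": 3, "1000": 6, "1500": 6, "2000": 8}


def block(start, count):
    """Expand a start address into `count` consecutive addresses."""
    first = ipaddress.ip_address(start)
    return [first + i for i in range(count)]


def validate_worksheet(ws):
    """Return a list of problems; an empty list means the entries are consistent."""
    n = ACCELERATORS[ws["model"]]
    problems = []
    owners = defaultdict(list)  # address -> worksheet items that claim it

    def check(subnet_name, anchor, mask, members):
        # The subnet is derived from the interface address and its mask.
        net = ipaddress.ip_network(f"{anchor}/{mask}", strict=False)
        for item, addr in members:
            addr = ipaddress.ip_address(str(addr))
            owners[addr].append(item)
            if addr not in net:
                problems.append(f"{item} {addr} is not on the {subnet_name} subnet {net}")
            elif addr in (net.network_address, net.broadcast_address):
                problems.append(f"{item} {addr} is the network or broadcast address of {net}")

    # Management subnet, anchored on the Service VM address (assumption: M5).
    check("management", ws["M5"], ws["M3"],
          [(k, ws[k]) for k in ("M2", "M4", "M5", "M6", "M17")])

    # External traffic subnet, anchored on the NetScaler address (assumption: T3).
    check("external traffic", ws["T3"], ws["T2"],
          [(k, ws[k]) for k in ("T1", "T3", "T4", "T5", "T6")])

    # Private traffic subnet: gateway plus the apA and signaling blocks,
    # each expanded to one address per accelerator for this model.
    private = [("P1", ws["P1"])]
    private += [(f"apA#{i + 1}", a) for i, a in enumerate(block(ws["apA_start"], n))]
    private += [(f"signaling#{i + 1}", a)
                for i, a in enumerate(block(ws["signaling_start"], n))]
    check("private traffic", ws["P1"], ws["P2"], private)

    # Overlap check: any address claimed by two or more worksheet items.
    for addr, items in sorted(owners.items()):
        if len(items) > 1:
            problems.append(f"{addr} is assigned to more than one item: {', '.join(items)}")
    return problems


# Constructed sample: values from the worksheet's Example column, Model 2000.
GOOD = {
    "model": "2000",
    "M2": "10.199.79.254", "M3": "255.255.255.128", "M4": "10.199.79.225",
    "M5": "10.199.79.226", "M6": "10.199.79.227", "M17": "10.199.79.245",
    "T1": "172.17.17.1", "T2": "255.255.255.0", "T3": "172.17.17.2",
    "T4": "172.17.17.10", "T5": "172.17.17.11", "T6": "172.17.17.12",
    "P1": "192.0.2.1", "P2": "255.255.255.0",
    "apA_start": "192.0.2.10", "signaling_start": "192.0.2.20",
}

# Constructed bad sample: gateway off-subnet, signaling block overlapping apA.
BAD = dict(GOOD, M2="10.199.80.254", signaling_start="192.0.2.15")

if __name__ == "__main__":
    for name, ws in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_worksheet(ws) or "no problems found")
```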

This wizard walks you through a fresh configuration of the appliance.

To configure the appliance by using the configuration wizard:

1. On the Welcome page, click Get Started.

2. On the Platform Configuration page, specify values for the various fields according to the network settings. The following figure displays sample values used in this documentation. Enter values as follows:

a. The Network Configuration section specifies the basic configuration of the management network. The settings are:

• Interface—(Item M1 on your worksheet.) This is the network port used for management. Use the default value of 0/1.

• XenServer IP Address—(Item M4 on your worksheet, or H4 if this is the second appliance in an HA pair.) The management address of the built-in XenServer hypervisor. This must be a valid address on the management network.

• Management Service IP Address—(Item M5 on your worksheet, or H5 if this is the second appliance in an HA pair). The address of the Service VM that you use to perform most system management. This must be a valid address on the management network.

• Netmask—(Item M3 on your worksheet). The subnet mask of the management network.

• Gateway—(Item M2 on your worksheet). The default gateway for the management network.

• DNS Server—(Optional) The IP address of the DNS server.

b. The System Settings section contains miscellaneous settings:

• NetScaler Encryption—Type of access, either HTTP or HTTPS, to the service VM GUI.

• Reserved Interface—One port of the loopback interface. Always set this to 10/3.

• Load Balancing Interface—The other port of the loopback interface. Always set this to 10/4.

• VM Auto Power On—Start the virtual machines when the appliance powers up. Always leave this option checked.

• Secure Access Only—Leave unchecked for now.

• Time Zone—Select your time zone from the pull-down menu.

c. The Admin Password section requires that you set an nsroot password for the Service VM. Recovery is awkward if this password is lost, so be careful.

d. Check your settings and click Done. The Manage License Files page appears.

Figure 1. Sample values for the fields in the Network Configuration page of the configuration wizard

3. In the Manage License Files page, see if an appropriate license is already listed in the Name field. If so, skip to step 7.

4. Click Choose File.

5. Navigate to the folder that contains the license file and open the file.

6. Click Add License and upload the license file provided to you by Citrix. The license is added to the appliance, as shown in the following figure.

Figure 2. Sample license added to the appliance in the Manage License Files page of the configuration wizard

You can also get a license file from the Citrix.com website by clicking the Get License link and using your My Citrix credentials.

7. Select the license in the Name field and click Continue. The CloudBridge Setup page appears. Fill in the fields as follows:

a. Network Section—This section informs the accelerators of the management network.

• Start IP Address—Enter the value of M6 from your worksheet (or H6, if this is the second appliance in an HA pair). This is the management address of the Broker UI, which allows you to manage the accelerator instances as if they were a single instance. The management addresses of the individual accelerators follow this address. For example, an appliance with three accelerator instances would use M6+1, M6+2, and M6+3 as the IP addresses for these instances. The IP address following the last accelerator instance (M6+4 in this example) is assigned to the NetScaler instance.

• Netmask—Enter the value of M3 from your worksheet. This is the subnet mask (netmask) of the management network (note that you have already entered this once, on the Network Configuration page).

• Gateway—Enter the value of M2 from your worksheet again.

b. Provision CloudBridge Section—This section contains a mixture of information about the virtual machine used by the CloudBridge Accelerators and the definition of the private internal traffic network.

• Provision Type field—Specify Template Based (note that this is not the default).

• Template field—Select a template file from the pull-down menu. For a new appliance, only one template is available.

• apA Start IP Address field—Enter the value of P3 from your worksheet. This is the IP address of apA of accelerator #1. The wizard allocates a range of 2-8 IP addresses, depending on model number, beginning with this address.

• Signaling Start IP Address field—Enter the value of P4 from your worksheet. This is the signaling IP address of CloudBridge #1. The wizard allocates a range of 2-8 IP addresses, depending on model number, beginning with this address. These are on the same subnet as the apA addresses, and the signaling IP addresses must not overlap the apA addresses.

• Netmask field—Enter the value of P2 from your worksheet. This is the subnet mask of your private internal traffic subnet.

• Gateway field—Enter the value of P1 from your worksheet. This is the gateway for your private internal traffic subnet.

c. Provision NetScaler Section—This section selects the template to apply to the NetScaler instance, and an externally visible IP address on the external traffic network. This address is mapped (through NAT) and load-balanced across the accelerators' signaling IP addresses.

• Provision Type field—Select Template Based.

• Template field—Select a template from the pull-down menu. For a new unit, only one option is available.

• Signaling IP Address field—Enter the value of T4 from your worksheet, specifying an available, externally visible signaling port address on the external traffic network. This address is used to reach the signaling IPs through the NetScaler’s load balancing.

Figure 3. CloudBridge Setup page

8. Click Continue. The wizard starts provisioning the required instances, as shown in the following figure.

Figure 4. Provisioning progress indicator

9. Wait for the instances to come on line. Open a new browser tab or window and navigate to the appliance. For each instance, Configuration > Repeater > Instances or Configuration > NetScaler > Instances should show a green status for both VM State and Instance State. This may take several minutes.

10. (Release 6.2.3 and earlier) After the instances are provisioned, add your local LAN subnets to the Forwarding Session section from list T7 in your worksheet, as shown in the following figure. This list should contain all the local subnets with servers or clients, except for the management subnet. Click Add to add each subnet, and Done once you have added your last subnet.

Figure 5. Sample values for the fields under the Forwarding Session section of the CloudBridge Setup page

11. (Release 6.2.4 and later). No forwarding sessions need be added. Instead, the page allows you to add routes and define subnets if desired. These are optional.

12. On the Configuration > System page, click the Upgrade Resources or Enable QoS link (the name of the link varies by release). This will perform the final provisioning step, and may take several minutes to complete.

13. Add Subnet IP. On the NetScaler instance, two Subnet IP (SNIP) addresses must be defined. One subnet IP address declares the external traffic subnet. The other declares the private traffic subnet. Setting these subnet IP addresses is done from the NetScaler instance.

14. From the Service VM (Item M17 on your worksheet), access the NetScaler instance by clicking the NetScaler instance’s IP address on the Configuration > Instances > NetScaler page. You will be logged into the NetScaler instance automatically. Note that the NetScaler GUI uses Java, which must be enabled on the system you are using to manage the appliance.

15. In the Navigation pane, expand the Network node. Select the IPs node.

Figure 6. Creating a SNIP address on the NetScaler instance

16. In the Create IP dialog box, specify a SNIP address in the IP Address field if it has not been created already by the configuration wizard (it will be listed on the IPs page if it has already been created). The first SNIP declares the external traffic network. Click Add. In the IP Address field, type the IP address (entry T1 in your worksheet). In the Netmask field, specify the network mask (entry T2 in your worksheet). From IP Type, make sure that the Subnet IP option is selected. Click Create and Close. You have created a SNIP address to communicate with the router.

17. Repeat the previous step to declare the private traffic network, using worksheet entry P1 as the IP address and entry P2 as the netmask, and click Create and Close.

18. Configure the management subnet VLAN. Navigate to System > Settings > Configure NSVLAN Settings. In the NSVLAN Id field, enter the VLAN Id for the management subnet (M16 on your configuration worksheet). Clear the Tagged checkbox (tagging is not supported on the management interfaces). In the Available Interfaces field, select the port from entry M1 in your worksheet (typically port 0/1) and click Add.

19. Click OK and then click Close. When prompted to save your configuration and restart the NetScaler instance, click Save (near the upper right-hand corner of the page) and then restart the NetScaler instance.

20. Wait for the instance to restart and then log on again.

21. Basic configuration is complete.

Next, perform deployment-mode-specific configuration (such as for WCCP mode).

Notes:

• You can also create an instance from an XVA image file uploaded to the appliance. Do not do so unless it is recommended by Support. To upload an XVA image to the appliance, select the Software Images node in the Configuration tab and upload the XVA image from the XVA Files tab.

• After provisioning instances, you cannot run the setup wizard again. If you need to run the wizard again to make any changes to the setup, you must perform a factory reset from Configuration > Management Services > Backup Files.

• After the wizard completes, the appliance is configured for the basic setup. To configure the appliance for a specific deployment scenario, see Deployment Modes.

Deployment Modes

CloudBridge 4000/5000 appliances have two recommended deployment modes: WCCP and inline. These modes are commonly used without high availability (HA), and less commonly with HA.

At this time, Citrix recommends WCCP mode, with a single router and without HA, for most deployments. Use inline mode when WCCP is not available.

Although not all of the following modes are recommended at this time, they are all supported:

• WCCP mode with a single router

• WCCP mode with a single router and high availability

• Cascade of two or more appliances in WCCP mode along with a NetScaler MPX Appliance

• Cascade of two or more appliances in WCCP mode along with a NetScaler MPX Appliance in HA

• Inline mode

• Inline mode in HA

• Virtual inline mode

• Virtual inline mode in HA

Note: While modes other than WCCP and inline are supported, they are incompletely documented and are not recommended for typical installations. Please contact your Citrix representative when considering one of these modes.

WCCP Mode

Web Cache Communication Protocol (WCCP) is a content-routing protocol developed by Cisco Systems. This protocol provides a mechanism for redirecting traffic flow between routers and appliances in real-time, with built-in health checking.

In the WCCP mode, your routers use WCCP 2.0 protocol to divert WAN traffic through the appliance. In this mode, the appliance uses only a single traffic port. You can either deploy the appliance on a dedicated router port (recommended) or use a shared router port if you isolate the appliances from other traffic through a VLAN.

In addition to being the recommended mode for most deployments, WCCP mode is useful when network packets from the same connection arrive over different WAN links (asymmetric routing).

The appliance contains several virtual machines. In particular, it contains a NetScaler instance, a management instance, and several accelerators. The accelerators connect to the NetScaler instance over a private internal traffic subnet, and the NetScaler is connected to the external traffic networks. Additionally, the instances share a management subnet.

As shown in the following figure, WCCP is a one-arm mode, typically using a dedicated network port on the WAN router.

Figure 1. Basic cabling for WCCP

The CloudBridge 4000/5000 appliance uses a private internal traffic subnet, and the NetScaler instance forwards traffic to and from the accelerators as necessary for acceleration. It also applies NAT to allow direct access to the accelerators' signaling IP and WCCP command channels. A NetScaler-owned subnet IP address (SNIP) is used to communicate with the accelerator. You must enable the MAC Based Forwarding (MBF) and Use Subnet IP address (USNIP) options on the NetScaler instance.

The following figure shows the two traffic networks of an appliance in one-arm mode (again, omitting the management subnet for clarity).

Figure 2. A CloudBridge 4000/5000 appliance deployed in the one-arm mode

Prerequisites

To begin configuring, managing, and monitoring the appliance, Management Service, accelerators, and NetScaler instance, use a web browser to connect to the Management Service user interface, and then provision a NetScaler instance on the appliance.

You are then ready to install your appliance in its rack and connect the power and network cables.

Use a web browser to connect to the Management Service user interface, and then provision a NetScaler instance on the appliance, by following the provisioning procedure.

Configuring a WCCP Deployment

When the CloudBridge appliance is installed and you have provisioned its NetScaler instance, you are ready to configure the NetScaler instance for WCCP. Finally, follow the configuring WCCP procedure. With that done, configure the router, and then configure the accelerators.

Best Practices

Citrix recommends that you consider the following best practices when configuring a CloudBridge 4000/5000 appliance in WCCP mode:

Redundancy when Configuring WCCP with L2 Forwarding

For a CloudBridge 4000/5000 deployment with a router using L2 forwarding, Citrix recommends that you configure two accelerators for WCCP negotiation with the router or list of routers for each protocol. The following details outline this recommendation:

• For each accelerator configured for WCCP negotiation, add a VIP address to the NetScaler instance.

• On the NetScaler instance, configure the apA port of the accelerator to make sure that the port is “natted” to the newly added VIP address on the NetScaler instance.

• On the router(s), for every protocol, add an additional WCCP service group for each accelerator. If a service group is limited by an ACL list, apply that ACL to all service groups.

• On each WCCP accelerator, configure a service group corresponding to the service groups created on the router(s). Make sure that each service group has a different priority value. Additionally, the service group configuration on each accelerator must have a unique value for the NetScaler WCCP VIP Address field. This value is unique and matches the assigned VIP address available on the NetScaler instance.

In this deployment, all WCCP service groups are initiated and active. The router directs packets (as limited by the ACLs) to the VIP address of the service group with the highest priority. If there is an outage on CloudBridge 4000/5000 appliance and the router times out that service group, the router uses the next highest service group to redirect traffic.

Redundancy when Configuring WCCP with GRE Forwarding

Citrix recommends that, for each protocol (TCP and/or UDP), you configure at least two accelerators for WCCP negotiation with the same service group for the same router or list of routers. The following details outline this recommendation:

• For each accelerator configured for WCCP negotiation, add a VIP address to the NetScaler instance.

• On the NetScaler instance, configure the apA port of the accelerator to make sure that the port is “natted” to the newly added VIP address on the NetScaler instance.

• On the router(s), you need to configure only one service group for each protocol.

• On each WCCP accelerator, configure the same service group. Additionally, the service group configuration on each accelerator must have a unique value for the NetScaler WCCP VIP Address field. This value is unique and matches the assigned VIP address available on the NetScaler instance.

In this deployment, only one WCCP service group (or two, if UDP is added) is initiated, but only one WCCP-enabled accelerator per service group is active. The other WCCP-enabled accelerators send an Other Cache alert to indicate that the service group is in use. The router directs packets, as limited by the ACLs, to the VIP address of the active service group.

If there is an outage on a CloudBridge 4000/5000 appliance, such as a failure of the WCCP-enabled accelerator, or the NetScaler instance or the appliance is not available, the appliance and router perform the following tasks:

1. The router delivers packets to the NetScaler instance until the router times out the service group when the active negotiator is not available. The time out lasts for thirty seconds after the router receives the last "Here I Am" packet from the active cache.

2. After the router times out the service group, no traffic on that service group is redirected to the NetScaler instance.

3. As soon as one of the stand-by CloudBridge negotiators sends the next "Here I Am" packet, which occurs every 10 seconds, the router responds that the service group is inactive.

4. One of the standby negotiators becomes active in approximately 40 to 70 seconds. During this period, the router just uses forwarding to handle the traffic.

5. If the protocol of the service group that was not available was TCP, all the accelerated TCP connections are reset as a result of rotated sequence numbers of the CloudBridge. This does not apply to connections that are members of service classes set to “Acceleration: None.”

6. One of the backup WCCP negotiators completes negotiation with the router.

7. The router starts redirecting the traffic to the NetScaler instance.

8. The NetScaler instance load balances the traffic among the accelerators.

The existing TCP connections remain unaccelerated. Any new TCP connection is a candidate for acceleration as determined by the NetScaler load balancing and CloudBridge service class configurations.

Known Limitations

Following are the known limitations of deploying a Citrix CloudBridge 4000/5000 appliance in WCCP mode with a single router:

• You cannot configure WCCP from the accelerator UI.

• Multicast operation is not supported.

• The WCCP status of the accelerator does not display the packet count for a service group. You can verify the status of WCCP from the Active Connections page. If traffic is flowing, WCCP is working.

• WCCP forward and return methods must match.

• There is an issue with multiple WCCP Routers with L2 forwarding, such as in deployments that have multiple WANs and WAN routers, or use active-active Hot Standby Router Protocol (HSRP). The outbound L2 packet is sent as an L2 packet by using the routing table of the NetScaler instance. The receiving router just forwards the packet toward the destination. If one of these routers is the “gateway” (default or in static routes), the return packets are not necessarily “balanced.” For example, there might be a single routing path to the data center servers, through only a single router.

• Deployments of the WCCP solutions with WCCP/GRE and multiple Routers have an issue with packets on the same connection migrating from one router to another. The NetScaler instance expects packets for both directions of a WCCP/GRE-delivered connection to:

• Remain WCCP/GRE delivered

• Come from the same MAC address.

Therefore, the support for HSRP GSLB does not correctly balance traffic from the NetScaler instance to the routers. For example, if the packet stream on a connection is originally delivered by Router A and then at some point is delivered by Router B, packets from Router B for this connection are terminated. You must configure HSRP GSLB to operate at a connection level or higher; certainly not at the packet level. A connection migrating from one router (with GRE) to another router fails.

• MD5 security is not supported between the router and the appliance.

brsdx-wccp-single-router-config-nw-con

Due to technical difficulties, we are unable to display this topic. Citrix is currently fixing this problem. In the meantime, you can view this topic online:

http://support.citrix.com/proddocs/index.jsp?lang=en&topic=/brsdx-70-map/brsdx-wccp-single-router-config-nw-con.html

Configuring the NetScaler Instance for WCCP

Note:

To configure the NetScaler instance for WCCP you must at least add a virtual IP (VIP) address, and configure NAT. The VIP address is used for communication between the NetScaler instance and the accelerator instances. The NetScaler instance uses NAT to direct client requests to the accelerator instances, and responses to the clients.

To use WCCP mode with GRE forwarding, you must configure a static route that includes the IP address of the WCCP router that performs GRE forwarding for the service groups. When NetScaler instance configuration is complete, be sure to save your changes.

Adding a Subnet IP

To use WCCP mode with GRE forwarding, you must configure a static route that includes the IP address of the WCCP router that performs GRE forwarding for the service groups. When NetScaler instance configuration is complete, be sure to save your changes.

Adding Virtual IP Addresses

You must create Virtual IP (VIP) addresses in the subnet that includes the router, that is, in the external traffic subnet. You use these VIP addresses in the WCCP configuration of the first and second accelerator instances. You declare this VIP on the NetScaler instance and again on the accelerator.

To create WCCP VIP addresses on the NetScaler instance

1. Navigate to the NetScaler instance at Configuration > NetScaler > Instances and click on the IP address of the NetScaler instance.

2. In the Navigation pane, select Network > IPs.

3. Click Add.

4. In the Create IP dialog box, specify a VIP address in the external traffic subnet in the IP Address field, using entry T5 from your worksheet.

5. In the Netmask field, specify the external traffic subnet's network mask (entry T2 from your worksheet).

6. From IP Type, select the Virtual IP option.

7. Clear the Virtual Server option.

8. Click Create, and then click Close.

9. Repeat the procedure for the second WCCP VIP address, using entry T6 instead of T5 for the IP address and T2 for the netmask.

10. Click Create and Close.

Configuring Network Address Translation

The NetScaler instance uses Network Address Translation (NAT) to allow communication between the external traffic network and the private internal traffic network. In a WCCP deployment, you define two NAT addresses for the two accelerators handling WCCP communications with the router. Each NAT address is defined with an INAT command and an RNAT command.

Configuring Inbound NAT

Inbound Network Address Translation (INAT) translates the public destination IP address of the packet into a private destination IP address and forwards the packet to the accelerator at that address.

To configure INAT entry on the NetScaler instance

1. Select the Network > Routes node.

2. On the INAT tab, click Add, as shown in the following figure.

3. In the Create INAT dialog box, in the Name field, specify a name for the INAT entry. Good names identify the accelerator and the purpose of the address (for example, Accelerator1WCCP).

4. Specify the public and private IP addresses for accelerator instance #1 in the respective fields, as shown in the following figure, using worksheet entry T5 as the external traffic IP address and 169.254.10.21 as the private IP address.

5. Click Create and then click Close.

6. Click Create, and then click Close.

7. Repeat the process for the second WCCP address, using a name such as "Accelerator2WCCP", worksheet entry T6 for the public IP address, and P3+1 for the private IP address.

Configuring Reverse NAT

In Reverse Network Address Translation (RNAT), the NetScaler instance replaces the source IP address in the packets generated by the accelerator with a public NAT IP address. By default, the appliance uses a Subnet IP (SNIP) address as the NAT IP address. You can also configure the appliance to use a unique NAT IP address for each subnet.

To create an RNAT entry

1. On the RNAT tab, click Configure RNAT, as shown in the following figure.

2. In the Configure RNAT dialog box, specify the network IP address and network mask in the respective fields. These are the same values that you used for the INAT entry. Use worksheet entry P3 for the Network field, and entry P2 as the network mask.

3. From the Available NAT IP(s) list, select the NAT IP address (entry T5) that you created, as shown in the following figure.

4. Click Create and then click Close.

5. Repeat the procedure with entries P3+1, P2, and T6 from your worksheet.

6. Click Create and then click Close.

Adding a Static Route

Note: If you are not configuring the setup in the WCCP mode with GRE forwarding, skip this section.

When you configure WCCP mode with GRE forwarding, the NetScaler instance removes the 28 bytes of overhead, including the outer IP header, GRE header, and WCCP header. Additionally, the NetScaler instance determines the accelerator to which the TCP SYN packet should be directed. The NetScaler instance then stores the Router IP and MAC address and the service group number in an internal structure, which is associated with the connection, in the connection table. The NetScaler instance uses this information to direct packets of the connection to the designated accelerator after removing the 28 bytes of overhead. Similarly, after receiving packets from the accelerator, the NetScaler instance uses the information to direct the packets to the correct router.

For the setup to work as expected, you must configure a static route on the NetScaler instance. The static route must include the IP address of the WCCP router that performs GRE forwarding for the service group.

Note: You can find the Router ID IP address by running the show ip wccp <Service_Group> command from the management interface of the router. The IP address that is returned should be entered on your worksheet as T8.
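The 28 bytes described above correspond to a 20-byte outer IPv4 header without options, a 4-byte GRE header without optional fields, and the 4-byte WCCP redirect header. The following added example (not Citrix code; the redirect header layout is taken from the WCCP v2 Internet-Draft, and every address and the sample packet are constructed) strips that encapsulation and recovers the router IP and service group that the text says are stored with the connection.

```python
import ipaddress
import struct

IPPROTO_TCP = 6
IPPROTO_GRE = 47
GRE_PROTO_WCCP = 0x883E  # GRE protocol type used for WCCP v2 redirected packets


class DecapError(ValueError):
    """Raised when a packet is not a plain 28-byte WCCP-GRE encapsulation."""


def decap_wccp_gre(pkt: bytes) -> dict:
    """Strip outer IPv4 + GRE + WCCP redirect header and return what was learned."""
    if len(pkt) < 28 + 20:
        raise DecapError("too short for the encapsulation plus an inner IPv4 header")
    if pkt[0] >> 4 != 4:
        raise DecapError("outer header is not IPv4")
    if (pkt[0] & 0x0F) * 4 != 20:
        # IP options would make the overhead larger than the 28 bytes in the text.
        raise DecapError("outer IPv4 header carries options")
    if struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise DecapError("outer total-length field does not match the packet size")
    if pkt[9] != IPPROTO_GRE:
        raise DecapError("outer protocol is not GRE")
    gre_flags, gre_proto = struct.unpack("!HH", pkt[20:24])
    if gre_flags != 0:
        # Checksum/key/sequence bits add optional fields and change the offset.
        raise DecapError("GRE header has optional fields or a non-zero version")
    if gre_proto != GRE_PROTO_WCCP:
        raise DecapError("GRE payload is not WCCP")
    # Redirect header: flags (0x80 = dynamic service), service ID, alt bucket, primary bucket.
    flags, service_id, _alt_bucket, pri_bucket = struct.unpack("!BBBB", pkt[24:28])
    inner = pkt[28:]
    if inner[0] >> 4 != 4:
        raise DecapError("inner packet is not IPv4")
    return {
        "router_ip": str(ipaddress.IPv4Address(pkt[12:16])),  # outer source address
        "service_group": service_id,
        "dynamic_service": bool(flags & 0x80),
        "primary_bucket": pri_bucket,
        "overhead": len(pkt) - len(inner),
        "inner": inner,
    }


def is_tcp_syn(inner: bytes) -> bool:
    """True for an initial SYN (SYN set, ACK clear), the packet that picks an accelerator."""
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != IPPROTO_TCP or len(inner) < ihl + 14:
        return False
    return inner[ihl + 13] & 0x12 == 0x02


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet; the checksum stays 0 because it never goes on a wire."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_sample_redirect():
    """Constructed sample: router 192.0.2.1 redirects a client SYN to VIP 192.0.2.5."""
    syn = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = ipv4_packet("10.1.1.10", "10.2.2.20", IPPROTO_TCP, syn)
    gre = struct.pack("!HH", 0, GRE_PROTO_WCCP)
    redirect = struct.pack("!BBBB", 0x80, 72, 0, 17)  # dynamic service group 72
    return ipv4_packet("192.0.2.1", "192.0.2.5", IPPROTO_GRE, gre + redirect + inner), inner


if __name__ == "__main__":
    outer, _ = build_sample_redirect()
    info = decap_wccp_gre(outer)
    print(info["router_ip"], info["service_group"], info["overhead"], is_tcp_syn(info["inner"]))
```

A packet whose outer header carries IP options or whose GRE header sets optional-field bits is rejected rather than decapsulated at a fixed offset, because the 28-byte figure only holds for the plain case.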

To configure a static route on the NetScaler instance

1. On the Basic tab of the Routes node, click Add.

2. In the Create Route dialog box, specify the Router ID IP address (Entry T8 from your worksheet) in the Network field.

3. In the Netmask field, specify 255.255.255.255.

4. In the Gateway field, specify the IP address of the router’s interface (Entry T1 from your worksheet), as shown in the following figure.

Figure 1. Sample values for a static route on the NetScaler instance

5. Click Create and Close.

Modifying Load Balancing Virtual Servers

Set the Connection Failover parameter to STATELESS for all load balancing virtual servers. This setting ensures that the NetScaler instance processes the existing connections from the data center to the remote sites, instead of resetting them.

To set the Connection Failover parameter of a load balancing virtual server

1. In the navigation pane, expand the Load Balancing node.

2. Select the Virtual Servers node.

3. Select the first load balancing virtual server.

4. Click Open.

5. On the Advanced tab, from the Connection Failover list, select STATELESS, as shown in the following figure.

Figure 1. Setting the Connection Failover parameter of a load balancing virtual server

6. Click OK.

Saving the NetScaler Instance Configuration

When finished configuring the NetScaler instance, save the configuration:

• In the upper right-hand area of the screen, click the Save button to save your changes.

• NetScaler instance configuration is complete.

• Click Create, and then click Close.

Configuring a Router in Standard WCCP Mode

Note: This information is for standard WCCP mode. For WCCP Clustering, see the CloudBridge WCCP Clustering topics, especially the “Configuring WCCP Clustering on the Router” subtopic.

An accelerator automatically negotiates WCCP-GRE or WCCP-L2. The CloudBridge 4000/5000 appliance supports only unicast operation of a router. For unicast operation, the accelerator is configured with the IP address of the router.

The basic approach to redirecting traffic from the router to the appliance involves one of the following methods:

• On the WAN port only, add a wccp redirect in statement and a wccp redirect out statement.

• On every port on the router, add a wccp redirect in statement, except for ports that are isolated from the WAN.

The first method redirects only WAN traffic to the appliance, while the second method redirects all router traffic to the appliance, whether it is WAN-related or not. On a router with several LAN ports and heavy LAN-to-LAN traffic, sending all traffic to the appliance can overload its LAN segment and burden the appliance with a substantial, unnecessary load. If you are using GRE, the unnecessary traffic can even overload the router as well. Therefore, the first method is preferred.

Some routers and WCCP-capable switches do not support wccp redirect out, so with them you must use the second method. In this case, try to avoid routing large numbers of ports through the appliance, possibly by using two routers, one for WAN routing and one for LAN-to-LAN routing.

In general, the first method is preferable because it isolates the appliance-centric configuration to the WAN ports and avoids sending unnecessary traffic to the appliance. On some routers, the "redirect in" path is faster and puts less of a load on the router's CPU than does the "redirect out" path. Such routers should not be used with CloudBridge 4000/5000.

For normal operation, you must declare WCCP version 2 and the WCCP group ID for the router as a whole, and then enable redirection on each WAN interface.

Either two or four WCCP service groups can be used, but using four is recommended. The WCCP standard requires that TCP and UDP traffic use different service groups, and, for robustness, we enable WCCP management on two accelerators, adding up to four service groups. The router negotiates with the first TCP and UDP service groups that respond. If the accelerator handling these groups fails, the router tries the other accelerator's .

WCCP-GRE can use the same service groups on both instances, each with the same priority. WCCP-L2 uses different service groups on the two instances, each with different priorities.

Following is an example of configuring a Cisco IOS router that supports unicast operation:

! This example is for standard WCCP mode, not WCCP clustering
! (which is covered elsewhere)
config term
ip wccp version 2
! We will configure the appliance to use group 72 for TCP and 73
! for UDP. This traffic will go to accelerator #1
ip wccp 72
ip wccp 73
! For WCCP-L2 only, we also define WCCP Group 74 and 75, as above,
! for accelerator #2. (WCCP-GRE uses group 72 and 73 on
! both instances.)
ip wccp 74
ip wccp 75

! Repeat the following lines for each WAN interface
! you wish to accelerate:
interface <WAN_Interface>
ip wccp 72 redirect out
ip wccp 72 redirect in
ip wccp 73 redirect out
ip wccp 73 redirect in
ip wccp 74 redirect out
ip wccp 74 redirect in
ip wccp 75 redirect out
ip wccp 75 redirect in

^Z

Configuring accelerators for WCCP Negotiation

One accelerator instance manages WCCP control traffic on behalf of all the instances. The WCCP control traffic is negligible. The actual data traffic is divided among all the accelerators.

Two procedures are provided: one for WCCP mode and one for WCCP cluster mode.

Note: The GUI calls standard WCCP mode “single cache.”

To configure the accelerators for standard WCCP mode

1. Navigate to CloudBridge > Configuration. You are logged in automatically.

2. Navigate to the Appliance Settings > WCCP page. If the Enable button is displayed, click it to enable WCCP mode on the appliance. (If the Disable button is displayed, WCCP mode is already enabled.)

3. In the Select Mode area, select WCCP mode.

Note: The GUI mistakenly calls accelerator instances “caches.”

4. Starting with accelerator instance #1 (labeled “WCCP Cache 1” on the page), configure the “CloudBridge VIP Details” by entering the external VIP you defined for accelerator instance 1 (T5 on your worksheet for instance #1, T6 for instance #2), and the subnet mask for the external traffic network (T2 on your worksheet). Click Continue.

5. Click Add Service Group, as shown in the following figure.

Figure 1. Adding a WCCP Service Group

6. In the Service Group Details area, specify a WCCP service group ID in the ID field. This must match one of the service groups that you have defined on your router. Start with the lowest-numbered service group in your list (T11 in your worksheet for instance #1, T19 for instance #2).

7. In the Priority field, set the WCCP priority to 1 for instance #1, or 0 for instance #2.

8. From the Protocol list, select a protocol. You will eventually perform this step for both TCP and UDP. Start with TCP.

9. In the Service Group Password field, enter a password if your router is configured to require one. Otherwise, leave the field blank.

10. In the Router Communications Details area, enter the IP address of the router in the Router IP Address field. This is the router’s IP for its appliance-facing interface (T8 on your worksheet). If you use multiple routers to communicate with the appliance, list them all here.

11. From the Router Assignment list, select a router assignment (Hash, Mask, or Auto). If Auto is selected, Hash is negotiated if the router supports it; otherwise, Mask is used.

12. From the Router Forwarding list, select Auto, Level 2 or GRE, according to the capabilities of your router. If Auto is selected, Level 2 is negotiated if possible (which requires that your router support Level 2, and that the router’s IP and the VIP be in the same subnet). Otherwise, GRE is used.

13. Click Add.

14. Repeat steps 5-14 with the next service group in sequence, but selecting UDP instead of TCP.

15. Repeat the entire process on instance #2 (called “WCCP Cache 2” in the GUI), except that the NetScaler VIP is T6 from your worksheet (instead of T5), the service groups are T19 and T20 (instead of T11 and T12), and the priority value is zero instead of one.

Note: You must consider the following points when configuring a Citrix CloudBridge 4000/5000 appliance:

• Citrix recommends that you configure WCCP on the first two accelerators that you created on the appliance.

• You cannot configure a CloudBridge instance from an accelerator.

• You can monitor the WCCP configuration only from a designated WCCP accelerator, which is the accelerator on which you have configured WCCP.

• Traffic is load balanced across the accelerators on the basis of NetScaler load balancing policies.

• The WCCP service group ID that you assign to the accelerator must match a service group defined on your router, or the WCCP negotiation will fail.
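The matching rules stated in this section (service group IDs defined on the router, redirection enabled per group, separate TCP and UDP groups, and the WCCP-L2 versus WCCP-GRE priority convention) can be checked before anything is entered in the GUI. The following is an added example, not Citrix tooling; it parses the router configuration shown earlier, with the constructed interface name Serial0/0 standing in for <WAN_Interface>, and compares it with a hypothetical accelerator plan.

```python
import re

# Router configuration from this page; "Serial0/0" is a constructed interface name.
ROUTER_CONFIG = """\
config term
ip wccp version 2
ip wccp 72
ip wccp 73
ip wccp 74
ip wccp 75
interface Serial0/0
ip wccp 72 redirect out
ip wccp 72 redirect in
ip wccp 73 redirect out
ip wccp 73 redirect in
ip wccp 74 redirect out
ip wccp 74 redirect in
ip wccp 75 redirect out
ip wccp 75 redirect in
"""


def parse_router(text):
    """Return (version2_declared, defined_group_ids, {interface: {(id, direction)}})."""
    version2, groups, redirects, iface = False, set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "ip wccp version 2":
            version2 = True
        elif m := re.fullmatch(r"interface (\S+)", line):
            iface = m.group(1)
            redirects.setdefault(iface, set())
        elif m := re.fullmatch(r"ip wccp (\d+) redirect (in|out)", line):
            if iface is not None:
                redirects[iface].add((int(m.group(1)), m.group(2)))
        elif m := re.fullmatch(r"ip wccp (\d+)", line):
            groups.add(int(m.group(1)))
    return version2, groups, redirects


def check_plan(plan, router_text, forwarding):
    """plan: list of (instance, group_id, protocol, priority); forwarding: 'L2' or 'GRE'."""
    version2, groups, redirects = parse_router(router_text)
    redirected = {gid for pairs in redirects.values() for gid, _ in pairs}
    findings = []
    if not version2:
        findings.append("router does not declare 'ip wccp version 2'")
    by_instance = {}
    for inst, gid, proto, prio in plan:
        by_instance.setdefault(inst, []).append((gid, proto, prio))
        if gid not in groups:
            findings.append(f"instance {inst}: group {gid} is not defined on the router")
        elif gid not in redirected:
            findings.append(f"instance {inst}: group {gid} has no redirect statement")
    for inst, entries in sorted(by_instance.items()):
        tcp = {g for g, p, _ in entries if p == "TCP"}
        udp = {g for g, p, _ in entries if p == "UDP"}
        if not tcp or not udp:
            findings.append(f"instance {inst}: needs a TCP and a UDP service group")
        if tcp & udp:
            findings.append(f"instance {inst}: TCP and UDP share group {sorted(tcp & udp)}")
    if len(by_instance) == 2:
        (_, first), (_, second) = sorted(by_instance.items())
        ids_a, ids_b = {e[0] for e in first}, {e[0] for e in second}
        prio_a, prio_b = {e[2] for e in first}, {e[2] for e in second}
        if forwarding == "L2":
            if ids_a & ids_b:
                findings.append("WCCP-L2: instances must use different service groups")
            if prio_a & prio_b:
                findings.append("WCCP-L2: instances must use different priorities")
        elif forwarding == "GRE":
            if ids_a != ids_b:
                findings.append("WCCP-GRE: instances should use the same service groups")
            if prio_a != prio_b:
                findings.append("WCCP-GRE: instances should use the same priority")
    return findings


# Hypothetical plans: (instance, service group ID, protocol, priority).
GOOD_L2 = [(1, 72, "TCP", 1), (1, 73, "UDP", 1), (2, 74, "TCP", 0), (2, 75, "UDP", 0)]
GOOD_GRE = [(1, 72, "TCP", 1), (1, 73, "UDP", 1), (2, 72, "TCP", 1), (2, 73, "UDP", 1)]
BAD_L2 = [(1, 72, "TCP", 1), (1, 72, "UDP", 1), (2, 76, "TCP", 1), (2, 75, "UDP", 1)]

if __name__ == "__main__":
    for finding in check_plan(BAD_L2, ROUTER_CONFIG, "L2"):
        print(finding)
```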

To configure an accelerator for WCCP negotiation

1. Access the first accelerator that you created, by clicking on the IP address of the CloudBridge-1 instance on the Configuration > CloudBridge > Instances page of the SVM GUI. You will be logged in automatically.

2. In the Navigation pane, expand the Configuration node.

3. Select the Advanced Deployment node.

4. On the Advanced Deployments: WCCP Configuration page, click Enable to enable WCCP mode on the appliance.

5. Click Add New WCCP Service Group, as shown in the following figure.

Figure 2. The Citrix CloudBridge 4000/5000 user interface for configuring WCCP on the accelerator

6. In the New Services Group section, specify a WCCP service group ID in the ID field. This must match one of the service groups you have defined on your router. Start with the lowest-numbered service group in your list.

7. From the Protocol list, select a protocol. You will eventually perform this step for both TCP and UDP. Start with TCP.

8. In the Priority field, set the WCCP priority to 1.

9. From the Router Assignment list, select a router assignment (Hash, Mask, or Auto). This must match the capabilities of your router.

10. From the Router Forwarding list, select Level 2, as shown in the following figure. Select Level 2 even if your router is using GRE forwarding, because the NetScaler instance handles GRE encapsulation/decapsulation, and the accelerator always receives Level 2 traffic.

Figure 3. Sample values for the New Service Group section to configure a WCCP service group

11. Under Router Addressing, click New.

12. In the Enter Router IP Address field, specify the IP address of the router that you configured for WCCP (T1 from your worksheet).

13. Click Save.

14. In the NetScaler WCCP VIP Address field, specify the VIP address that you created on the NetScaler instance (T5 from your worksheet), as shown in the following figure.

Figure 4. Sample values for NetScaler and router in the New Service Group section to configure a WCCP service group.

15. Select an appropriate value from the VIP network prefix list. The value you select must match the netmask from worksheet entry T2. In this example, the netmask is 255.255.255.0, and the prefix value is 24.

16. Click Create.

17. Repeat steps 1-16 with the next service group in sequence, but selecting UDP instead of TCP.

18. Navigate to CloudBridge-2 instance and repeat steps 1-17, but with the following alterations:

a. Use entry T6 instead of T5.

b. For WCCP-L2, use Priority 0 instead of Priority one, and use the last two service group numbers instead of the first two.

c. For WCCP-GRE, use the same priority and service group numbers as with instance #1.

Note: You must consider the following points when configuring a Citrix CloudBridge 4000/5000 appliance:

• Citrix recommends that you configure WCCP on the first two accelerators that you created on the appliance.

• You cannot configure a CloudBridge instance from an accelerator.

• You can monitor the WCCP configuration only from a designated WCCP accelerator, which is the accelerator on which you have configured WCCP.

• Traffic is load balanced across the accelerators on the basis of NetScaler load balancing policies.

• The WCCP service group ID that you assign to the accelerator must match a service group defined on your router, or the WCCP negotiation will fail.

Verifying the WCCP Mode

You can monitor the WCCP configuration from the CloudBridge GUI.

To monitor WCCP configuration

1. Make sure that the Monitoring node is expanded.

2. Select the WCCP node. The WCCP Monitoring page displays the WCCP configuration, as shown in the following figure.

Figure 1. Monitoring the WCCP configuration

Inline Mode

When you deploy a CloudBridge 4000/5000 appliance in inline mode, pairs of Ethernet ports on the appliance function as accelerated bridges. Traffic flows into one bridge port and out the other. When two sites with appliances communicate, TCP connections between the sites can be accelerated. Traffic that cannot be accelerated is passed through transparently, as if the appliance were not there.

For maximum reliability, the bridge pairs are equipped with a bypass feature that causes the two ports to be connected to each other should the appliance fail or lose power, allowing traffic to continue flowing even during such an outage.

Inline mode depends on VLAN definitions that you create in the NetScaler instance to keep the traffic on different networks separate. These internal VLANs are not visible outside the appliance. If you use VLAN trunking, you declare these VLANs in the NetScaler instance as well.

Inline mode is currently recommended only for sites where WCCP is not practical, and which have a single WAN link, or have fully independent WAN links that do not use dynamic routing, load-balancing, or fail-over.

Deployment Topology

The following figure shows a CloudBridge 4000/5000 appliance in inline mode.

Figure 1. Basic cabling for inline mode

As shown in the above figure, inline mode is a two-arm mode. For inline deployments, the NetScaler instance is configured in L2 (bridged) mode, but the accelerators are connected internally to the NetScaler instance in a one-arm configuration.

Inline mode is the easiest mode to configure. You connect one port of an accelerated pair to the WAN router and the other to the LAN network. The appliance transparently accelerates traffic flowing between the two ports, which to the rest of the network appear to be an Ethernet bridge.

You can also deploy the appliance to accelerate traffic from certain resources only, such as back-end servers, and not the traffic of the entire network. Such an arrangement reserves the appliance's resources for the selected traffic. In this case, you install the appliance on the branch network that includes the resources for which you want to accelerate traffic.

The following figure shows partial site acceleration:

Figure 2. Partial site acceleration

Known Limitations

Inline mode has the following limitations:

• HSRP is not supported.

• The use of multiple bridges for multiple links is supported only when the links are fully independent. That is, the links are not load-balanced, and dynamic routing must not shift connections from one link to another.

• Network bypassing is not active until L2 mode is enabled, which is not the default.

Prerequisites

To begin configuring, managing, and monitoring the appliance, Management Service, accelerators, and NetScaler instance, use a web browser to connect to the Management Service user interface, and then provision a NetScaler instance on the appliance.

To deploy a Citrix CloudBridge 4000/5000 appliance, complete these preliminary steps before configuring the appliance:

• IP Addresses

• Provisioning Instances

IP Addresses

The Provisioning Wizard will require blocks of IP addresses on the external traffic network, the private traffic subnet, and the management subnet, and will also require gateway addresses, DNS server addresses, and so on.

Figure 1. Internal and external subnets

Use the Deployment Worksheet for the IP addresses, netmasks, ports, and so on for this phase of the deployment.

Port Affinity and VLANs

By default, the NetScaler instance has no port affinity. A packet entering on one port might exit on any port. But inline mode relies on the use of pairs of ports, where traffic enters one port of the pair and exits the other.

NetScaler uses VLANs to indicate port affinity. A packet assigned to one VLAN uses only ports assigned to that same VLAN. Assigning pairs of ports to the same VLAN constrains traffic to that one pair of ports.

A VLAN can be either tagged or untagged. With an untagged VLAN, packets are not tagged with the VLAN ID of that VLAN. With tagged VLANs, packets arrive with VLAN tags, and these tags are preserved by the appliance. An interface has only one untagged VLAN but can be associated with multiple tagged VLANs.

By default, all network interfaces on the NetScaler instance are included in a single, port-based VLAN as untagged network interfaces. This is the default VLAN, which has a VLAN ID (VID) of 1. This VLAN exists permanently. You can neither delete this VLAN nor change its VID.

When you add a network interface to a different VLAN as an untagged member, the network interface is automatically removed from the default VLAN. If you unbind a network interface from its current port-based VLAN, it is added to the default VLAN again.

To isolate traffic to the respective networks, always use the NetScaler instance to define an internal VLAN for each independent network on the device, that is:

• The management subnet.

• The internal traffic subnet.

• Every bridged pair of ports in use.

See the following figure for an example of VLAN assignments. These VLANs are declared in addition to any trunked VLANs that are in use on your networks.

Figure 1. Using VLANs for port isolation

If VLAN trunking is used (that is, if VLAN-tagged packets enter the appliance), these VLANs must also be defined.

VLAN Trunking

VLAN trunking is also known as tagged VLAN and 802.1Q tagging. The 802.1Q tagging enables a networking device to add information to a frame at Layer 2 to identify the VLAN membership of the frame. Tagging also enables network environments to have VLANs that span multiple devices. A device that receives the packet reads the tag and recognizes the VLAN to which the frame belongs.

You can configure a network interface as a tagged or untagged member of a VLAN. Each network interface is an untagged member of only one VLAN, known as its native VLAN. This network interface transmits the frames for the native VLAN as untagged frames. A network interface can be a part of more than one VLAN if the other VLANs are tagged.

When you configure tagging on bridged interfaces, the VLAN configuration must be identical on both ports of the bridge.

Tagged VLANs are not supported on the management interfaces (ports 0/1 and 0/2).

For example, if your WAN link uses VLAN 412, you declare VLAN 412 as a tagged VLAN in the NetScaler instance, and bind it to both ports of the bridge (such as ports 10/1 and 10/2), as shown in the example below.

Figure 1. Tagged VLANs for VLAN trunking. VLAN 412 is tagged

VLANs can be declared in either of two ways:

1. From the System > Settings > Configure NSVLAN Settings dialog box. This method declares a VLAN whose broadcast traffic is isolated from other VLANs. This method is recommended for the management subnet. It requires a restart to take effect.

Note: This VLAN configuration method is neither synchronized nor propagated in high availability mode. Therefore, you must perform the configuration independently on each appliance of a high availability setup.

2. From the Create VLANs dialog box (reached from Network > VLANs > Add). This method does not create an isolated broadcast domain for traffic originating in the NetScaler instance until the NetScaler IP addresses are bound to the VLAN. Adding such a VLAN does not require a restart. This method is recommended for all VLANs except the management subnet.
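The port-affinity and trunking rules above (one untagged VLAN per interface, no tagged VLANs on ports 0/1 and 0/2, identical VLAN configuration on both ports of a bridge, a dedicated internal VLAN per bridged pair, and every trunked VLAN declared as tagged) lend themselves to a pre-deployment check. The following is an added example, not Citrix tooling; the data model and the internal VLAN IDs 10, 20 and 30 are constructed, while ports 10/1, 10/2, 10/3 and VLAN 412 are the ones used on this page.

```python
MGMT_PORTS = {"0/1", "0/2"}  # tagged VLANs are not supported on these ports


def check_vlans(vlans, bridges, trunk_vids):
    """Check a planned VLAN layout against the rules in the text.

    vlans:      {vlan_id: {port: "tagged" | "untagged"}}
    bridges:    list of (port_a, port_b) accelerated pairs
    trunk_vids: VLAN IDs that arrive tagged on the network
    """
    findings = []
    untagged_of = {}  # port -> VLAN IDs in which it is an untagged member
    for vid, members in sorted(vlans.items()):
        for port, mode in sorted(members.items()):
            if mode == "untagged":
                untagged_of.setdefault(port, []).append(vid)
            elif port in MGMT_PORTS:
                findings.append(f"VLAN {vid}: tagged on management port {port}")
    for port, vids in sorted(untagged_of.items()):
        if len(vids) > 1:
            findings.append(f"port {port}: untagged member of VLANs {sorted(vids)}")
    for a, b in bridges:
        view_a = {vid: m[a] for vid, m in vlans.items() if a in m}
        view_b = {vid: m[b] for vid, m in vlans.items() if b in m}
        if view_a != view_b:
            findings.append(f"bridge {a}-{b}: VLAN configuration differs between ports")
        # Port affinity needs an untagged VLAN holding exactly this pair; without it
        # both ports stay in default VLAN 1 together with every other unassigned port.
        own = [vid for vid, m in vlans.items()
               if {p for p, mode in m.items() if mode == "untagged"} == {a, b}]
        if not own:
            findings.append(f"bridge {a}-{b}: no internal untagged VLAN for the pair")
    for vid in sorted(trunk_vids):
        modes = set(vlans.get(vid, {}).values())
        if "untagged" in modes:
            findings.append(f"VLAN {vid}: trunked on the network but used untagged internally")
        if "tagged" not in modes:
            findings.append(f"VLAN {vid}: trunked VLAN is not declared as tagged")
    return findings


# Constructed layout modelled on the text: one bridge on 10/1 and 10/2, WAN trunk VLAN 412.
GOOD = {
    10: {"0/1": "untagged"},                        # management subnet
    20: {"10/3": "untagged"},                       # private internal traffic subnet
    30: {"10/1": "untagged", "10/2": "untagged"},   # accelerated bridge #1
    412: {"10/1": "tagged", "10/2": "tagged"},      # trunked VLAN from the example
}
BAD = {
    30: {"10/1": "untagged"},                       # only one port of the pair
    31: {"10/1": "untagged", "10/2": "untagged"},
    412: {"10/1": "tagged", "0/1": "tagged"},       # missing on 10/2, present on 0/1
}
BRIDGES = [("10/1", "10/2")]

if __name__ == "__main__":
    for finding in check_vlans(BAD, BRIDGES, {412}):
        print(finding)
```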

Ethernet Bypass

The appliance includes a bypass feature for inline mode. In a power failure, a relay closes and the input and output ports become electrically connected. This feature allows the Ethernet signal to pass through from one port to the other, as if the appliance were not there. The appliance functions like a cross-over cable connecting the two ports.

Besides a power failure, any failure of the appliance hardware or software also closes the relay. When the appliance is restarted, the bypass relay remains closed until the appliance is fully initialized, maintaining network continuity at all times. This feature is automatic and requires no user configuration.

When the bypass relay is closed, the bridge ports of the appliance are inaccessible.

Bypass Considerations

• The bypass feature is disabled when the NetScaler instance is set to L3 mode. Because L3 mode is the factory default, inline mode should be configured before the appliance is placed in line with data traffic.

• The bypass feature is disabled when the appliance is in HA mode.

• A bypass event causes all bypass-enabled port pairs (except the loopback ports) to enter the bypass mode.

• The loopback ports never enter bypass mode.

• A bypass event occurs if the NetScaler instance or the bypass daemon in Dom-0 becomes unresponsive.

• A bypass event is not triggered by accelerators becoming unresponsive.

• The 1-Gigabit bypass ports are copper, and 10-Gigabit bypass ports are fiber ports.

Configuring Inline Mode

Basic configuration for inline mode is done entirely in the NetScaler instance. The tasks are to set the NetScaler instance to L2 mode, define VLANs for the subnets, and bind these VLANs to the ports.

The procedure below uses the configuration worksheet.

All VLANs in the following procedure are used inside the appliance only; they are not propagated to the outside, and must not be already in use on your network for tagged VLAN traffic.

To configure inline mode

1. From the main (Service VM) GUI, navigate to the NetScaler GUI: Configuration > NetScaler > Instances. Click on the IP address of the NetScaler Instance.

2. Install the appliance in its rack, connecting management interface 0/1 but leaving the inline ports empty.

3. Provision the appliance with the configuration wizard.

4. From the main (Service VM) GUI, navigate to the NetScaler GUI: Configuration > NetScaler > Instances. Click on the IP address of the NetScaler Instance.

5. Navigate to System > Settings > Configure Modes. Select "Layer 2 Mode" and clear "Layer 3 Mode." Click OK.

6. Configure the traffic VLAN for the first port of accelerated bridge #1. Navigate to the Network > VLANs page and click Add. In the Create VLAN dialog box, in the VLAN id field, enter the VLAN ID (T19 on your worksheet). Click the Deactivate All link and then select the Active checkbox for the two bridge ports (T9 and T10 on your worksheet). Click Create.

7. If you are using a second accelerated bridge, repeat the previous two steps, using T20 instead of T19, T15 instead of T9, and T16 instead of T10.

8. If you are using a third accelerated bridge, repeat Steps 7 and 8, using T21 instead of T19, T17 instead of T9, and T18 instead of T10.

9. Configure the private traffic VLAN. In the VLAN ID field, enter the VLAN ID of the private internal subnet (P19 on your worksheet). Deselect all ports, then select port 10/3 as Active. Click Create.

10. Using the same VLAN ID as in the previous step, deselect all ports. Find the entry in the IPs list matching the subnet and mask of the private traffic VLAN (P1 and P2 on your worksheet) and select its Active checkbox. Click Create.

11. VLAN Trunking. If the traffic passing through the appliance uses VLAN trunking, you must declare the VLANs entering the appliance as tagged VLANs, as follows:

a. Still in the Create VLAN dialog box, configure the tagged VLANs to use bridge #1. In the VLAN Id field, enter the VLAN ID of the first tagged VLAN (VLAN1.1 on your worksheet). Under Interfaces, clear all the check boxes. Then, select Active and Tagged for the first port of the bridge (T9 on your worksheet) and the second port of the bridge (T10). Click Create.

b. Repeat the previous step for any remaining VLANs, assigning them to bridge #1 (VLAN1.2, VLAN1.3, and so on).

c. If you are using additional pairs of bridged ports, repeat the entire process to assign the VLANs to bridges #2, #3, and so on.

d. Click Close.

12. Click Save to save your configuration.

Configuration is complete.

Configuring the High Availability Setup on the Appliances

High availability (HA) works directly between the NetScaler instances of two CloudBridge 4000 or 5000 appliances. As shown in the configuration worksheet, the two appliances are configured almost identically, except for management network IP addresses.

Note: The accelerator instances on the two appliances are not synchronized, and must be kept consistent manually. Take this into account when deciding whether to use HA.

Note: For a smooth installation, install and test one appliance before adding the second one, noting all configuration changes, especially to the accelerator.

Note: You must use the same aPA and signaling addresses on both appliances. However, all management subnet IP addresses must be unique on each appliance.

If the active appliance becomes unavailable, the passive appliance transparently takes over the function of the primary appliance. This is called “failover.” As a result, disruption of services over the network is minimal. After a failover, all clients must reestablish their connections to the managed servers, but the session persistence rules are maintained as they were before the failover.

HA is supported in all deployment modes, and the HA configuration procedure is the same for all modes. The two appliances should be running identical hardware, licensing, and software releases, and must be deployed identically, using the same deployment modes on the same subnets.

When you enable HA, the configuration of the primary appliance’s NetScaler instance is copied to the secondary appliance as part of the NetScaler HA synchronization process.

To configure a high availability setup of NetScaler instances

1. Complete the configuration worksheet for your chosen deployment mode (inline or WCCP). Note that all parameters for the external traffic subnet and the private traffic subnet are identical for both appliances, but some management subnet values are different on the two appliances.

2. Fully configure appliance #1 and test it thoroughly. If inline mode is used, do not connect the traffic network to the bridge ports on appliance #2.

3. Fully configure appliance #2. Note that some parameters are different on the two appliances: H1, H4, H5, H6, and H17 are used on the second appliance in place of M1, M4, M5, M6, and M17. Make sure that the accelerators are configured identically to the ones on appliance #1, and that both appliances have identical VLAN definitions in the NetScaler instances.

4. Access the NetScaler instance on appliance #1, by specifying its IP address (M17) in a web browser.

5. Log on to the NetScaler instance.

6. In the Navigation pane, expand the System node.

7. Select the High Availability node.

8. Click Add, as shown in the following figure.

Figure 1. Configuring a high availability setup of the NetScaler instances

9. In the remote Node IP Address field of the High Availability Setup dialog box, specify the NSIP address of the NetScaler instance of the other appliance #2 (H17 on your worksheet), as shown in the following figure.

Figure 2. Configuring a high availability setup of the NetScaler instances

10. Click OK. The appliances are now configured as a high availability pair, as shown in the following figure.

Figure 3. Configuring high availability on the NetScaler instance

Note: To learn more about setting up high availability on a NetScaler instance, see the High Availability node of the Citrix eDocs website.

Evaluating the Configuration

Putting your appliance online in a production network requires special attention to prevent disruption or confusion, especially in a complex environment.

Rollout Example

When deploying CloudBridge 4000/5000, the basic rollout decision is whether to activate the entire deployment at once or to roll it out in stages. In a large or complex environment, a phased approach avoids trouble, and the deployment can be extended at will. This type of approach calls for the use of WCCP. The following example illustrates one approach for such a site:

1. Configure the system as described in the installation procedure, except for the router. There, instead of setting up WCCP redirection for all incoming and outgoing WAN traffic, set it up for traffic to and from either a single remote site or a single IP address at that site. The remote site must already contain an enabled CloudBridge appliance.

2. The accelerator Monitoring: WCCP page. If not, check your WCCP configuration on the router and on the accelerators, and check your NAT definitions on the NetScaler instance by using nstrace. If nstrace reveals an issue, and your definitions look correct, rebooting the appliance may resolve the issue.

3. Test acceleration between the new site and the remote site, with the remote site as the client side and the CloudBridge 4000/5000 equipped site as the server side, as described in General Monitoring.

4. If traffic does not appear, the router is not sending traffic to the CloudBridge 4000/5000 properly. The error could be in the Router configuration, the NetScaler configuration, or the CloudBridge WCCP configuration. Double-check these settings.

5. If traffic appears but is not accelerated, you might have a problem with asymmetrical routing, with not having a CloudBridge license installed, or with having acceleration disabled either globally or on the service classes associated with the traffic.

6. When all is working properly, test reverse connections, where a site on the CloudBridge 4000/5000 side is the client and the remote site is the server, if applicable.

7. If using NetScaler HA, save the configuration of the individual WCCP-enabled instances from the individual instances' GUIs, and save the configuration of the accelerator, do basic configuration manually, then restore the saved configurations, first of the accelerators as a whole, and then restore the two WCCP-enabled instances. Once this is done (and NetScaler HA is enabled), test failover by powering down the primary appliance. Be careful to avoid IP address conflicts.

8. If using NetScaler HA, save the configuration of the individual WCCP-enabled instances from the individual instances' GUIs, and save the configuration of the accelerator, restore these saved configurations, first of the accelerators as a whole, and then restore the two WCCP-enabled instances. Once this is done (and NetScaler HA is enabled), test failover by powering down the primary appliance.

9. Expand the scope of acceleration to include more remote sites, and repeat the above testing. When doing so, also examine the Monitoring: System Load page, especially during peak periods, to verify that the CloudBridge 4000/5000 is not heavily loaded.

10. Continue this process until the entire WAN is being accelerated.

Monitoring

Use the CloudBridge 4000/5000 GUI to monitor traffic after you configure a LAN link and a WAN link. CloudBridge 4000/5000 allows a very simple link definition.

Configuring the Links

To enable monitoring, you must first configure one LAN link and one WAN link. To do so, edit the default links on the Configure: Links page as follows:

1. Edit one link so its name is "LAN," its type is "LAN," and its speed is 10 Gbps in both directions. Delete its existing filter rule, then click Add Rule, and then click Save to save a link definition that matches all traffic.

2. Edit the other link so that its name is "WAN," its type is "WAN," and its speed is 95% of the aggregate speed of your site's WAN links in each direction. Delete its existing filter rule, then click Add Rule, and then click Save to save a link definition that matches all traffic.

To verify that link configuration is working correctly, traffic must be flowing. If the network does not have enough traffic to fill the WAN link to capacity, run test traffic to fill the network to capacity. Then look at the link reports on the Reports: Link Usage tab. The following figure shows these reports.

General Monitoring

1. If WCCP is configured, verify that the service groups are in operation and the routers are redirecting traffic. (Note that the CloudBridge WCCP page packet counts are not present in CloudBridge 4000/5000. Check traffic by other means, such as on the Monitoring: Active Connections page, and on the router.)

2. On the remote CloudBridges, verify that outgoing connections are being accelerated, and that all accelerated connections to the datacenter report the same Partner Unit on the remote appliance's Monitoring: Connections page. When load-balancing is working properly, all outgoing accelerated connections show the same Partner Unit. (However, incoming accelerated connections might show different units.)

3. Double-check remote CloudBridges for correctly set bandwidth limits, to prevent remote issues from being misidentified as datacenter issues.

4. Generally monitor the CloudBridge 4000/5000 unit for alerts.

5. In the broker UI, use the Dashboard, the Monitoring: Remote Partners, and perhaps the Monitoring: Appliance Load pages to monitor the overall activity and load of the system.

Managing the Appliance

CloudBridge 4000/5000 is an appliance containing multiple virtual CloudBridge WAN accelerators controlled by a single virtual NetScaler load balancer. This combination provides a high-performance WAN accelerator for busy datacenters.

Managing the Appliance by using the Management Service

The Management Service lets you manage client sessions and perform configuration tasks, such as creating and managing user accounts and tweaking backup and pruning policies according to your requirements. You can also restart the Management Service and upgrade the version of the Management Service. You can further create tar files of the Management Service and the XenServer and send them to technical support.

Automatically Configuring CloudBridge Devices

If you are using Citrix Command Center to manage your Citrix appliances, the AutoConfiguration feature enables a CloudBridge appliance to automatically register itself with Citrix Command Center.

After you have specified a DNS IP address in the setup wizard, the appliance performs reverse and forward lookups to identify the Command Center IP address. If you opt for having the appliance automatically configured by the Command Center server, the server starts configuring the appliance automatically soon after the appliance is registered with it. The Command Center server uses configuration profiles selected for the appliance to run configuration commands on the appliance. For more information about how the autoconfiguration feature works on the Command Center server, see Automatically Configuring CloudBridge Devices.

Additionally, you can use Citrix Command Center to manage and monitor the appliance remotely.

Note: This feature is supported with Citrix Command Center release 5.2 build 41 and later.

Platforms Supported

The autoconfiguration feature is supported on the following appliances:

• CloudBridge 400 appliance

• CloudBridge 800 appliance

• CloudBridge 2000 appliance

• CloudBridge 3000 appliance

• CloudBridge 1000 appliance with Windows Server

• CloudBridge 2000 appliance with Windows Server

Registering a CloudBridge Appliance with Citrix Command Center

Before you can use Citrix Command Center to manage a CloudBridge appliance, you must register the appliance with it.

To configure a CloudBridge appliance for autoconfiguration

1. In the CloudBridge setup wizard (System > Configuration > System > Setup Wizard), specify the IP address of the DNS server used by the CloudBridge device.

2. Enter the registration password that you specified in Configure CloudBridge Registration Settings on the Command Center server, and click OK. Leave this field blank if you have not changed the password.

The CloudBridge appliance sends a registration request to the Command Center server, which automatically discovers the device and runs the commands available in the configuration profile.

Alternatively, you can navigate to the CloudBridge > Configuration > Appliance Settings > Logging/Monitoring page and specify the Command Center details on the Command Center tab.

To register the appliance with Citrix Command Center

1. Navigate to the CloudBridge > Configuration > Appliance Settings > Logging/Monitoring page.

2. Click the Command Center tab.

3. In the IP Address field, type the IP address of the Citrix Command Center appliance with which you want to register the CloudBridge appliance.

4. In the Port field, type the port number used for Citrix Command Center. 8443 is the default port number used for Citrix Command Center.

5. In the Registration Password field, type the password that the Command Center administrator has set for a CloudBridge appliance to log on to Citrix Command Center. Do not specify any password if the Command Center administrator has accepted the default password for registering the appliance.

6. Click Update.

7. Select the AutoConfiguration By Citrix Command Center option to automatically configure the appliance through Command Center.

The Status field changes from Disabled to Initiated registration, which later changes to Request accepted if the registration of the appliance with Citrix Command Center is successful.

Your CloudBridge appliance is registered with Citrix Command Center and you can now manage the appliance remotely by using Citrix Command Center.

Updating the appliance through the Management Service

The software update is distributed in a single file. This file has the correct versions of the management service, NetScaler, CloudBridge Accelerator, and XenServer files for a particular release. This eliminates problems that can arise from using incompatible versions.

To update the appliance

1. If the appliance does not have the correct version of the management service, upload and install the management service for the target release before running this procedure.

2. Acquire the update file. If you log on to citrix.com using your MyCitrix credentials, you will find CloudBridge software in the Downloads section. The upgrade file has a .upg extension and is several hundred megabytes long. Download the file to a convenient system. To minimize transfer time, this system should be in the same facility as the appliance and have a fast link to it (Gigabit Ethernet rather than 54 Mbps wireless).

3. Log on to the appliance and navigate to the System > Configuration page.

4. Click the Update Software link.

5. In the text box that appears, specify the upgrade file, and then click Upload.

6. When a message announces that the upload was successful, click Install.

7. The appliance performs the upgrade, which takes roughly half an hour. It displays a series of status messages, starting with “Preparing to upgrade” and ending with “Upgrade completed Successfully.”

8. Click OK to display the updated user interface. Clear your browser cache to ensure successful operation.

Managing Client Sessions

A client session is created when a user logs on to the Management Service. You can view all the client sessions on the appliance in the Sessions pane.

In the Sessions pane, you can view the following details:

User Name

The user account that is being used for the session.

IP Address

The IP address of the client from which the session has been created.

Port

The port being used for the session.

Login Time

The time at which the current session was created on the SDX appliance.

Last Activity Time

The time at which user activity was last detected in the session.

Session Expires In

Time left before session expiry.

To view client sessions, on the Configuration tab, in the navigation pane, expand System, and then click Sessions.

To end a client session, in the Sessions pane, click the session you want to remove, and then click End Session.

You cannot end a session with the client that initiated that session.

Configuring User Accounts

A user logs on to the appliance to perform appliance management tasks. To allow a user to access the appliance, you must create a user account on the appliance for that user. (Note: the Repeater virtual machines use their own user accounts, managed on the individual Repeater virtual machines). Users are authenticated locally, on the appliance.

Important: The password applies to the appliance, Management Service, and XenServer. Do not change the password directly on the XenServer.

To configure a user account

1. In the navigation pane, expand System, and then click Users. On the Configuration tab, under System, expand Administration, and then click Users. The Users pane displays a list of existing user accounts, with their permissions.

2. In the Users pane, do one of the following:

• To create a user account, click Add.

• To modify a user account, select the user, and then click Modify.

3. In the Create System User or Modify System User dialog box, set the following parameters:

• Name*—The user name of the account. The following characters are allowed in the name: letters a through z and A through Z, numbers 0 through 9, period (.), space, and underscore (_). Maximum length: 128. You cannot change the name.

• Password*—The password for logging on to the appliance. Maximum length: 128.

• Confirm Password*—The password.

• Permission*—The user's privileges on the appliance. Possible values:

• superuser—The user can perform all administration tasks related to the Management Service.

• readonly—The user can only monitor the system and change the password of the account.

Default: superuser.

• Enable External Authentication—Enables external authentication for this user. Management Service attempts external authentication before database user authentication. If this parameter is disabled, the user is not authenticated with the external authentication server.

• Configure Session Timeout—Enables you to configure the time period for how long a user can remain active. Specify the following details:

• Session Timeout—The time period for how long a user session can remain active.

• Session Timeout Unit—The timeout unit, in minutes or hours.

• Groups—Assign the groups to the user.

*A required parameter

4. Click Create or OK, and then click Close. The user that you created is listed in the Users pane.

To remove a user account

1. On the Configuration tab, in the navigation pane, expand System, expand Administration, and then click Users.

2. In the Users pane, select the user account, and then click Delete.

3. In the Confirm message box, click OK.

SNMP Trap Destinations

You can use Simple Network Management Protocol (SNMP) to configure the SNMP agent on the appliance to generate asynchronous events, which are called traps. The traps are generated whenever abnormal conditions occur on the appliance. They are sent to a remote device called a trap listener, so that administrators can monitor the appliance and respond promptly to any issues.

The SNMP agent on the appliance generates traps that are compliant with SNMPv2 only. The supported traps can be viewed in the SDX MIB file. You can download this file from the Downloads page in the Management Service user interface.

To add a trap destination

1. In the navigation pane, expand System, and then click SNMP Trap Destinations.

2. In the SNMP Trap Destinations pane, click Add.

3. In the Add SNMP Trap Destination dialog box, specify values for the following parameters:

• Destination Server*—IPv4 address of the trap listener to which to send the SNMP trap messages.

• Port*—UDP port at which the trap listener listens for trap messages. Must match the setting on the trap listener, or the listener drops the messages. Minimum value: 1. Default: 162.

• Community*—Password (string) sent with the trap messages, so that the trap listener can authenticate them. Can include letters, numbers, and hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) characters.

Note: You must specify the same community string on the trap listener device, or the listener drops the messages. Default: public.

*A required parameter

4. Click Add, and then click Close. The SNMP trap destination that you added appears in the SNMP Traps pane.

To modify the values of the parameters of an SNMP trap destination, in the SNMP Trap Destinations pane, select the trap you want to modify, and then click Modify. In the Modify SNMP Trap Destination dialog box, modify the parameters.

To remove an SNMP trap, in the SNMP Trap Destinations pane, select the trap you want to remove, and then click Delete. In the Confirm message box, click Yes to remove the SNMP trap.
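
The listener-side check described above, as an added example (not Citrix code): a minimal Python parser that reads the version, community string, and PDU type from a received datagram and accepts only SNMPv2c traps whose community matches. The source-address allowlist, the sample addresses, and the community value are assumptions for illustration; the allowlist is included because SNMPv2c sends the community string in cleartext.

```python
import hmac

SNMP_V2C = 1             # value of the version field for SNMPv2c
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30
TAG_V2_TRAP = 0xA7       # SNMPv2-Trap-PDU


def read_tlv(buf, off):
    """Return (tag, value_bytes, next_offset) for the BER element at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    end = off + length
    if end > len(buf):
        raise ValueError("value runs past end of datagram")
    return tag, buf[off:end], end


def parse_trap_header(datagram):
    """Extract (version, community, pdu_tag) from an SNMP message."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    tag, version, off = read_tlv(body, 0)
    if tag != TAG_INTEGER or not version:
        raise ValueError("bad version field")
    tag, community, off = read_tlv(body, off)
    if tag != TAG_OCTET_STRING:
        raise ValueError("bad community field")
    pdu_tag, _, _ = read_tlv(body, off)
    return int.from_bytes(version, "big", signed=True), community, pdu_tag


def check_trap(datagram, source_ip, allowed_sources, community):
    """Return (accepted, reason); anything that is not accepted is dropped."""
    if source_ip not in allowed_sources:       # assumption: appliance IPs are known
        return False, "unknown source"
    try:
        version, got, pdu_tag = parse_trap_header(datagram)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if version != SNMP_V2C:
        return False, "not SNMPv2c"
    if pdu_tag != TAG_V2_TRAP:
        return False, "not a trap PDU"
    if not hmac.compare_digest(got, community):
        return False, "community mismatch"
    return True, "ok"


def _tlv(tag, value):
    """Encode a short-form BER element (sample builder only)."""
    if len(value) >= 128:
        raise ValueError("sample builder handles short lengths only")
    return bytes([tag, len(value)]) + value


def build_sample_trap(community):
    """Constructed SNMPv2c trap with an empty varbind list, for testing."""
    pdu = _tlv(TAG_V2_TRAP,
               _tlv(TAG_INTEGER, b"\x01")      # request-id
               + _tlv(TAG_INTEGER, b"\x00")    # error-status
               + _tlv(TAG_INTEGER, b"\x00")    # error-index
               + _tlv(TAG_SEQUENCE, b""))      # varbinds (empty in this sample)
    return _tlv(TAG_SEQUENCE,
                _tlv(TAG_INTEGER, bytes([SNMP_V2C]))
                + _tlv(TAG_OCTET_STRING, community)
                + pdu)


if __name__ == "__main__":
    appliances = {"192.0.2.10"}                # constructed management address
    expected = b"cb-traps-01"                  # constructed community string
    for label, dgram, src in [
        ("matching community", build_sample_trap(expected), "192.0.2.10"),
        ("default community", build_sample_trap(b"public"), "192.0.2.10"),
        ("other sender", build_sample_trap(expected), "198.51.100.7"),
    ]:
        print(label, check_trap(dgram, src, appliances, expected))
```
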

Restarting the Management Service

You can restart the Management Service from the System pane. Restarting the Management Service does not affect the working of the NetScaler instances. The NetScaler instances continue to function during the Management Service restart process.

To restart the Management Service

1. On the Configuration tab, in the navigation pane, click System.

2. In the System pane, under System Administration, click Reboot Management Service.

Upgrading the Management Service

The process of upgrading the Management Service involves uploading the build file of the target build and the documentation file to the SDX appliance, and then upgrading the Management Service.

Uploading the Management Service Build and Documentation Files

You can upload the Management Service build and documentation files from a client computer to the appliance. You can also download build and documentation files to a local computer as a backup.

To upload the Management Service build file

1. In the navigation pane, expand Management Service, and then click Software Images.

2. In the Software Images pane, click Upload.

3. In the Upload Management Service Software Image dialog box, click Browse, navigate to the folder that contains the build file, and then double-click the build file.

4. Click Upload.

To create a backup by downloading a Management Service build file

1. In the Software Images pane, select the file you want to download, and then click Download.

2. In the message box, from the Save list, select Save as.

3. In the Save As message box, browse to the location where you want to save the file, and then click Save.

To upload the Management Service documentation file

1. In the navigation pane, expand Management Service, and then click Software Images.

2. In the Software Images pane, on the Documentation Files tab, click Upload.

3. In the Upload Management Service Documentation File dialog box, click Browse, navigate to the folder that contains the documentation file, and then double-click the file.

4. Click Upload.

To create a backup by downloading a Management Service documentation file

1. In the Software Images pane, select the file you want to download, and then click Download.

2. In the message box, from the Save list, select Save as.

3. In the Save As message box, browse to the location where you want to save the file, and then click Save.

Upgrading the Management Service to a Later Version

After you have uploaded the Management Service image to the appliance, use this image to upgrade the version of the Management Service. The Management Service will restart after the upgrade. Restarting the Management Service does not affect your NetScaler VPX instances and the appliance.

To upgrade the Management Service

1. In the navigation pane, click System.

2. In the System pane, under System Administration, click Upgrade Management Service.

3. In the Upgrade Management Service dialog box, in Software Image, select the software image file to which you want to upgrade the Management Service.

4. In Documentation File, select the documentation file you want to use for the upgrade.

5. Click OK.

Upgrading the XenServer Software

You need to upgrade to configure VLAN filtering on an interface assigned to a NetScaler instance. The process of upgrading the XenServer software involves uploading the build file of the target build to the Management Service, and then upgrading the XenServer software.

Note: In some CloudBridge 4000 and CloudBridge 5000 releases, you might find the option to upgrade XenServer from the management service, but the upgrade process does not work.

Contact Citrix Support if you need to upgrade XenServer.

Backing Up and Restoring the Configuration Data of the Appliance

The backup policy runs at 00:30 A.M. every day. You can create a backup file at any time if, for example, you want to immediately back up changes to the configuration. You can use the backup file to restore the configuration data on the appliance. You can restore the configuration data of the XenServer, Management Service, and all the NetScaler instances, or selected NetScaler instances.

To restore the configuration data on an SDX appliance, the Management Service selects the latest NetScaler .XVA image to provision the NetScaler instances. Citrix recommends that you store only the version of the NetScaler .XVA image that you require to reprovision the NetScaler instances. If you store multiple .XVA images, the Management Service might provision a NetScaler instance by using an image that is different from the one that you require. In this case, after restoring you must log on to the NetScaler instance and upgrade the software.

Important: You must manually back up other files, such as licenses and SSL certificates, outside the appliance before restoring the NetScaler instance because only the configuration files are restored.

To perform an immediate backup

1. In the navigation pane, expand Management Service, and then click Backup Files. Navigate to Configuration > Management Service > Backup Files.

2. In the Backup File pane, under the Action drop-down list, click Back Up.

3. In the Confirm dialog box, click Yes. This process may take a few minutes, depending on the amount of data to be backed up.

To restore the configuration

1. In the navigation pane, expand Management Service, and then click Backup Files. Navigate to Configuration > Management Service > Backup Files.

2. In the Backup File pane, select the backup file from the list, and then under Action, click Restore.

3. In the Restore Wizard or Restore dialog box, select one of the following:

• Restore Appliance—Restores the XenServer, Management Service, and all the NetScaler instances.

Note: Perform a Factory Reset before selecting this option.

• All instances—Restores all the NetScaler instances.

• Specific instances—Restores only the selected NetScaler instances.

4. In the Restore Wizard or Restore dialog box, do one of the following:

• Restore Appliance—Restores the XenServer, Management Service, and all the NetScaler instances.

Note: Perform a Factory Reset before selecting this option.

• Select the check box next to the instance(s) to restore the NetScaler instance(s).

5. Click Next, and then click Finish. The progress status is displayed.

6. Click OK, and then click Close. Click OK.

Performing a Factory Reset

Before performing a factory reset, back up all the data stored on the appliance, including the settings of the accelerator and the NetScaler instance. Citrix recommends that you store the files outside the appliance. Performing a factory reset terminates all current client sessions with the Management Service, so you have to log back on to the Management Service for any additional configuration tasks. When you are ready to restore the data, import the backup files by using the Management Service.

You also have the option to reset while retaining the current IP addresses of the Management Service and XenServer or to reset with the default IP addresses of the Management Service and XenServer. In either case, the software automatically performs the following actions:

• Deletes NetScaler and accelerator instances.

• Deletes SSL certificate and key files.

• Deletes license and technical archive files.

• Deletes the NTP configuration on the appliance.

• Restores the time zone to UTC.

• Restores prune and backup policies to their default settings.

• Deletes the Management Service image and documentation files.

• Deletes the NetScaler image and documentation files.

• Deletes all XVA images except the last image file that was accessed on the appliance.

• Restores default interface settings.

• Restores the default configuration of the appliance, including default profiles, users, and system settings.

• Restores default IP addresses for XenServer and the Management Service.

• Restores default passwords for XenServer and the Management Service.

• Restarts the Management Service.

You can also perform a pseudo-factory reset that retains the currently running management service and its IP addresses, rather than reverting to the factory-installed management service. A pseudo-factory reset is recommended when the need to perform a reset is not caused by a problem with the management service itself.

To perform a factory reset

Important: Make sure you connect a serial console cable to the appliance before performing a factory reset.

1. In the navigation pane, expand Management Service, and then click Backup Files.

2. Under the Configuration tab, in the navigation pane, expand Management Service > Backup Files, and then in the Action drop-down menu, select Factory Reset.

3. In the Backup Files pane, click Factory Reset.

4. In the Factory Reset dialog box, select the type of reset from the following options:

• Reset (Without Network Configuration)—Retain the IP addresses of the Management Service and XenServer.

• Reset (With Network Configuration)—Management Service and XenServer restart with the default IP addresses.

• Appliance Reset—The appliance settings are restored to the default factory settings, such as default IP addresses for Management Service and XenServer. No instances are installed, and only the default SSL certificate is available on the appliance.

5. Click OK, and then click Close. Click OK.

6. When the reset is complete, log on with the default credentials and run the configuration wizard.

To perform a pseudo-factory reset

1. On Configuration > NetScaler > Instance, delete the NetScaler instance.

2. On Configuration > CloudBridge > Accelerator, delete the accelerator master instance.

3. On Configuration > CloudBridge > Instances, delete all the accelerator instances.

4. Log out.

5. Log in with default credentials and run the configuration wizard.

Removing Management Service Files

You can remove any unneeded Management Service build and documentation files from the appliance.

To remove a Management Service file

1. On the Configuration tab, in the navigation pane, expand Management Service, and then click the file that you want to remove.

2. In the details pane, select the file name, and then click Delete.

Generating a Tar Archive for Technical Support

You can use the Technical Support option to generate a tar archive of data and statistics for submission to Citrix technical support. This tar can be generated for the Management Service or the XenServer, or for both at the same time. You can then download the file to your local system and send it to Citrix technical support.

None

In the Technical Support pane, you can view the following details.

Name

The name of the tar archive file. The file name indicates whether the tar is for the Management Service or the XenServer server.

Last Modified

The date when this file was last modified.

Size

The size of the tar file.

To generate the tar archive for technical support

1. On the Configuration tab, navigate to Diagnostics > Technical Support.

2. In the details pane, from the Action list, select Generate Technical Support File.

3. In the Generate Technical Support File dialog box, from the Mode list, select the appropriate option for whether you want to archive data of XenServer, Management Service, Appliance (including XenServer and Management Service), Instances, or Appliance (including instances).

4. Click OK.

To download the tar archive for technical support

1. In the Technical Support pane, select the technical support file that you want to download.

2. From the Action list, select Download. The file is saved to your local computer.

Managing the NetScaler Instance

After you have provisioned NetScaler instances on your appliance, you can perform the following tasks to configure and manage these instances.

• Save the Configuration

• Upgrade a NetScaler Instance

• Manage a NetScaler Instance

• Removing NetScaler Instance Files

Saving the Configuration

You can save the running configuration of the NetScaler instance from the Management Service.

To save the configuration on a NetScaler instance

1. On the Configuration tab, in the navigation pane, click NetScaler, then NetScaler.

2. In the details pane, under NetScaler Configuration, click Save Configuration.

3. In the Save Configuration dialog box, in Instance IP Address, select the IP addresses of the NetScaler instances whose configuration you want to save.

4. Click OK, and then click Close.

Upgrading a NetScaler Instance

The process of upgrading the NetScaler instance involves uploading the build file software image and the documentation file of the target build to the appliance, and then upgrading the NetScaler instance.

Uploading NetScaler Resources

You have to upload the NetScaler software images to the appliance before upgrading the NetScaler instance. Citrix recommends that you upload the latest documentation file along with the image file. You can also download the image and documentation files to a local computer as a backup. For installing a new instance, you need the NetScaler XVA file.

In the NetScaler Software Images pane, you can view the following details.

Name

Name of the NetScaler instance software image file. The file name contains the release and build number. For example, the file name build-9.3-53.5_nc.tgz refers to release 9.3 build 53.5, and build-10-53.5_nc.tgz refers to release 10 build 53.5.

Last Modified

Date when the file was last modified.

Size

Size, in MB, of the file.

To upload a NetScaler software image

1. On the Configuration tab, in the navigation pane, expand NetScaler, click Software Images, and then click the Software Images tab.

2. In the Software Images pane, click Upload.

3. In the Upload NetScaler Software Image dialog box, click Browse and select the NetScaler image file that you want to upload.

4. Click Upload. The image file appears in the NetScaler Software Images pane.

If you want to remove a NetScaler image file that you no longer want to use, you can remove it from the appliance. To remove the file, in the Software Images pane, select the file you want to remove, and then click Delete. In the Confirm message box, click Yes.

To create a backup by downloading a NetScaler build file

1. In the Software Images pane, select the file you want to download, and then click Download.

2. In the message box, from the Save list, select Save as.

3. In the Save As message box, browse to the location where you want to save the file, and then click Save.

To upload a NetScaler documentation file

1. In the navigation pane, expand NetScaler, and then click Software Images.

2. In the Software Images pane, on the Documentation Files tab, click Upload.

3. In the Upload NetScaler Documentation File dialog box, click Browse and select the NetScaler documentation file you want to upload.

4. Click Upload. The documentation file appears in the Documentation Files pane.

To create a backup by downloading a NetScaler documentation file

1. In the Documentation Files pane, select the file you want to download, and then click Download.

2. In the message box, from the Save list, select Save as.

3. In the Save As message box, browse to the location where you want to save the file, and then click Save.

To upload a NetScaler XVA file

1. In the navigation pane, expand NetScaler, and then click Software Images.

2. In the Software Images pane, on the XVA Files tab, click Upload.

3. In the Upload NetScaler XVA File dialog box, click Browse and select the NetScaler XVA file you want to upload.

4. Click Upload. The XVA file appears in the XVA Files pane.

To create a backup by downloading a NetScaler XVA file

1. In the XVA Files pane, select the file you want to download, and then click Download.

2. In the message box, from the Save list, select Save as.

3. In the Save As message box, browse to the location where you want to save the file, and then click Save.

Upgrading the Instance

After you have uploaded the NetScaler resources, you can upgrade the NetScaler instance to the required release.

To upgrade the NetScaler instance

1. Expand the NetScaler node.

2. Select the Instances node.

3. In the Instances page, select the available NetScaler instance.

4. Click Upgrade.

Note: You need to click Right Scroll to display the Upgrade button.

Deleting the NetScaler Instance

As an alternative to the factory reset, you can delete the NetScaler instance to prepare the appliance to provision instances again. To delete a NetScaler instance, see Performing a Factory Reset.

Managing a NetScaler Instance

The Management Service lets you perform the following operations on the NetScaler instance, both from the NetScaler Instances pane in the Configuration tab and in the NetScaler Instances gadget on the Home page.

Start a NetScaler Instance

Start any NetScaler instance from the Management Service user interface. When the Management Service UI forwards this request to the Management Service, it starts the NetScaler instance.

Shut down a NetScaler instance

Shut down any NetScaler instance from the Management Service user interface. When the Management Service UI forwards this request to the Management Service, it stops the NetScaler instance.

Reboot a NetScaler instance

Restart the NetScaler instance.

Delete a NetScaler instance

If you do not want to use a NetScaler instance, you can delete that instance by using the Management Service. Deleting an instance permanently removes the instance and its related details from the database of the appliance.

To start, stop, delete, or restart a NetScaler instance

1. On the Configuration tab, in the navigation pane, click NetScaler Instances.

2. In the NetScaler Instances pane, select the NetScaler instance on which you want to perform the operation, and then click Start or Shut Down or Delete or Reboot.

3. In the Confirm message box, click Yes.

Removing NetScaler Instance Files

You can remove any NetScaler instance files, such as XVAs, builds, documentation, SSL keys or SSL certificates, from the appliance.

To remove NetScaler instance files

1. On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click the file that you want to remove.

2. In the details pane, select the file name, and then click Delete.

Managing a CloudBridge Accelerator

The management service VM lets you perform the following operations on the CloudBridge Accelerator, both from the CloudBridge Accelerators pane in the Configuration tab and in the CloudBridge Accelerators gadget on the Home page.

• Add a CloudBridge Accelerator—Create another CloudBridge VM.

• Modify a CloudBridge Accelerator—Change the instance settings.

• Delete a CloudBridge Accelerator—Removes a CloudBridge VM.

• Start a CloudBridge Accelerator—Starts a CloudBridge VM.

• Shut down a CloudBridge Accelerator—Shuts down a CloudBridge VM.

• Reboot a CloudBridge Accelerator—Restart the CloudBridge VM.

• Force Shut Down a CloudBridge Accelerator—Stops a CloudBridge Accelerator even if it is unresponsive to normal shutdown commands.

• Force Reboot a CloudBridge Accelerator—As forced shutdown, but restarts the instance after shutting it down.

• Current Configuration—Gives the CloudBridge Accelerator’s configuration, formatted for the CloudBridge CLI.

• Ping—Sends pings to the specified address.

• TraceRoute—Runs traceroute to the specified address.

• Rediscover—Scans the CloudBridge VMs.

Configuring CloudBridge Instances by using CloudBridge Accelerator Interface

The CloudBridge Accelerator Interface is a user interface that controls all CloudBridge Accelerators as a unit. The CloudBridge Accelerator Interface appears identical to an individual instance’s UI, but changes are propagated to all the instances automatically.

To use the CloudBridge Accelerator Interface:

1. On the Configuration tab, in the navigation pane, expand CloudBridge, click on the other occurrence of CloudBridge, and finally click on the IP address of the “CloudBridge.” (This is not actually a CloudBridge, but the virtual machine containing the CloudBridge Accelerator Interface.)

2. Manage the CloudBridge Accelerators as if they were a single CloudBridge. Changes will be propagated to the actual CloudBridge Accelerators automatically.

Details of CloudBridge management and the CloudBridge GUI are covered in the Branch Repeater Family Installation and User’s Guide, rel. 6.0.

Managing Individual CloudBridge Accelerator

The individual CloudBridge Accelerators are reached from the Configuration tab by expanding CloudBridge, clicking on Instances, then clicking on the IP Address of an individual instance.

Details of CloudBridge management and the CloudBridge GUI are covered in the Branch Repeater Family Installation and User's Guide, rel. 6.0.

Upgrading a CloudBridge Accelerator

The process of upgrading a CloudBridge Accelerator involves either deleting the existing instance and recreating it with a new virtual machine image (xva file) or upgrading the CloudBridge software within the virtual machine.

To upgrade the CloudBridge software within the virtual machine, see Basic Configuration.

Note: To prevent any loss of the configuration when upgrading the CloudBridge virtual machine, save the CloudBridge configuration using the “Save/Restore Configuration” feature of the CloudBridge’s management interface.

Deleting the CloudBridge Instance

As an alternative to the factory reset, you can delete the NetScaler instance to prepare the appliance to provision instances again. To delete a NetScaler instance, see Performing a Factory Reset.

Managing the Appliance

After your appliance is up and running, you can perform various tasks to manage the appliance from the Management Service user interface.

Modifying the Network Configuration of the Appliance

(If you have run the Setup Wizard, you have already set these parameters.) You can modify the network configuration details that you provided for the appliance during initial configuration.

To modify the network configuration of the SDX appliance, click System. In the System pane, under the Setup Appliance group, click Network Configuration and enter the details in the wizard.

To modify the network configuration of the appliance

1. In the navigation pane, click System.

2. In the System pane, under Setup Appliance, click Network Configuration.

3. In the Modify Network Configuration dialog box, specify values for the following parameters:

• Interface*—The interface through which clients connect to the Management Service. Possible values: 0/1, 0/2. Default: 0/1.

• XenServer IP Address*—The IP address of the XenServer.

• Management Service IP Address*—The IP address of the Management Service.

• Netmask*—The netmask for the subnet in which the appliance is located.

• Gateway*—The default gateway for the network.

• DNS Server—The IP address of the DNS server.

* A required parameter

4. Click OK.

Changing the Password of the Default User Account

(If you have run the Setup Wizard, you have already set these parameters.) The default user account provides complete access to all features of the appliance. Therefore, to preserve security, the nsroot account should be used only when necessary, and only individuals whose duties require full access should know the password for the nsroot account. Citrix recommends changing the nsroot password frequently. If you lose the password, you can reset the password to the default by reverting the appliance settings to factory defaults.

To change the password of the default user account, click System > User Administration > Users. Select a user and click Edit to change the password.

You can change the password of the default user account in the Users pane. In the Users pane, you can view the following details:

Name

Lists the user accounts configured on the appliance.

Permission

Displays the permission level assigned to the user account.

To change the password of the default user account

1. On the Configuration tab, in the navigation pane, expand System, and then click Users.

2. In the Users pane, click the default user account, and then right-click on Modify.

3. In the Modify System User dialog box, in Password and Confirm Password, enter the password of your choice.

4. Click OK.

Configuring Clock Synchronization

You can configure your appliance to synchronize its local clock with a Network Time Protocol (NTP) server. As a result, the clock on the appliance has the same date and time settings as the other servers on your network. The clock synchronization configuration does not change if the appliance is restarted, upgraded, or downgraded. However, the configuration does not get propagated to the secondary NetScaler instance in a high availability setup.

The clock is synchronized immediately if you add a new NTP server or change any of the authentication parameters. You can also explicitly enable and disable NTP synchronization.

Note: If you do not have a local NTP server, you can find a list of public, open access, NTP servers at the official NTP site, http://www.ntp.org. Before configuring your NetScaler to use a public NTP server, be sure to read the Rules of Engagement page (link included on all Public Time Servers pages).

To configure an NTP server, click System > NTP Servers.

To configure an NTP server

1. In the navigation pane, expand System, and then click NTP Servers.

2. In the details pane, do one of the following:

• To add a new NTP server, click Add.

• To modify settings for an existing NTP server, select the NTP server, and then click Open.

3. In the Create NTP Server or Configure NTP Server dialog box, set the following parameters:

• Server Name/IP Address*—The domain name of the NTP server or the IP address of the NTP server. The name or IP address cannot be changed for an existing NTP server.

• Minimum Poll Interval—The minimum number of seconds after which the NTP server must poll the NTP messages, expressed as a power of 2. Minimum value: 4 (2^4=16 seconds). Maximum value: 6 (2^6=64 seconds). Default: 6 (2^6=64 seconds).

• Maximum Poll Interval—The maximum number of seconds after which the NTP server must poll the NTP messages, expressed as a power of 2. Minimum value: 10 (2^10=1024 seconds). Maximum value: 17 (2^17=36 hours). Default: 10 (2^10=1024 seconds).

• Key Identifier—The key to be used for the specified server. This key identifier should be added to the list of Trusted Key IDs in the Authentication Parameters. Minimum value: 1. Maximum value: 65534.

Note: Do not add if Autokey is selected.

• Autokey—Use the Autokey protocol for the specified server.

• Preferred—Synchronize with this server first. Applicable if more than one server is configured.

*A required parameter

4. Click Add, and then click Close.

5. In the details pane, verify that the settings displayed for the NTP server that you just created are correct.

To enable NTP synchronization

1. In the navigation pane, expand System, and then click NTP Servers.

2. In the details pane, click NTP Synchronization.

3. In the NTP Synchronization dialog box, select Enable NTP Sync.

4. Click OK, and then click Close.

To modify Authentication options

1. In the navigation pane, expand System, and then click NTP Servers.

2. In the details pane, click Authentication Parameters.

3. In the Modify Authentication Options dialog box, set the following parameters:

• Authentication—Enable NTP authentication. Possible values: YES, NO. Default: YES.

• Trusted Key IDs—The trusted key IDs. While adding an NTP server, you select a key identifier from this list. Minimum value: 1. Maximum value: 65534.

• Revoke Interval—The interval between re-randomization of certain cryptographic values used by the Autokey scheme, as a power of 2, in seconds. Default value: 17 (2^17=36 hours).

• Automax Interval—The interval between regeneration of the session key list used with the Autokey protocol, as a power of 2, in seconds. Default value: 12 (2^12=1.1 hours).

4. Click OK, and then click Close.

Installing an SSL Certificate on the Appliance

The appliance is shipped with a default SSL certificate. For security reasons, you may want to replace this certificate with your own SSL certificate. To do so, you must first upload your SSL certificate to the Management Service and then install the certificate. Installing an SSL certificate terminates all current client sessions with the Management Service, so you have to log back on to the Management Service for any additional configuration tasks.

To install an SSL certificate, click System. In the Set Up Appliance group, click Install SSL Certificate and enter the details in the wizard.

To install an SSL certificate on the Management Service

1. In the navigation pane, click System.

2. In the System pane, click Install SSL Certificate.

3. In the Install SSL Certificate on the Management Service dialog box, set the following parameters:

• Certificate File*—The file name of a valid certificate. The certificate file must be present on the appliance.

• Key File*—The file name of the private-key used to create the certificate. The key file must be present on the appliance.

• Password*—The pass-phrase that was used to encrypt the private-key. This option can be used to load encrypted private-keys. Max length: 32.

Note: Password protected private key is supported only for the PEM format.

* A required parameter

4. Click OK, and then click Close.
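
Before uploading the Certificate File and Key File named in the steps above, the pair can be checked on an administrator workstation. The shell functions below are an added example, not part of the Citrix documentation: they use only standard openssl subcommands, and the function names, the KEY_PASSPHRASE variable and the constructed test files are assumptions.

```shell
#!/bin/sh
# Added example: pre-upload checks for a certificate/key pair.
# Function names and constructed test files are assumptions, not Citrix tooling.

# Return 0 if the PEM certificate in $1 has not expired yet.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Return 0 if key file $1 is a passphrase-protected PEM key
# (PKCS#8 "ENCRYPTED PRIVATE KEY" or traditional "Proc-Type: 4,ENCRYPTED").
key_is_encrypted_pem() {
    grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Return 0 if passphrase $1 fits the documented maximum length of 32.
passphrase_fits() {
    [ "${#1}" -le 32 ]
}

# cert_matches_key CERT KEY [PASSPHRASE]
# 0 = key belongs to certificate, 1 = mismatch, 2 = a file could not be read
# (bad format or wrong passphrase). The passphrase is handed to openssl through
# the environment rather than on its command line.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(KEYPASS="${3:-}" openssl pkey -in "$2" -pubout \
                  -passin env:KEYPASS 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_pair CERT KEY [PASSPHRASE]: run every check, print each failure,
# return 0 only if the pair looks ready to upload.
check_pair() {
    rc=0
    cert_not_expired "$1" || { echo "certificate expired or unreadable: $1"; rc=1; }
    if key_is_encrypted_pem "$2"; then
        passphrase_fits "${3:-}" || { echo "passphrase longer than 32 characters"; rc=1; }
    fi
    cert_matches_key "$1" "$2" "${3:-}" ||
        { echo "key does not match certificate, or wrong passphrase: $2"; rc=1; }
    return "$rc"
}

# Build throwaway, constructed test material in directory $1:
# cert.pem + key.pem (matching), key-enc.pem (same key, encrypted),
# other.pem (unrelated key). None of this is real appliance data.
make_constructed_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1 &&
    openssl pkey -in "$1/key.pem" -aes256 -passout pass:constructed-pass \
        -out "$1/key-enc.pem" >/dev/null 2>&1 &&
    openssl genrsa -out "$1/other.pem" 2048 >/dev/null 2>&1
}

# Usage: KEY_PASSPHRASE=... sh check_pair.sh cert.pem key.pem
if [ "$#" -ge 2 ]; then
    check_pair "$1" "$2" "${KEY_PASSPHRASE:-}"
    exit $?
fi
```

A return code of 2 from cert_matches_key separates an unreadable file or wrong pass-phrase from a genuine mismatch, which return 1.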

Restarting the Appliance

The Management Service provides an option to restart the appliance. During the restart, the appliance shuts down all hosted NetScaler instances, and then restarts XenServer. When XenServer restarts, it starts all hosted NetScaler instances along with the Management Service.

To restart the appliance, click Configuration > System and in the System Administration group, click Reboot Appliance.

To restart the appliance

1. On the Configuration tab, in the navigation pane, click System.

2. In the System pane, click Reboot Appliance.

Shutting Down the Appliance

You can shut down the appliance from the Management Service.

To shut down the appliance, click Configuration > System, and in the System Administration group, click Shut Down Appliance.

To shut down the appliance

1. On the Configuration tab, in the navigation pane, click System.

2. In the System pane, click Shutdown Appliance.

Modifying the Time Zone on the Appliance

You can modify the time zone of the Management Service and the XenServer. The default time zone is UTC.

To modify the time zone, click System and in the System Settings group, click Change Time Zone.

To modify the time zone on the appliance

1. On the Configuration tab, in the navigation pane, click System.

2. In the System pane, under System Settings, click Change Time Zone.

3. In the Modify Time Zone dialog box, select a time zone from the list, and then click OK.

Modifying System Settings

For security reasons, you can specify that the Management Service and a NetScaler VPX instance should communicate with each other only over a secure channel. You can also restrict access to the Management Service user interface. Clients can log on to the Management Service user interface only by using https.

To modify system settings, click Configuration > System and in the System Settings group, click Change System Settings.

To modify system settings

1. On the Configuration tab, in the navigation pane, click System.

2. In the System pane, under System Settings, click Change System Settings.

3. In the Modify System Settings dialog box, select https from the list.

4. Optionally, to restrict secure-only access to the Management Service, select Secure Access only.

5. Click OK.

Upgrading the Resources

The upgrade process upgrades the CloudBridge and NetScaler resources of your CloudBridge appliance.

To upgrade the resources, perform the following steps:

1. In the CloudBridge configuration utility, navigate to Configuration > System.

2. On the right pane under Setup Appliance, click Upgrade Resources.

Note: When you click on Upgrade Resources, the following message appears:

This operation may shut down NetScaler and CloudBridge Instances. Do you want to upgrade the resources?

3. Click Yes.

Monitoring the Appliance

After your appliance is up and running, you can perform various tasks to monitor the appliance from the Management Service user interface.

Monitoring the Appliance by using the Home Page

The Management Service Home page provides you with a high-level view of the performance of the appliance and the NetScaler instances provisioned on your appliance. CloudBridge Accelerator and NetScaler instance information is displayed in gadgets that you can add and remove depending on your requirement.

The following gadgets are available on the Home page by default.

System Resources

Displays the total number of CPU cores, total number of SSL cores, number of free SSL cores, total memory, and free memory on the appliance.

System CPU | Memory Usage (%)

Displays the percentage of CPU and memory utilization of the appliance in graphical format.

System WAN/LAN Throughput (Mbps)

Displays the total throughput of the appliance for incoming and outgoing traffic in a graph that is plotted in real time and updated at regular intervals.

CloudBridge Accelerators

Displays the aggregate properties of the CloudBridge Accelerators, summarized as if there were only one instance. The properties displayed are Name, VM State, CloudBridge State, IP address, and CPU and memory usage.

NetScaler Instances

Displays the properties of the NetScaler instances. The properties displayed are Name, VM State, Instance State, IP Address, Rx (Mbps), Tx (Mbps), HTTP Req/s, and CPU Usage (%) and Memory Usage (%).

Note: On first log on, the Home page does not display any data related to the NetScaler or CloudBridge instances because you have not provisioned any instances on your appliance.

You can do the following on the Home page:

View and hide NetScaler instance details

You can view and hide the details of a particular instance by clicking the name of the instance in the Name column. You can also click Expand All to expand all the instance nodes and Collapse All to collapse all the instance nodes.

Add and remove gadgets

You can also add gadgets to view additional system information.

To add these gadgets, click the arrow (<<) button at the top right corner of the Home page, enter keywords in the search box, and then click Go. The allowed characters are: a-z, A-Z, 0-9, ^, $, *, and _. Click Go without typing any characters in the search box to display all the gadgets that are available. After the gadget is displayed, click Add to dashboard.

Currently, you can add the following gadgets to the Home page:

Hypervisor Details

The Hypervisor Details gadget displays details about XenServer uptime, edition, version, iSCSI Qualified Name (IQN), product code, serial number, build date, and build number.

Licenses

The Licenses gadget displays details about the hardware platform, the maximum number of NetScaler instances supported on the platform, the maximum supported throughput in Mbps, and the available throughput in Mbps.

If you remove a gadget that is available on the Home page by default, you can add it back to the Home page by performing a search for the gadget, as described earlier.

Load Statistics

Citrix CloudBridge includes load statistics functionality that collates all parameters affecting the load on the appliance and displays the results in a graphical format.

The load statistics are based on input queue latency rather than the CPU load, because a CloudBridge appliance makes use of all system resources, wherever possible. The input queue latency indicates the extent to which processing the queue has overloaded the appliance. The queue latency measures the duration for which a packet waits before the appliance selects it for processing. The longer the wait time, the busier the appliance. If the value of the input queue latency rises and remains high for quite some time, the request queue builds up on the appliance and might result in connections with diminished acceleration.

To display the appliance’s load statistics, navigate to the Monitoring > Appliance Performance > Load Statistics page.

The Appliance Load Statistics page consists of three tabs: Connections, Traffic, and Advanced. By default, load statistics are displayed for the last one day. You can change the period to any of the following:

• Last Day—Displays statistics for last 24 hours. Statistics in the graphs are automatically refreshed every 5 minutes.

• Last Minute—Displays statistics for last 60 seconds. Statistics in the graphs are automatically refreshed every 30 seconds.

• Last Hour—Displays statistics for last 60 minutes. Statistics in the graphs are automatically refreshed every 60 seconds.

• Last Week—Displays statistics for last seven days. Statistics in the graphs are automatically refreshed every hour.

• Last Month—Displays statistics for last 30 days. Statistics in the graphs are automatically refreshed every 2 hours.

Graphs with multiple data series are stacked. This facilitates representing the combined status of all data series in the graph. Additionally, the page contains a utility to create PDF files for all load statistics available across tabs.

Connections

The connections tab displays statistics about existing connections to the appliance.

In addition to the graphical statistics, the graphs display average number of connections and maximum number of connections (as Peak) for the duration depicted in the graphs. You can also hover the cursor over a data series to check a value for a specific time. This tab consists of the following graphs:

• Accelerated Connections—Displays the number of connections that the appliance is accelerating.

• Total Connections—Displays the number of connections, accelerated as well as unaccelerated, on the appliance.

• ICA Sessions—Displays ICA sessions established with the appliance. The graph includes data for ICA single-stream and multi-stream sessions, respectively.

Traffic

The Traffic tab displays statistics about the network traffic flowing through the appliance. This includes traffic from the WAN side as well as the LAN side.

In addition to the graphical statistics, each graph displays the average traffic rate and the maximum traffic rate (as Peak) for the duration depicted in the graph. You can also hover the cursor over a data series to check a value for a specific time. This tab consists of the following graphs:

• WAN Data Send Rate—Displays data, in bits per second, sent from the WAN side of the appliance. The graph includes a data series for each of the protocols being served by the appliance. In the following screen shot, a sample graph of a server-side appliance shows five series of data depicting FTP, HTTP, HTTPS, and Other. Clear text data is depicted as an individual series and shown as FTP data (clear). The rest of the FTP data is depicted as the Other TCP data series. Any traffic other than FTP, HTTP, and HTTPS is depicted as Others.

• WAN Data Receive Rate—Displays data, in bits per second, received from the WAN side of the appliance. The graph includes a data series for each of the protocols being served by the appliance. In the following screen shot, a sample graph of a server-side appliance shows five series of data depicting FTP, HTTP, HTTPS, and Other. Clear text data is depicted as an individual series and shown as FTP data (clear). The rest of the FTP data is depicted as the Other TCP data series. Any traffic other than FTP, HTTP, and HTTPS is depicted as Others.


• LAN Data Send Rate—Displays data, in bits per second, sent from the LAN side of the appliance. The graph includes a data series for each of the protocols being served by the appliance. In the following screen shot, a sample graph of a server-side appliance shows five series of data depicting FTP, HTTP, HTTPS, and Other. Clear text data is depicted as an individual series and shown as FTP data (clear). The rest of the FTP data is depicted as the Other TCP data series. Any traffic other than FTP, HTTP, and HTTPS is depicted as Others.

Note: When you enable compression on the appliance, the amount of data received from the WAN side is always less than the amount sent to the LAN side. However, if you have not enabled compression on the appliance, the amount of data is almost the same on both sides of the appliance.

• LAN Data Receive Rate—Displays data, in bits per second, received from the LAN side of the appliance. The graph includes a data series for each of the protocols being served by the appliance. In the following screen shot, a sample graph of a server-side appliance shows five series of data depicting FTP, HTTP, HTTPS, and Other. Clear text data is depicted as an individual series and shown as FTP data (clear). The rest of the FTP data is depicted as the Other TCP data series. Any traffic other than FTP, HTTP, and HTTPS is depicted as Others.

Note: When you enable compression on the appliance, the amount of data sent from the WAN side is always less than the amount received from the LAN side. However, if you have not enabled compression on the appliance, the amount of data is almost the same on both sides of the appliance.

• WAN Packet Send Rate—Displays data, in packets per second, sent from the WAN side of the appliance. The graph includes a data series for each of the protocols being served by the appliance. In the following screen shot, a sample graph of a server-side appliance shows five series of data depicting FTP, HTTP, HTTPS, and Other. Clear text data is depicted as an individual series and shown as FTP data (clear). The rest of the FTP data is depicted as the Other TCP data series. Any traffic other than FTP, HTTP, and HTTPS is depicted as Others.


• WAN Packet Receive Rate—Displays data, in packets per second, received from the WAN side of the appliance. The graph includes a data series for each of the protocols being served by the appliance. In the following screen shot, a sample graph of a server-side appliance shows five series of data depicting FTP, HTTP, HTTPS, and Other. Clear text data is depicted as an individual series and shown as FTP data (clear). The rest of the FTP data is depicted as the Other TCP data series. Any traffic other than FTP, HTTP, and HTTPS is depicted as Others.

• LAN Packet Send Rate—Displays data, in packets per second, sent from the LAN side of the appliance. The graph includes a data series for each of the protocols being served by the appliance. In the following screen shot, a sample graph of a server-side appliance shows five series of data depicting FTP, HTTP, HTTPS, and Other. Clear text data is depicted as an individual series and shown as FTP data (clear). The rest of the FTP data is depicted as the Other TCP data series. Any traffic other than FTP, HTTP, and HTTPS is depicted as Others.

Note: When you enable compression on the appliance, the number of packets received from the WAN side is always less than the number of packets sent to the LAN-side. However, if you have not enabled compression on the appliance, the amount of data is almost the same on both sides of the appliance.

• LAN Packet Receive Rate—Displays data, in packets per second, received from the LAN side of the appliance. The graph includes a data series for each of the protocols being served by the appliance. In the following screen shot, a sample graph of a server-side appliance shows five series of data depicting FTP, HTTP, HTTPS, and Other. Clear text data is depicted as an individual series and shown as FTP data (clear). The rest of the FTP data is depicted as the Other TCP data series. Any traffic other than FTP, HTTP, and HTTPS is depicted as Others.


Note: When you enable compression on the appliance, the number of packets sent to the WAN-side is always less than the number of packets received from the LAN-side. However, if you have not enabled compression on the appliance, the number of packets is almost the same on both sides of the appliance.

• Total Traffic—Displays overall traffic, in bits per second, flowing through the appliance. The graph consists of four series of data depicting LAN send rate, LAN receive rate, WAN send rate, and WAN receive rate. Unlike preceding graphs, this one does not display status of the current and maximum traffic flowing for the duration depicted in the graph.

• Accelerated WAN Send Rate—Displays rate at which accelerated data is sent, in bits per second, from the WAN side of the appliance. The graph also depicts the licensed bandwidth of the appliance. Similar to the Total Traffic graph, this graph does not display the status of the current and maximum data send rate for the duration depicted in the graph.


Advanced

The Advanced tab displays statistics about the load that the appliance is handling. The tab consists of the Inbound Queue Service Time graph that depicts the time taken to process an incoming packet. The higher the time taken to process a packet, the higher the load the appliance is handling. The graph is automatically refreshed every 10 seconds. In addition to the graphical statistics, the graph also displays time taken to process the recent packets, average time taken to process packets during the time slot for which the graph is plotted, and the maximum time taken to process a packet in the duration depicted in the graphs. You can also hover the cursor over a data service to check a value for a specific time.


Monitoring with AppFlow

CloudBridge AppFlow support allows flexible, customized monitoring of your CloudBridge datacenter appliances.

The AppFlow interface works with any AppFlow collector. The collector receives detailed information from the appliance, using the AppFlow open standard (http://www.appflow.org). You can use the AppFlow collector to create customized analysis, monitoring, and reports. The AppFlow interface is easy to configure, requiring little more than the IP address of the AppFlow collector.

The CloudBridge AppFlow feature includes support for the NetScaler Insight Center and Splunk, which are based on AppFlow.

This feature is available on CloudBridge datacenter appliances (CloudBridge 3000, 4000, and 5000).

AppFlow monitoring includes support for the IPFIX architecture, as defined in RFC 5470. CloudBridge IPFIX support adds the following features:

• Templates for L4 (application) data records, WAN optimization data records, and HDX (XenApp/XenDesktop) data records, allowing expanded monitoring and analysis.

• Compatibility with NetScaler IPFIX templates.

• General IPFIX infrastructure, including collector and exporter processes and sampling/filtering options.

The above features enable or enhance the following activities:

• Providing historical and persistent reports


• Providing reports beyond what is available in the appliances

• Collecting information at user/client level

• Monitoring per-application compression

• Showing data per branch

• Monitoring unclassified TCP connections

• Providing network latency information

These enhancements are focused on TCP connections (accelerated and unaccelerated).

Because the CloudBridge appliance participates in XenApp/XenDesktop security, it can provide more specific statistics about the encrypted XenApp/XenDesktop data streams, including latency and application information that would not otherwise be available.
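A collector that receives this export has to learn record layouts from templates sent in-band and must treat every length field as untrusted input. The following is an added example, not Citrix code and not part of the original documentation: it decodes the IPFIX message, template-set and data-set layout (RFC 7011) from a constructed byte string with strict bounds checks. The enterprise number 99999, the addresses, ports and the choice of fields are constructed for illustration and are not CloudBridge's actual templates.

```python
import ipaddress
import struct

IPFIX_VERSION = 10        # RFC 7011 message header version
TEMPLATE_SET_ID = 2       # set ID that carries template records
VARLEN = 0xFFFF           # template field length meaning "variable length"
IANA_NAMES = {1: "octetDeltaCount", 7: "sourceTransportPort", 8: "sourceIPv4Address",
              11: "destinationTransportPort", 12: "destinationIPv4Address"}


class IpfixError(ValueError):
    """Malformed message; a collector should drop it rather than guess."""


def take(buf, off, fmt):
    """Bounds-checked struct read; returns (values, new offset)."""
    size = struct.calcsize(fmt)
    if off + size > len(buf):
        raise IpfixError("truncated message")
    return struct.unpack_from(fmt, buf, off), off + size


def parse_template_set(body, templates, domain):
    off = 0
    while off + 4 <= len(body):                  # fewer than 4 bytes left is padding
        (tid, count), off = take(body, off, "!HH")
        if tid < 256:
            raise IpfixError("template ID below 256")
        fields = []
        for _ in range(count):
            (ie, length), off = take(body, off, "!HH")
            pen = 0
            if ie & 0x8000:                      # enterprise bit: a 4-byte PEN follows
                (pen,), off = take(body, off, "!I")
            fields.append((ie & 0x7FFF, length, pen))
        templates[(domain, tid)] = fields        # templates are scoped per domain


def decode_value(ie, pen, raw):
    if pen == 0 and ie in (8, 12) and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    if pen == 0 and ie in IANA_NAMES:
        return int.from_bytes(raw, "big")
    return raw.hex()                             # enterprise or unknown element


def parse_data_set(body, fields):
    records, off = [], 0
    min_len = sum(1 if length == VARLEN else length for _, length, _ in fields)
    while min_len and off + min_len <= len(body):
        rec = {}
        for ie, length, pen in fields:
            if length == VARLEN:                 # 1-byte length, or 255 then 2 bytes
                (length,), off = take(body, off, "!B")
                if length == 255:
                    (length,), off = take(body, off, "!H")
            if off + length > len(body):
                raise IpfixError("field overruns its set")
            name = IANA_NAMES.get(ie, f"ie{ie}") if pen == 0 else f"pen{pen}.ie{ie}"
            rec[name] = decode_value(ie, pen, body[off:off + length])
            off += length
        records.append(rec)
    return records


def parse_message(msg, templates):
    """Parse one message; `templates` must persist between calls for one exporter."""
    (version, length, export_time, seq, domain), off = take(msg, 0, "!HHIII")
    if version != IPFIX_VERSION:
        raise IpfixError("not IPFIX version 10")
    if length != len(msg):
        raise IpfixError("header length does not match bytes received")
    records, skipped = [], 0
    while off < length:
        (set_id, set_len), body_off = take(msg, off, "!HH")
        if set_len < 4 or off + set_len > length:
            raise IpfixError("set length out of bounds")
        body = msg[body_off:off + set_len]
        if set_id == TEMPLATE_SET_ID:
            parse_template_set(body, templates, domain)
        elif set_id >= 256 and (domain, set_id) in templates:
            records += parse_data_set(body, templates[(domain, set_id)])
        else:
            skipped += 1                         # options template or unknown template
        off += set_len
    return {"domain": domain, "sequence": seq, "export_time": export_time,
            "records": records, "skipped_sets": skipped}


def build_sample(with_template=True):
    """Constructed message (all values made up): template 256 and one data record."""
    tmpl = struct.pack("!HH", 256, 6) + struct.pack("!10H", 8, 4, 12, 4, 7, 2, 11, 2, 1, 8)
    tmpl += struct.pack("!HHI", 0x8000 | 1, VARLEN, 99999)   # placeholder enterprise field
    data = bytes([192, 0, 2, 10, 198, 51, 100, 20]) + struct.pack("!HHQ", 49152, 1494, 123456)
    data += b"\x03ica"                           # variable-length value with 1-byte length
    body = struct.pack("!HH", 256, 4 + len(data)) + data
    if with_template:
        body = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl + body
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 1435466263, 1, 7) + body
```

Calling `parse_message(build_sample(), {})` returns one decoded record. A data set that arrives before its template is counted in `skipped_sets` instead of being decoded with a guessed layout.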


Prerequisites

Make sure that the following prerequisites are met:

• XenApp/XenDesktop version 7.5

• ICA Client: Windows Citrix Receiver version 14.x

• NTP server configured on both the CloudBridge and the Insight Center appliance

• MSI disabled on CloudBridge


Enabling AppFlow Monitoring

AppFlow monitoring is managed on the Configuration > Appliance Settings > AppFlow page.

WAN optimization monitoring is enabled by default. HDX (ICA) monitoring is optional.

You must specify up to 4 systems running AppFlow “collectors.” AppFlow data is sent to the IP addresses and ports that you specify.

Caution: The volume of data sent to the collector is large, and might exceed your WAN bandwidth. Use AppFlow monitoring for local appliances only.

Figure 1. The Configuration > Appliance Settings > AppFlow Page

The AppFlow page configures AppFlow monitoring. The parameters are:

• Data Set: Two data sets are available: WANOpt (general acceleration statistics) and HDX (Citrix XenApp/XenDesktop). WANOpt is always enabled. HDX monitoring is optional.

• Data Update Interval: How often the data collectors receive an update, in minutes.

• Collectors: An AppFlow collector receives the AppFlow data stream from the appliance. Each collector is configured with a name, an IP address, and a port. Up to four collectors can be defined, and they can be enabled or disabled independently. They can also be edited or deleted. (Once defined, the IP address of a collector cannot be changed. To change the address of a collector, delete the collector definition and create a new one with the new IP address.)


Using AppFlow with Splunk

CloudBridge AppFlow support works with any AppFlow collector. One such collector is Splunk, a monitoring program that can be used as an AppFlow collector. Download the Splunk application from splunk.com and import the Splunk definitions provided with your CloudBridge software release.

To add these definitions (called an “application” in Splunk), log on to Splunk and go to the Apps > Upload App page. Browse to the CloudBridge Splunk file and upload it. Once the file is installed and Splunk restarts, Splunk collects data from your appliances. You can monitor your appliances by launching the “Splunk App for Citrix CloudBridge” application from the Splunk Apps page. The following figure shows the CloudBridge Overview page.


Viewing the SSL Certificate on the Management Service

The Management Service uses an SSL certificate for secure client connections. You can view the details of this certificate, such as validity status, issuer, subject, days to expire, valid from and to dates, version, and serial number.

To view the SSL certificate, click System and in the Set Up Appliance group, click View SSL Certificate.

To view the SSL certificate on the Management Service

1. In the navigation pane, click System.

2. In the System pane, click View SSL Certificate. The certificate details are displayed.


Viewing the Properties of the Appliance

You can view system properties such as the number of CPU cores, total available memory and free memory, and various product details on the Configuration tab.

To view the properties of the appliance, click the Monitoring tab.

You can view the following information about system resources, Hypervisor, License, and System:

System Resources

Total CPU Cores

The number of cores in all system CPUs.

Total Memory (GB)

Total appliance memory in gigabytes.

Free Memory (GB)

Free appliance memory in gigabytes.

Maximum # NetScaler Instances.

Maximum # Repeater Instances.

Hypervisor Information

Uptime

Time since the appliance was last restarted, in number of days, hours, and minutes.

Edition

The edition of XenServer that is installed on the SDX appliance.

Version

The version of XenServer that is installed on the SDX appliance.

iSCSI IQN

The iSCSI Qualified Name.

Product Code

Product code of XenServer.

Serial Number


Serial number of XenServer.

Build Date

Build date of XenServer.

Build Number

Build number of XenServer.

Supplemental Pack

Version of the supplemental pack installed on the SDX appliance.

License Information

Platform

Model number of the hardware platform, based on the installed license.

System Information

Platform

Model number of the hardware platform.

Product

Type of NetScaler product.

Build

NetScaler release and build running on the SDX appliance.

IP Address

IP address of the Management Service.

Host ID

XenServer host ID.

System ID

XenServer system ID.

Serial Number

XenServer serial number.

System Time

System time displayed in Day Month Date Hours:Min:Sec Timezone Year format.

Uptime


Time since the Management Service was last restarted, in number of days, hours, and minutes.

BIOS version

BIOS version.


Viewing Real-Time Appliance Throughput

The total throughput of the appliance for incoming and outgoing traffic is plotted in real time in a graph that is updated at regular intervals. By default, throughputs for both incoming and outgoing traffic are plotted together on the graph.

To view the throughput of the appliance, on the Monitoring tab, in the navigation pane, expand Monitoring, and then click Throughput.


Viewing Real-Time CPU and Memory Usage

You can view a graph of CPU and memory usage of the appliance. The graph is plotted in real time and updated at regular intervals.

To view the CPU and memory usage of the appliance, on the Monitoring tab, in the navigation pane, expand Monitoring, and then click CPU / Memory Usage.


Viewing CPU Usage for All Cores

You can view the usage of each CPU core on the appliance.

The CPU Core Usage pane displays the following details:

Core Number

The CPU core number on the appliance.

Physical CPU

The physical CPU number of that core.

Hyper Threads

The hyper threads associated with that CPU core.

Instances

The instances that are using that CPU core.

Average Core Usage

The average core usage, expressed as a percentage.

To view the CPU usage for all the cores on the appliance, on the Monitoring tab, in the navigation pane, expand Monitoring, and then click CPU Core Usage.


Monitoring the NetScaler Instance

A high-level view of the performance of the appliance and the NetScaler VPX instance provisioned on the appliance is displayed on the Monitoring page of the Management Service user interface. After provisioning and configuring the NetScaler instance, you can perform various tasks to monitor the NetScaler instance.


Viewing the Properties of the NetScaler Instance

The Management Service user interface displays the list and description of the NetScaler VPX instance provisioned on the appliance. Use the NetScaler Instances pane to view details, such as the instance name and IP address, CPU and memory utilization, number of packets received and transmitted on the instance, and the throughput and total memory assigned to the instance.

Clicking the IP address of the NetScaler VPX instance opens the configuration utility (GUI) of that instance in a new tab or browser.

To view the properties of the NetScaler Instance

1. On the Configuration tab, in the left pane, expand NetScaler Configuration, and then click Instances.

Note: You can also view the properties of a NetScaler VPX instance from the Home tab.

2. In the NetScaler Instances pane, you can view the details for the NetScaler instance.

3. Click the arrow next to the name of a NetScaler instance to view the properties of that instance, or click Expand All to view the properties of all the NetScaler instances.


Viewing the Running and Saved Configuration of a NetScaler Instance

By using the Management Service you can view the currently running configuration of the NetScaler instance. You can also view the saved configuration of a NetScaler instance and the time when the configuration was saved.

To view the running and saved configuration of the NetScaler instance

1. On the Configuration tab, in the left pane, expand NetScaler Configuration, and then click Instances.

2. In the NetScaler Instances pane, click the NetScaler instance for which you want to view the running or saved configuration.

3. To view the running configuration, click Running Configuration, and to view the saved configuration, click Saved Configuration.

4. In the NetScaler Running Config window or the NetScaler Saved Config window, you can view the running or saved configuration of the NetScaler instance.


Pinging a NetScaler Instance

You can ping a NetScaler instance from the Management Service to check whether the device is reachable.

To ping a NetScaler instance

1. On the Configuration tab, in the left pane, expand NetScaler Configuration, and then click Instances.

2. In the NetScaler Instances pane, click the NetScaler instance you want to ping, and then click Ping. In the Ping message box, you can view whether the ping is successful.


Tracing the Route of a NetScaler Instance

You can trace the route of a packet from the Management Service to a NetScaler instance by determining the number of hops used to reach the instance.

To trace the route of a NetScaler instance

1. On the Configuration tab, in the left pane, expand NetScaler Configuration, and then click Instances.

2. In the NetScaler Instances pane, click the NetScaler instance you want to trace, and then click TraceRoute. In the Traceroute message box, you can view the route to the NetScaler.


Rediscovering a NetScaler Instance

You can rediscover a NetScaler instance when you need to view the latest state and configuration of a NetScaler instance.

During rediscovery, the Management Service fetches the configuration. By default, the Management Service schedules devices for rediscovery once every 30 minutes.

To rediscover a NetScaler instance

1. On the Configuration tab, in the left pane, expand NetScaler Configuration, and then click Instances.

2. In the NetScaler Instances pane, click the NetScaler instance you want to rediscover, and then click Rediscover.

3. In the Confirm message box, click Yes.


Monitoring the CloudBridge Instance

After provisioning and configuring the CloudBridge instances, you can perform simple monitoring through the service VM, which will reveal whether the CloudBridge instance is running or not, and give some statistics about it.

More detailed monitoring is done through the browser-based UI of the individual CloudBridge instances, using their Management IP addresses. See the Branch CloudBridge Family User’s Guide, rel. 6.05.5-5.7, for complete information on the CloudBridge instances and user interface.

• Viewing the Properties of the CloudBridge Instances.

• Viewing the Running and Saved Configuration of CloudBridge Instances.

• Pinging CloudBridge Instances.

• Tracing the Route of CloudBridge Instances.

• Rediscovering CloudBridge Instances.


Viewing the Properties of the CloudBridge Instances

The service VM user interface displays the list and description of the CloudBridge instances provisioned on the appliance. Use the CloudBridge Instances pane to view details, such as the instance name and IP address, CPU and memory utilization, number of packets received and transmitted on the instance, and the throughput and total memory assigned to the instance.

Clicking the IP address of the CloudBridge instance opens the configuration utility (GUI) of that instance in a new tab or browser.


To view the properties of the CloudBridge Instances

1. On the Configuration tab, in the left pane, expand CloudBridge, and then click Instances.

Note: You can also view the properties of CloudBridge instances from the Home tab.

2. In the CloudBridge Instances pane, you can view the following details for the CloudBridge instances:

• Name - The host name assigned to the CloudBridge instance while provisioning.

• VM State - The state of the virtual machine.

• Instance State - The state of the CloudBridge instance.

• IP Address - The IP address of the instance. Clicking the IP address opens the GUI of this instance in a new tab or browser.

• CPU Usage (%) - The percentage of CPU utilization on the CloudBridge.

• Memory Usage (%) - The percentage of memory utilization on the CloudBridge.

• System Load (%) - The percentage of CPU utilization on the instance.

• Active connections - The percentage of memory utilization on the instance.

• WAN Out (Mbps) - Current WAN bandwidth usage in the sending direction.

• WAN In (Mbps) - Current WAN bandwidth usage in the receiving direction.

• LAN Out (Mbps) - Current LAN bandwidth usage in the sending direction.

• LAN In (Mbps) - Current LAN bandwidth usage in the receiving direction.

3. Click the arrow next to the name of a CloudBridge instance to view the properties of that instance, or click Expand All to view the properties of all the CloudBridge instances. You can view the following properties:

• apA IP Address - The address of the accelerated bridge.

• apA Gateway - The gateway used by the accelerated bridge.

• Total Memory (MB) - The memory allocated to the virtual machine.

• Total Memory - RAM allocated to the instance.

• Version - CloudBridge version, build number, and build date.

• Uptime. Time since the last reboot.

• Operating Status. Status of the virtual machine.

• Accelerated Connections. The current number of accelerated connections.

• Unaccelerated Connections. The current number of unaccelerated connections.


• Connected Plugins - The number of CloudBridge Plug-ins that currently have an open signaling connection. (Not supported on this release.)

• Max. Plugins - The maximum number of Plug-ins supported by the license and architecture of the instance. (Not supported on this release.)

• Bandwidth Limit (kbps) - The current send bandwidth limit of the CloudBridge instance.

• Bandwidth Mode - Shows the state of the hardboost/softboost and full bandwidth/partial bandwidth modes.

• Host Name - The host name of the instance.

• Total Memory (GB) - The total memory being assigned to the instance.

• Status - The status of the operations being performed on an instance, such as status of whether inventory from the instance is completed or whether reboot is in progress.


Viewing the Running and Saved Configuration of a CloudBridge Instance

By using the service VM you can view the current configuration of a CloudBridge instance.

By using the service VM you can view the currently running configuration of the NetScaler instance. You can also view the saved configuration of the NetScaler instance and the time when the configuration was saved.

To view the running and saved configuration of a CloudBridge Instance

1. On the Configuration tab, in the left pane, expand CloudBridge, and then click Instances.

2. In the CloudBridge Instances pane, click the NetScaler instance for which you want to view the running or saved configuration.

3. Click Current Configuration. To view the running configuration, click Running Configuration, and to view the saved configuration, click Saved Configuration.

4. In the CloudBridge Running Config window or the CloudBridge Saved Config window, you can view the running or saved configuration of the CloudBridge instance.


Pinging a CloudBridge Instance

You can ping a CloudBridge instance from the service VM to check whether the device is reachable.

To ping a CloudBridge instance

1. On the Configuration tab, in the left pane, expand CloudBridge Configuration, and then click Instances.

2. In the CloudBridge Configuration pane, click the CloudBridge instance you want to ping, and then click Ping. In the Ping message box, you can view whether the ping is successful.


Tracing the Route of a CloudBridge Instance

You can trace the route of a packet from the service VM to a CloudBridge instance by determining the number of hops used to reach the instance.

To trace the route of a CloudBridge instance

1. On the Configuration tab, in the left pane, expand CloudBridge Configuration, and then click Instances.

2. In the CloudBridge Instances pane, click the CloudBridge instance you want to trace, and then click TraceRoute. In the Traceroute message box, you can view the route to the instance.


Rediscovering Instance


You can rediscover a CloudBridge instance when you need to view the latest state and configuration of a CloudBridge instance.

During rediscovery, the service VM fetches the configuration. By default, the service VM schedules devices for rediscovery once every 30 minutes.

To rediscover a CloudBridge instance

1. On the Configuration tab, in the left pane, expand CloudBridge, and then click Instances.

2. In the CloudBridge Instances pane, click the instance, and then click Rediscover.

3. In the Confirm message box, click Yes.


Monitoring Operations and Events by Using Logs

Use audit and task logs to monitor the operations performed on the Management Service and on the NetScaler instance. You can also use the events log to track all events for tasks performed on the Management Service and the XenServer.


Viewing Audit Logs

All operations performed by using the Management Service are logged in the appliance database. Use audit logs to view the operations that a Management Service user has performed, the date and time of each operation, and the success or failure status of the operation. You can also sort the details by user, operation, audit time, status, and so on by clicking the appropriate column heading.

Pagination is supported in the Audit Log pane. Select the number of records to display on a page. By default, 25 records are displayed on a page.


To view audit logs

1. In the navigation pane, expand System, and then click Audit.

2. In the Audit Log pane, you can view the following details.

User Name

The Management Service user who has performed the operation.

IP Address

The IP address of the system on which the operation was performed.

Port

The port at which the system was running when the operation was performed.

Resource Type

The type of resource used to perform the operation, such as xen_vpx_image and login.

Resource Name

The name of the resource used to perform the operation, such as vpx_image_name and the user name used to log in.

Audit Time

The time when the audit log was generated.

Operation

The task that was performed, such as add, delete, and log out.

Status

The status of the audit, such as Successful or Failed.

Message

A message describing the cause of failure if the operation has failed and the status of the task, such as Done, if the operation was successful.

3. To sort the logs by a particular field, click the heading of the column.


Viewing Task Logs

Use task logs to view and track tasks, such as upgrading instances and installing SSL certificates, that are executed by the Management Service on the NetScaler instances. The task log lets you view whether a task is in progress or has failed or has succeeded.

Pagination is supported in the Task Log pane. Select the number of records to display on a page. By default, 25 records are displayed on a page.

To view the task log

1. In the navigation pane, expand Diagnostics, and then click Task Log.

2. In the Task Log pane, you can view the following details.

ID

The auto-generated ID assigned to a task. For a task performed on multiple instances, such as installing SSL certificate or upgrading instances, a single unique ID is generated in the task log.

Name

The name of the task that is being executed or has already been executed.

Status

The status of the task, such as In progress, Completed, or Failed.

Executed By

The Management Service user who has performed the operation.

Start Time

The time at which the task started.

End Time

The time at which the task ended.

3. To sort the logs by a particular field, click the heading of the column.

Viewing Task Device Logs

Use task device logs to view and track tasks being performed on each NetScaler instance. The task device log lets you view whether a task is in progress or has failed or has succeeded. It also displays the IP address of the instance on which the task is performed.


To view the task device log

1. In the navigation pane, expand Diagnostics, and then click Task Log.

2. In the Task Log pane, double-click the task to view the task device details.

3. In the Task Device Log pane, to sort the logs by a particular field, click the heading of the column.

Viewing Task Command Logs

Use task command logs to view the status of each command of a task executed on a NetScaler instance. The task command log lets you view whether a command has been successfully executed or has failed. It also displays the command that is executed and the reason why a command has failed.

To view the task command log

1. In the navigation pane, expand Diagnostics, and then click Task Log.

2. In the Task Log pane, double-click the task to view the task device details.

3. In the Task Device Log pane, double-click the task to view the task command details.

4. In the Task Command Log pane, to sort the logs by a particular field, click the heading of the column.


Viewing Events

Use the Events pane in the Management Service user interface to monitor the events generated by the Management Service for tasks performed on the Management Service.

To view the events

1. On the Monitoring tab, in the left pane, expand Monitoring, and then click Events.

2. In the Events pane, you can view the following details.

Severity

The severity of an event, which could be critical, major, minor, clear, or information.

Source

The IP address on which the event is generated.

Date

The date when the event is generated.

Category

The category of event, such as PolicyFailed and DeviceConfigChange.

Message

The message describing the event.

3. To sort the events by a particular field, click the heading of the column.


CloudBridge VPX

Citrix CloudBridge VPX is a virtual Citrix CloudBridge appliance that can be hosted on Citrix XenServer, VMware ESX or ESXi, Microsoft Hyper-V, and Amazon AWS virtualization platforms. A CloudBridge VPX appliance supports most of the features of a physical Repeater 8500 series appliance.

Because CloudBridge VPX is a virtual machine, you can deploy it on your choice of hardware, exactly where you need it, and combine it with other virtual machines -- servers, VPN units, or other appliances -- to create a unit that precisely suits your needs.

CloudBridge VPX software is available as:

• A Xen virtual machine running under XenServer 5.5 and later.

• A VMware vSphere virtual machine running under ESX/ESXi 4.1.

• A Hyper-V virtual machine under 64-bit Windows 2008 R2 SP1.

• An Amazon EC2 instance.

Note: XenServer and VMware vSphere support VLAN trunking, but Hyper-V does not.

When a newly installed CloudBridge VPX virtual machine is up and running, you configure it as you would configure a physical CloudBridge appliance, using the same configuration screens.

Differences between VPX and Physical CloudBridge Appliances

A CloudBridge VPX virtual appliance is similar to a Repeater 8500 series appliance, including support for the CloudBridge Plug-in and links of up to 45 mbps. Following are the key differences:

• Except for Amazon EC2 instances, licensing via remote license servers is mandatory for retail licenses. Local licensing is available for non-retail licenses, such as evaluation and VPX Express licenses. For Amazon EC2 instances, you can use either Citrix licensing or select a product with built-in licensing for the bandwidth limit you desire (2, 10, 20, or 45 Mbps).

• CloudBridge VPX obtains its CloudBridge Plug-in licenses from the remote license server (except for CloudBridge VPX for Amazon AWS, which does not support Plug-ins). Plug-ins connecting to multiple virtual appliances consume only a single Plug-in license, not one license per appliance, provided that all virtual appliances use the same license server.

• The CloudBridge LCD front-panel display is not supported.

• The RS-232 serial command interface is not supported.


• Multiple accelerated bridges are not supported.

• Ethernet bypass cards are not supported.

• Group mode is not supported.

• CloudBridge High-availability mode is not supported. (XenServer HA and vSphere HA are supported.)

• Three ports are supported (apA.1, apA.2, and Primary), except for Amazon AWS instances, which support only a single port.


CloudBridge VPX Usage Scenarios

You can deploy CloudBridge VPX to accelerate the traffic to or from a branch office, to and from a particular server, or in the cloud. In the data center, you can create a flexible and powerful configuration by assigning a separate VPX instance to each server. Or, at any location, you can assign multiple VPX instances to one server, for different types or levels of acceleration services within the same server.

For employees connecting through VPNs, CloudBridge VPX can accelerate their connections.

As with a physical appliance, inline mode is the most common type of configuration, but WCCP and virtual inline modes can provide an effective deployment.


As with a physical appliance, inline mode is the most common type of configuration, but WCCP mode can provide an effective failover mechanism.

Branch-office accelerator

A CloudBridge VPX image can be installed on the server of your choice and deployed just like a CloudBridge appliance. CloudBridge VPX has all the functionality of a CloudBridge appliance, and in addition has advantages provided by virtualization. Group mode and high-availability modes are not supported.

Figure 1. VPX use case #1: Branch-office accelerator

Accelerated branch-office server


If you add a virtual server to the simple branch-office accelerator configuration, you have an accelerated branch-office server, as shown in the figure below. If you assign the virtual networks within the appliance hosting the virtual machines so that the path to the WAN passes through the virtual CloudBridge, all WAN traffic is accelerated automatically. For example, all web traffic, backups, remote applications, database queries, and operations that require network-file-system access are accelerated.

The virtual environment allows you to add the desired functionality to the server unit, including the operating system and features of your choice. This configuration accelerates all the WAN traffic from every system in the branch office. You can even deploy multiple virtual servers on the same machine, consolidating your branch-office rack down to a single unit running multiple virtual machines.

Figure 2. VPX use case #2: Accelerated branch-office server

Accelerated datacenter servers

Installing CloudBridge VPX VMs on every server in the data center creates a solution that scales perfectly as you add server capacity, while minimizing the number of servers by adding acceleration to the servers themselves. Once you have more than a few accelerated servers, the aggregate acceleration provided by multiple CloudBridge VPX VMs exceeds anything that can be provided with a single appliance.

CloudBridge VPX accelerates all types of network applications, including XenApp, XenDesktop, Citrix Merchandising Server, network file systems, databases, web servers, and more.


Figure 3. VPX use case #3: Accelerated Datacenter Servers

VPN accelerator

By installing the VPN of your choice with CloudBridge VPX, you have an accelerated VPN.

Note: Unlike other configurations, the VPN virtual machine is on the WAN side and the CloudBridge VPX virtual appliance is on the LAN side, because the VPN traffic must be decrypted for compression and application acceleration.

Figure 4. VPX use case #4: VPN accelerator

Multiple CloudBridge VPX Instances on the Same Server


By putting multiple CloudBridge VPX VMs on the same server, you can create different types or levels of acceleration services within the same unit. One VPX instance might be dedicated to a critical application, or each instance dedicated to an individual remote site or customer. Use VLAN switches to direct traffic to the appropriate VPX instance.


Figure 5. VPX use case #5: Multiple Instances for Dedicated Acceleration Resources

WCCP and virtual inline deployment

WCCP and virtual inline modes are suitable for one-arm deployments, which use only one CloudBridge port. The Amazon AWS version of CloudBridge VPX uses only a single port, and is thus always deployed in a one-armed mode.

Figure 6. VPX use case #6: WCCP or virtual inline deployment

In cases where an Ethernet bypass card would be desirable, using WCCP instead of inline mode provides effective fault-tolerance, because WCCP has built-in health-checking. Instead of forwarding traffic through an unresponsive WCCP device, the routers send the traffic directly to the end point.

Branch-office accelerator

CloudBridge VPX can be installed on the server of your choice and deployed just like any other CloudBridge appliance. CloudBridge VPX has the same functionality as the CloudBridge appliance along with the additional features provided by virtualization. The group mode and high-availability mode are not supported.

CloudBridge VPX Features

CloudBridge VPX supports Citrix Command Center release 4.0 or later. CloudBridge also supports CloudBridge VPX Express licenses, which support a maximum accelerated sending rate of 512 kbps, 10 accelerated connections, and 5 CloudBridge Plug-ins.

• VPX for XenServer special features include:


• XenServer Essentials Support

• XenMotion Live Migration

• XenServer High Availability

• Workload Balancing

• Performance Monitoring and Alerts

• VPX for VMware vSphere special features include:

• VMware vCenter Server (remote management).

• VMware vSphere HA (high availability).

• VMware vSphere vMotion (migrate CloudBridge VPX to a different server with identical processors).

• VMware Guest Customization (replicate VPX with different per-instance parameters).


System Requirements and Provisioning

CloudBridge VPX runs on XenServer 5.5 or later, VMware vSphere ESX/ESXi 4.1 or later, Hyper-V under 64-bit Windows Server 2008 R2 SP1, and Amazon AWS. CloudBridge VPX supports four configurations, from 2 to 8 GB of RAM and 100 to 500 GB of disk space. The intermediate, 4 GB RAM/250 GB disk configuration is similar to the Repeater 8500 series appliance.

Supported Configurations

The following tables list all supported CloudBridge VM configurations. (Amazon AWS configurations are preselected and are somewhat different.)

Type                      vCPUs  RAM   Disk    Maximum WAN Speed  Maximum Accelerated Connections  Maximum CloudBridge Plug-ins
2 GB production config.   2      2 GB  100 GB  2 mbps             1,000                            50
4 GB production config.   2      4 GB  250 GB  10 mbps            10,000                           250
4 GB production config.*  2      4 GB  250 GB  45 mbps            15,000                           400
8 GB production config.   4      8 GB  500 GB  45 mbps            25,000                           500

* With 45 mbps license

Other configurations (not for production networks)

Type                      vCPUs  RAM   Disk    Maximum WAN Speed  Maximum Accelerated Connections  Maximum CloudBridge Plug-ins
VPX Express               2      1 GB  60 GB   512 kbps           10                               5
Min. evaluation config.   2      1 GB  60 GB   2 mbps             1,000                            5

Minimum Resource Requirements

A CloudBridge VPX virtual machine has the following minimum hardware requirements for a production environment:

• 2 GB RAM

• 100 GB disk (local disks provide the best performance)


• 2 virtual NICs (Ethernet ports), except for Amazon AWS, which requires only one virtual NIC

• 2 virtual CPUs

• A modern CPU (Intel Nehalem or newer or AMD Family 10h or newer, both of which were introduced in 2008). Older CPUs may run at reduced performance due to the use of emulated x86 TSC (timestamp counter) functionality. If clock states higher than C1 are not used and SpeedStep/PowerNow modes are disabled in the BIOS of older processors, TSC emulation will not be used and the system will run at normal speed.

The server hosting CloudBridge VPX must have RAM and disk resources greater than those required by the VPX VM. (VPX does not support VMware hardware over-commit.) However, having as many physical Ethernet ports as virtual ones is not mandatory if one of a CloudBridge VPX VM's Ethernet ports is connected to another virtual machine on the same server. Possible Ethernet options include:

• Mapping the CloudBridge VPX VM's two virtual ports to two physical ports, rendering its operation equivalent to that of a stand-alone CloudBridge.

• Mapping one of CloudBridge VPX VM's virtual ports to a physical port, and the other to a virtual network containing one or more virtual machines on the same server, thus creating an accelerated server.

• Mapping each of CloudBridge VPX VM's virtual ports to a virtual network, thus chaining the CloudBridge VPX VM between two sets of VMs on the same server.

The following figure shows a CloudBridge VPX VM in a one-arm deployment for traffic that terminates on another virtual machine on the same server. Only one physical port is required in this case, but both virtual ports are used.

Figure 1. Ethernet (Network) Port Assignments, One-Arm Operation

Maximum Usable Resources

Following are the maximum amounts of resources that a single CloudBridge VPX virtual machine can use effectively:

• 4 virtual CPUs

• 8 GB RAM

• 500 GB disk


• 4 virtual NICs

Server resources not allocated to CloudBridge VPX VMs are available to other VMs on the same server, but be careful to avoid overcommitting resources.

Disk and RAM

As the amounts of RAM and disk space are increased, the additional resources are allocated primarily to the compression subsystem. Increased memory also allows more connections and acceleration partners to be supported.

The CloudBridge compression system makes heavy demands on the disk subsystem. In general, local disk storage outperforms network disk storage and reduces resource contention on both the LAN and the network disk.

The relationship between disk or memory resources and link speed is indirect. Memory and disk sizes have no effect on the speed at which packets are sent over the link (bps). Providing more memory and disk space improves compression performance by increasing the amount of compression history that can be used for pattern matching.

Virtual NICs

Except for Amazon AWS, two virtual network interfaces are required. They are bridged and used for both acceleration and the browser-based user interface. These interfaces must be attached to different virtual networks. Note that, for one-arm operation, the second interface can be a stub, attached only to a CloudBridge VPX VM.

A third virtual network interface provides an independent interface to the CloudBridge VPX VM, which is the equivalent to the Primary port on a physical appliance. It can be used for the browser-based interface, but not for acceleration.

Other Virtual Machines

• Server resources beyond those allocated to CloudBridge VPX are available for other virtual machines on the same server.

• Resource usage by other VMs affects CloudBridge VPX performance, and vice versa. Acceleration makes intensive use of CPU, memory, disk, and network.

Virtual network routing can be used to connect other VMs on the server to CloudBridge VPX VMs, but the simplest method of connecting such VMs is to attach them to the server's LAN-side Ethernet port. WAN-bound packets then pass through the CloudBridge VPX VM's bridge and are accelerated automatically, whether they originate inside or outside the server hosting VPX.


Figure 2. An Inline Deployment that Accelerates External Traffic and Traffic from Local VMs


Installing CloudBridge Virtual Appliances on XenServer

To install Citrix CloudBridge virtual appliances on Citrix XenServer, you must first install XenServer on a machine with adequate system resources. To perform the CloudBridge VPX installation, you use Citrix XenCenter, which must be installed on a remote machine that can connect to the XenServer host through the network.

Before you begin installing a virtual appliance, do the following:

• Install XenServer® version 5.6 or later on hardware that meets the minimum requirements.

• Install XenCenter® on a management workstation that meets the minimum system requirements.

• Obtain VPX license files.

With the prerequisites met, you are ready to import the virtual appliances and configure them.


To import a CloudBridge virtual appliance to XenServer by using XenCenter

1. Start XenCenter on your workstation.

2. On the Server menu, click Add.

3. In the Add New Server dialog box, in the Hostname text box, type the IP address or DNS name of the XenServer server that you want to connect to.

4. In the User Name and Password text boxes, type the administrator credentials, and then click Connect. The XenServer name appears in the navigation pane with a green circle, which indicates that the XenServer is connected.

5. In the navigation pane, click the name of the XenServer server on which you want to install CloudBridge VPX.

6. On the VM menu, click Import.

7. In the Import dialog box, in Import file, browse to the location at which you saved the CloudBridge VPX .xva image file. Make sure that the Exported VM option is selected, and then click Next.

8. Select the XenServer server on which you want to install the virtual appliance, and then click Next.

9. Select the local storage repository in which to store the virtual appliance, and then click Import to begin the import process.

10. Add, modify, or delete virtual network interfaces as required. Attach virtual network interfaces interface 0 and interface 1 to the two different virtual adapters (called Networks on this screen). These two interfaces are used as the accelerated bridge of the virtual appliance. If virtual network interface interface 2 exists, it can be assigned as well, and used as a management interface (equivalent to the Primary port).


Important: Do not attach both virtual adapters to the same network. Doing so creates forwarding loops, which can cause network outages. Also, do not attach the two physical Ethernet ports associated with CloudBridge VPX to the same Ethernet switch.

When finished, click Next.

11. Clear the Start the VM after Import check box.

12. Click Finish to complete the import process. To view the status of the import process, click the Log tab. The newly created virtual machine appears under the server list in the XenCenter interface.


To configure the virtual CloudBridge appliance

1. In XenCenter, select the icon for the CloudBridge VPX virtual machine. Then, on the Storage tab, select Properties and, in the Properties dialog box, adjust the disk allocation to the desired level.

Note:

• Changing the disk allocation on the CloudBridge VPX virtual machine resizes and reinitializes the compression history. Any accumulated history is lost.

• Do not attempt to change resource allocation while CloudBridge VPX is running.

• Do not use the Force Shutdown or Force Reboot commands. They might not work and can cause problems. Use the Shutdown and Reboot commands instead.

Figure 1. Setting the disk allocation

2. Right-click the Branch Repeater VPX icon and select the Properties option. Under CPU and Memory, select the number of VCPUs and the amount of VM memory corresponding to a supported configuration. See Supported Configurations for more details.


Figure 2. Setting the virtual CPU and memory allocations

3. In the Branch Repeater VPX Properties dialog box, click Startup Options, and then select the Auto-start on server boot check box. (The OS Boot Parameters are not used.)


Figure 3. Setting the start-on-server-boot option

4. Set the basic network parameters. Depending on which release you are running, do one of the following:

a. For Release 6.0, after the virtual machine starts, go to the virtual machine console, log into the command-line interpreter, and set the IP parameters for the accelerated bridge, using the following example as a guide:

    Login: admin
    Password: password
    admin> set adapter apa -ip 172.16.0.213 -netmask 255.255.255.0 -gateway 172.16.0.1
    admin> restart

Figure 4. Setting the IP parameters for the accelerated bridge

b. For Release 6.1 or later, when a Repeater VPX virtual machine is started for the first time, it automatically runs the Deployment Wizard. Follow the wizard to set the IP parameters.

5. After the CloudBridge VPX has restarted, log on to the browser-based UI (default credentials: admin and password) at the IP address that you assigned to apA.

6. From the Command menu, select Quick Installation.

7. On the Quick Installation page, perform a quick installation as you would for a physical CloudBridge appliance.

8. Enable bridging by clicking the Enable Bridging link.

9. Check the network assignments in XenCenter to make sure that the two accelerated bridge ports are connected to different networks, and then click OK.

Important: Connecting the two accelerated bridge ports to the same virtual or physical Ethernet segment creates network loops, which can bring down your entire network. In such a case, shut down the CloudBridge VPX virtual machine and fix the network assignments before proceeding.

10. Complete the configuration.


Installing CloudBridge Virtual Appliances on VMware ESX

Before installing Citrix Branch Repeater virtual appliances on VMware ESX, make sure that VMware ESX server is installed on a machine with adequate system resources. To install virtual appliances on VMware ESX version 4.1 or VMware ESXi version 4.0, or later, you use the VMware vSphere client. The client must be installed on a remote machine that can connect to VMware ESX through the network. After the installation, you can use the vSphere client to manage virtual appliances on either VMware ESX or VMware ESXi.

Before you begin installing a virtual appliance, do the following:

• Install VMware ESX version 4.1 or ESXi 4, or later, on hardware that meets the minimum requirements.

• Install the VMware vSphere client on a management workstation that meets the minimum system requirements.

• Download the CloudBridge VPX setup files.

• Obtain CloudBridge VPX license files.

Also, before installing a CloudBridge VPX virtual appliance, label all the interfaces that you plan to assign to VPX virtual appliances, in a unique format. In large deployments, labeling these interfaces in a unique format helps in quickly identifying them among other interfaces used by other virtual machines, such as Windows and Linux virtual machines. Such labeling is especially important when different types of virtual machines share the same interfaces.

CloudBridge VPX requires non-default networking options. Among other things, you will create two new virtual switches (vswitch0 and vswitch1) for the accelerated bridge, which must be assigned to two different virtual switches.

To label the physical network ports of the VMware ESX server

1. Log on to the VMware ESX server by using the vSphere client.

2. In the vSphere client, select the Configuration tab, and then click Networking.

3. At the top-right corner of the screen that appears, click Add Networking.

4. In the Add Network Wizard, for Connection Type, select Virtual Machine, and then click Next.

5. Scroll through the list of vSwitch physical adapters, and choose the physical port to map to interface 1/1 on the virtual appliance.

6. Enter NS_NIC_1_1 as the name of the vSwitch to associate with interface 1/1 of the virtual appliances.


7. Click Next to finish the vSwitch creation. Repeat the procedure, beginning with step 2, to add at least one more interface to be used by your virtual appliances. Label the interfaces sequentially, in the correct format (for example, NS_NIC_1_2).

To install CloudBridge virtual appliances on VMware ESX 4.1/ESXi 4

Note: This procedure assumes a basic familiarity with VMware vSphere. Details of the vSphere client’s operation might change with new releases of the vSphere software. The VMware documentation should be considered definitive. This procedure shows the desired results and one example of achieving them.

1. Install VMware ESX 4.1 (or later) on the selected server and the vSphere client on a system from which you can manage the server. You can download the software from http://downloads.VMware.com.

2. Configure the setting for the first virtual switch (vSwitch0)

• Log on to the VMware ESX server by using the vSphere client.

• On the vSphere client, select the Configuration tab, and then click Networking.

• On virtual switch vswitch0, click Properties.

Figure 1. Configuring vSwitch0, continued

• On the Properties page, select the VM Network and click Edit.


Figure 2. Configuring vSwitch0, continued

• On the Security tab, enable Promiscuous Mode. Click OK.


Figure 3. Configuring vSwitch0: setting promiscuous mode

• In the Properties dialog box, verify the changes, and then click Close.


Figure 4. Configuring vSwitch0, continued

3. Create the second virtual switch, label it, and configure settings for the new virtual switch (vswitch1).

• Log on to the VMware ESX server by using the vSphere client.

• In the vSphere client, on the Configuration tab, click Networking.

• At the top-right corner of the screen that appears, click Add Networking.

• In the Add Network Wizard, for Connection Type, select Virtual Machine, and then click Next.

• Select the Create a virtual switch check box.

• Scroll through the list of vSwitch physical adapters, and choose the physical port that will map to interface 1/1 on the virtual appliance.

Important: Do not select Use vSwitch0, or you will cause routing loops.

• Click Next.


Figure 5. Creating vSwitch1, continued

Figure 6. Creating vSwitch1, continued

• Verify that all new and modified virtual switches are configured appropriately.

• Label the new virtual switch as apA-1 by clicking on the connection settings and typing apA-1 in the Network Label text box.

• Click Next, and click Finish.


Figure 7. Naming vSwitch1

• Enable promiscuous mode on vSwitch1, following the same steps as for vSwitch0 in Step 2.

Figure 8. Enabling promiscuous mode on vSwitch1

4. Create the third virtual switch, vSwitch2, following the procedure in step 3, but attaching it to the port on the WAN side of your network and naming it apA-2. Enable the promiscuous mode on vSwitch2, as you did on the other ports.

5. Change the name of the virtual machine, if desired, and then click Next. Install the virtual machine.

• Start the VMware vSphere client on your workstation.

• In the IP address / Name text box, type the IP address of the VMware ESX server that you want to connect to.


• In the User Name and Password text boxes, type the administrator credentials, and then click Login.

• On the File menu, click Deploy OVF Template.

• In the Deploy OVF Template dialog box, in Deploy from file, browse to the location at which you saved the CloudBridge VPX setup files, select the .ovf file, and click Next.

• Change the name of the virtual machine, if desired, and then click Next.

• Map the networks shown in the CPX OVF template to the networks that you configured on the ESX host: LAN-apA1 to apA-1, and WAN-apA2 to apA-2.

Note:

Always assign the two CloudBridge bridge ports (accelerated pair ports) to different virtual and physical Ethernet segments.

If you assign both CloudBridge bridge (accelerated pair) ports to the same virtual or physical Ethernet port or switch, you will cause network loops. These network loops can make managing CloudBridge impossible and can bring down the entire Ethernet segment. For example, you will cause network loops if you assign both CloudBridge ports to vmnic0. The same thing happens if you assign the CloudBridge ports to different physical Ethernet interfaces, but plug both Ethernet interfaces into the same physical switch.

Figure 9. Mapping network interfaces to CloudBridge VPX

• Click Next to start installing VPX on VMware ESX. When installation is complete, a pop-up window informs you of the successful installation.


6. You are now ready to start the CloudBridge VPX instance. In the navigation pane, right-click the instance that you have just installed, and select Power On. Click the Console tab to emulate a console port.

7. Optionally, add a Primary Ethernet port.

• In the navigation pane, right-click the CloudBridge VPX instance that you have just installed, and select the Edit Settings option. On the Virtual Machine Properties page, click Add.

• In the Add Hardware window, select Ethernet Adapter as the device type to add, and then click Next.

Figure 10. Installing the Primary interface

• Select VMXNET 3 as the adapter type, and select VM Network as the network label.

• Click Finish, and then click OK.

• If desired, change the memory and hard disk parameters assigned to the CloudBridge VPX virtual machine to match one of the supported, nondefault configurations listed in <Section xref>.


Figure 11. Adjusting memory and disk allocation

8. If you are running Branch Repeater VPX release 6.0, deploy the virtual appliance as follows:

• At the logon prompt (in the console window), log on with default credentials: admin as the user name and password as the password.

• Use the set adapter apa command to set the accelerated bridge (apA) IP parameters. For example: set adapter apa -ip 172.16.0.213 -gateway 172.16.0.1 -netmask 255.255.255.0

• If you want a Primary port, use the set adapter primary command to set its IP parameters. This IP address must be different from the one assigned to apA. For example: set adapter primary -ip 172.16.1.222 -gateway 172.16.1.1 -netmask 255.255.255.0

Note: In systems with a Primary port, do not specify -gateway on both the Primary and apA ports. Choose one or the other.

• Restart the virtual machine to put the parameters into effect. Type: restart.

9. If you are running CloudBridge VPX release 6.1 or later, the CloudBridge VPX virtual machine automatically runs the Deployment Wizard when started for the first time. Follow the instructions and prompts that appear on the screen.

10. Continue configuration from the web UI, using the URL of either apA or the Primary port. For example (your address may vary): https://172.16.0.213


11. On the Quick Installation page, perform a quick installation, as you would for a physical CloudBridge appliance.

12. Enable bridging by clicking the Enable Bridging link.

13. Check the network assignments in XenCenter to make sure that the two network devices are connected to different Networks, and then click OK.

Important: Connecting two accelerated bridge ports to the same virtual or physical Ethernet segment creates network loops, which can bring down your entire network. In such a case, shut down the CloudBridge VPX virtual machine and fix the network assignments before proceeding.

14. Complete the configuration as you would with any CloudBridge installation.
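The constraints stated in step 8 (the Primary address must differ from the apA address, and -gateway belongs on only one of the two ports) can be checked before the commands are typed at the console. The following is an added example, not part of the Citrix documentation: the function names and sample plans are constructed here, the gateway-inside-subnet test is a general sanity check added by this example, and treating -ip and -netmask as required is an assumption of the example.

```python
import ipaddress
import shlex

ALLOWED_FLAGS = ("-ip", "-gateway", "-netmask")


def parse_set_adapter(line):
    """Split one 'set adapter <name> -ip A -gateway B -netmask C' line."""
    tokens = shlex.split(line)
    if len(tokens) < 3 or tokens[0:2] != ["set", "adapter"]:
        raise ValueError(f"not a set adapter command: {line!r}")
    name, rest = tokens[2].lower(), tokens[3:]
    if len(rest) % 2:
        # A value fused to the next flag (no space between them) lands here.
        raise ValueError(f"flag without a value in: {line!r}")
    opts = {}
    for flag, value in zip(rest[0::2], rest[1::2]):
        if flag not in ALLOWED_FLAGS:
            raise ValueError(f"unexpected token {flag!r} in: {line!r}")
        opts[flag.lstrip("-")] = value
    return name, opts


def check_adapter_plan(commands):
    """Return a list of problems (empty when the plan is consistent)."""
    adapters = {}
    for line in commands:
        name, opts = parse_set_adapter(line)
        adapters[name] = opts

    problems = []
    for name, opts in adapters.items():
        try:
            # Assumption of this example: -ip and -netmask are always given.
            iface = ipaddress.ip_interface(f"{opts['ip']}/{opts['netmask']}")
            if "gateway" in opts:
                gateway = ipaddress.ip_address(opts["gateway"])
                if gateway not in iface.network:
                    problems.append(
                        f"{name}: gateway {gateway} is outside {iface.network}")
        except KeyError as exc:
            problems.append(f"{name}: missing -{exc.args[0]}")
        except ValueError as exc:
            problems.append(f"{name}: {exc}")

    apa, primary = adapters.get("apa"), adapters.get("primary")
    if apa and primary:
        # Rule from the page: the Primary IP must differ from the apA IP.
        if apa.get("ip") and apa.get("ip") == primary.get("ip"):
            problems.append(
                "primary: IP address must differ from the one assigned to apA")
        # Rule from the page's note: -gateway on one port only.
        if "gateway" in apa and "gateway" in primary:
            problems.append("-gateway is set on both Primary and apA; choose one")
    return problems


# The two example commands from step 8, taken together.
PAGE_EXAMPLES = [
    "set adapter apa -ip 172.16.0.213 -gateway 172.16.0.1 -netmask 255.255.255.0",
    "set adapter primary -ip 172.16.1.222 -gateway 172.16.1.1 -netmask 255.255.255.0",
]

# Constructed plan: gateway kept on apA only.
GATEWAY_ON_APA_ONLY = [
    "set adapter apa -ip 172.16.0.213 -gateway 172.16.0.1 -netmask 255.255.255.0",
    "set adapter primary -ip 172.16.1.222 -netmask 255.255.255.0",
]

# Constructed plan with two mistakes: duplicate IP and an off-subnet gateway.
BROKEN_PLAN = [
    "set adapter apa -ip 172.16.0.213 -gateway 172.16.9.1 -netmask 255.255.255.0",
    "set adapter primary -ip 172.16.0.213 -netmask 255.255.255.0",
]

if __name__ == "__main__":
    for label, plan in (("page examples", PAGE_EXAMPLES),
                        ("gateway on apA only", GATEWAY_ON_APA_ONLY),
                        ("broken plan", BROKEN_PLAN)):
        print(label, "->", check_adapter_plan(plan) or "ok")
```

Run against the page's two sample commands together, the check reports the double -gateway that the note warns about, because each sample was written to stand alone.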

Configuring Advanced VMware Features

You can configure advanced VMware features to enhance CloudBridge capabilities. Most of the procedures for configuring advanced features use the vSphere Client, and details of its operation can vary with new releases of the vSphere software. The VMware documentation should be considered definitive. The procedures here show the desired results and one example of achieving them.

VLAN Support

CloudBridge VPX accelerates VLAN traffic automatically, without special configuration, and is thus compatible with VLAN trunking. To use VLAN trunking in a VPX deployment, the VMware server must have VLAN trunking enabled on the two apA bridge ports (apA.1 and apA.2), whose VLAN IDs must be set to "All(4095)."

To Enable VLAN Trunking

1. Log on to the VMware ESX server by using the vSphere client.

2. On the vSphere client, select the Configuration tab, and then click Networking.

3. On bridge port apA-1, click Properties.

4. On the Properties page, select the VM Network and click Edit.


Figure 12. Enabling VLAN trunking, continued

5. On the General tab, select VLAN ID ALL (4095). Click OK.


Larger Disks

To support the 500 GB CloudBridge VPX configurations, the datastore must be configured to support a maximum file size of 512 GB or more. This requires that the datastore have a block size of 2 MB or greater.

To Configure the datastore in VMware ESXi 4.1

1. Log on to the VMware ESX server by using the vSphere client.

2. Delete any existing virtual machines on the server.

3. Delete the existing datastore and create a new datastore with a block size of 2 MB or greater:


• In the vSphere client, select the Configuration tab, and then click Storage.

• In the datastores view, right click the datastore and select Delete.

Figure 13. Deleting the default datastore

• Click the Add Storage… link.

Figure 14. Adding a new datastore

• In the Add Storage window, select 512 GB, Block size: 2MB as the Maximum File size. Click Next.

Figure 15. Setting the datastore block size


4. Create a 500 GB virtual disk.

• In the Virtual Machine Properties, on the Hardware tab, click Hard disk 1.

• Set the Provisioned Size value to 500 GB. Click OK.

Figure 16. Creating a 500 GB virtual disk

To Configure the Datastore in VMware ESX 4.1

1. Boot the ESX 4.1 installation DVD.

2. Select the ESX installation as Install ESX in graphical mode.

3. After the ESX Installer welcome screen appears, switch to the shell prompt by pressing the Ctrl+Alt+F2 keys on your keyboard.

4. Type:

ps | grep Xorg

5. Kill the Xorg process. For example, if the PID of Xorg is 582, type:

kill 582

6. After you kill the Xorg process, the message Press <return> to reboot appears. Do not reboot. Instead, press Ctrl+Alt+F3 to go to another console and continue working without rebooting.


7. Type:

cd /usr/lib/vmware/weasel

8. Edit fsset.py (these instructions assume familiarity with vi). Type:

vi fsset.py

9. Search for class vmfs3FileSystem(FileSystemType):

10. Edit the blockSizeMB parameter to 2 (default value is 1)

11. Save the file and exit vi.

12. Go to the root directory and run weasel. Type:

cd /

/bin/weasel

13. Proceed with the normal installation process.

14. Create a 500 GB virtual disk.

• In the Virtual Machine Properties, on the Hardware tab, click Hard disk 1.

• Set the Provisioned Size value as 500 GB, and then click OK.

VMware Guest Customization

VMware guest customization is supported for some CloudBridge parameters, but not all.

The parameters for which VMware guest customization is supported are:

• Hostname

• Primary adapter network settings

• Primary DNS configuration

VMware guest customization is not supported for the following parameters:

• Accelerated bridge (apA) network settings

• Domain name, Area, Location, Secondary DNS, Tertiary DNS, and DNS search path

• Parameters specific to CloudBridge, such as bandwidth limits.

To configure VMware Guest Customization

1. Start with a CloudBridge VPX virtual machine that has been configured to include the Primary port as well as apA.

2. Verify that the Ethernet port configuration matches that shown in the following figure.


Figure 17. Verify Ethernet port assignments

3. Convert the VPX virtual machine into a template.

• In the vSphere Client, right-click Branch Repeater VPX and expand the Template option.

• Select Convert to Template.

Figure 18. Convert to template

4. Deploy a new virtual machine from the template.

• In the vSphere Client, right-click the Branch Repeater VPX instance and select Deploy Virtual Machine from this Template.


Figure 19. Deploying the new virtual machine

• On the Deploy Template screens, name the new VPX virtual machine, select Thick Format for virtual disks, and select Customize using the Customization Wizard.

• In the Customization Wizard, enter a host name and a dummy domain name for the new VPX virtual machine.

Figure 20. Customization wizard

• The value on the Time Zone screen is ignored by CloudBridge. Accept the default and go on to the next screen.

• On the Network screen, select Custom Settings if you need to change the Primary port IP address from the one in the template. You then assign this address (plus a subnet mask and default gateway) to NIC3. Do not change NIC1 or NIC2.

• On the DNS and Domain Settings screen, enter the DNS address used by CloudBridge VPX in the Primary DNS field. Leave the Secondary DNS and Tertiary DNS paths blank. Add a dummy domain such as test.com as the DNS Search Path.

Figure 21. Setting the DNS server

• Click Next, and then click Finish to exit the Guest Customization Wizard.

• In the Deploy Template Wizard, clear the Power on the virtual machine after creation check box.

• Double check network assignments before powering up the virtual machine.

Note: Attaching both apA ports to the same virtual or real switch causes network loops.

5. Start the virtual machine and continue CloudBridge configuration.


Installing CloudBridge Appliances on the Microsoft Hyper-V Platform

To install Citrix CloudBridge virtual appliances on Microsoft Windows Server, you must first install Windows Server, with the Hyper-V role enabled, on a machine with adequate system resources. While installing the Hyper-V role, be sure to specify the network interface cards (NICs) on the server that Hyper-V will use to create the virtual networks. You can reserve some NICs for the host. Use Hyper-V Manager to perform the CloudBridge VPX installation.

CloudBridge VPX for Hyper-V is delivered in virtual hard disk (VHD) format. It includes the default configuration for elements such as CPU, network interfaces, and hard-disk size and format. After you install a CloudBridge VPX instance, you can configure its network adapters, add virtual NICs, assign the CloudBridge IP address, subnet mask, and gateway, and complete the basic configuration of the virtual appliance.

Microsoft Server Hardware Requirements

• The server’s processor must support Intel Virtualization Technology.

• The server must run 64-bit Windows 2008 R2 SP1 (Standard, Enterprise, or DataCenter Editions), or 2012 (Standard or DataCenter Editions) with a full installation (not a Core installation), and the Hyper-V component enabled.

• Minimum system configuration is 4 GB RAM, 200 GB hard drive, and 2 physical CPUs.

• Two physical Ethernet NICs are required; three are recommended.

Note: The procedure below uses three NICs.

For more information about Windows Server 2008 R2 system requirements, see http://www.microsoft.com/windowsserver2008/en/us/system-requirements.aspx (the exact location is subject to change by Microsoft at any time).

For information about installing Microsoft Server 2008 R2, see http://technet.microsoft.com/en-us/library/dd379511(WS.10).aspx (the exact location is subject to change by Microsoft at any time).

Prerequisites for Installing CloudBridge Virtual Appliances on the Microsoft Hyper-V platform

Before you begin installing a virtual appliance, do the following:

• Enable the Hyper-V role on Windows Server 2008 R2 or 2012. For more information, see http://technet.microsoft.com/en-us/library/ee344837(WS.10).aspx (the exact location is subject to change by Microsoft at any time).

• Download the VPX setup files. If you do not have a My Citrix account, access the home page at http://www.mycitrix.com, click the New Users link, and follow the instructions to create a new My Citrix account.

To download the CloudBridge VPX setup files

1. In a Web browser, go to http://www.citrix.com/ and click My Citrix.

2. Type your user name and password.

3. Click Downloads.

4. In Search Downloads by Product, select NetScaler Branch Repeater.

5. Under Virtual Appliances, select and download the required CloudBridge VPX distribution.

6. Copy the compressed file to your server.

To configure virtual NICs on the CloudBridge VPX

1. Log on to the Windows Server as an Administrator, either at a keyboard or VGA console, or through a NIC that you plan to use for managing the virtual appliance (not at one of the ports that you will use for the accelerated bridge).

2. To start Hyper-V Manager, click Start, point to Administrative Tools, and then click Hyper-V Manager.

3. In the navigation pane, under Hyper-V Manager, select the server on which you want to install CloudBridge VPX.

4. On the Actions menu, click Virtual Network Manager…

5. In the Virtual Network Manager window, in the navigation pane, under Virtual Networks, click New virtual network.

6. Choose External as the type of virtual network, and then click Add.

7. Name the new virtual network as apA Network 1 and select the physical NIC to map it to.

8. Click OK to apply the changes.

9. The Apply Networking Changes popup displays a caution indicating that pending changes might disrupt network connectivity. Click Yes.

10. Repeat steps 5 to 9 for the second accelerated bridge port, but name it as apA Network 2 and connect it to a different physical port.

11. Click Apply to apply the networking changes.


Installing CloudBridge VPX on Microsoft Server by using Hyper-V Manager

After you have enabled the Hyper-V role on Microsoft Server and extracted the VPX files, you can use Hyper-V Manager to install CloudBridge VPX. After you import the virtual machine, you must configure the virtual NICs by associating them with the virtual networks created by Hyper-V. Based on the Microsoft server you are using, follow the procedure to complete the installation.

• Microsoft Server 2008 R2

• Microsoft Server 2012


Installing CloudBridge VPX on Microsoft Server 2008 R2

Performing the Installation Procedures

After you have enabled the Hyper-V role on Microsoft Server 2008 R2 and extracted the VPX files, you can use Hyper-V Manager to install CloudBridge VPX. After you import the virtual machine, you must configure the virtual NICs by associating them with the virtual networks created by Hyper-V.

Note: You cannot change any settings while the virtual appliance is running. Shut down the virtual appliance and then make changes.

To install CloudBridge VPX on Microsoft Server 2008 R2 by using Hyper-V Manager

1. Unzip the CloudBridge distribution that you downloaded from My Citrix.

2. Start Hyper-V Manager.

3. In the navigation pane, under Hyper-V Manager, select the server on which you want to install CloudBridge VPX.

4. On the Actions menu, click Virtual Switch Manager.

5. In the Import Virtual Machine dialog box, in Location, specify the path to the folder that contains the Branch VPX CloudBridge files.

Note: If you received a compressed file, make sure that you extract the files into a folder before you specify the path to the folder.

6. Click Import.

7. Verify that the virtual appliance that you imported is listed under Virtual Machines.

8. Right-click the imported virtual machine, and then click Settings.

9. In the Settings window’s navigation pane, under Hardware, select the first network adapter in the list.

Figure 1. Configuring Ethernet ports using Hyper-V Manager

10. In the Network drop down menu, select apA Network 1. This is the LAN interface for apA1.

11. Make sure the Enable spoofing of the MAC addresses box is selected. If it is not, select it and apply the changes.

12. In the Settings window's navigation pane, under Hardware, select the second network adapter in the list. Repeat step 10 and step 11, and assign the adapter to apA Network 2. This is the WAN interface for apA2.

Important: Do not configure the same Network for both the network adapters. Incorrect configuration creates packet loops, which can bring down the network.

13. Optionally, change the virtual hard disk size:

• In the Settings window navigation pane, under IDE Controller 0, select Hard Drive.

• Click Edit.


• Follow the steps in the Edit Virtual Hard Disk Wizard to increase the allocation to one of the supported sizes, using the Expand option in the wizard.

Figure 2. Configuring disk and RAM allocation

14. Optionally, change the memory size.

• In the Settings window's navigation pane, under Hardware, select Memory.

• Allocate the RAM space by adjusting the memory to one of the supported sizes.

• Click OK.

15. Optionally, define the management port.

• Right-click the virtual machine, and then click Settings.

• In the Settings window navigation pane, under Hardware, select Add Hardware.

• Select Network Adapter from the list of devices, and then click Add.

• Name the new virtual network as Primary Network 3.

• Make sure the Enable spoofing of MAC addresses check box is selected.

• Click OK to apply the changes.

16. Right-click the Branch Repeater VPX virtual machine and select Connect.


17. In the file menu, click Action, and then click Start to start the virtual machine.

Figure 3. Starting the VPX virtual machine

18. When a CloudBridge VPX virtual machine is started for the first time, it automatically starts the Deployment Wizard. This wizard asks questions about the deployment mode: Inline, WCCP, or PBR (virtual inline), or Setup Using Web UI. Select Setup Using Web UI. On the next screen, enter the IP, netmask, and gateway for the apA interface, and click Finish.

19. After CloudBridge VPX has restarted, log on to the browser-based UI (user name: admin, password: password) at the IP address that you assigned to apA, for example:

https://172.16.0.213

Additional Configuration

For additional configuration instructions, see the documentation for physical CloudBridge appliances.

Upgrading to a Previous Release

The software upgrade mechanism built into physical CloudBridge appliances is also supported by CloudBridge VPX. Alternatively, you can install a new virtual machine running the desired release.


Installing CloudBridge VPX on the Microsoft Server 2012

Performing the Installation Procedures

After you have enabled the Hyper-V role on Microsoft Server and extracted the VPX files, you can use Hyper-V Manager to install CloudBridge VPX. After you import the virtual machine, you must configure the virtual NICs by associating them with the virtual networks created by Hyper-V.

Note: You cannot change any settings while the virtual appliance is running. Shut down the virtual appliance and then make changes.

To install CloudBridge VPX on Microsoft Server 2012 by using Hyper-V Manager

1. Unzip the CloudBridge distribution that you downloaded from My Citrix.

2. Start Hyper-V Manager.

3. In the navigation pane, under Hyper-V Manager, select the server on which you want to install CloudBridge VPX.

4. On the Actions menu, click Import Virtual Machine.

5. In the Import Virtual Machine dialog box, in the Location box, specify the path to the folder that contains the CloudBridge VPX files.

Note: If you received a compressed file, make sure that you extract the files into a folder before you specify the path to the folder.

6. Click Import.

7. Verify that the virtual appliance that you imported is listed under Virtual Machines.

8. Right-click the imported virtual machine, and then click Settings.

9. In the Settings window’s navigation pane, under Hardware, select the first network adapter in the list.

10. In the Network drop down menu, select apA1 Network. This is the LAN interface for apA1.

11. Make sure the Enable MAC address spoofing box is selected. If it is not, select it and apply the changes.

12. In the Settings window's navigation pane, under Hardware, select the second network adapter in the list. Repeat step 10 and step 11, and assign the adapter to apA2 Network. This is the WAN interface for apA2.

Important: Do not configure the same Network for both the network adapters. Incorrect configuration creates packet loops, which can bring down the network.

13. Optionally, change the virtual hard disk size:

• In the Settings window navigation pane, under IDE Controller 0, select Hard Drive.

• Click Edit.

• Follow the steps in the Edit Virtual Hard Disk Wizard to increase the allocation to one of the supported sizes, using the Expand option in the wizard.

14. Optionally, change the memory size.

• In the Settings window's navigation pane, under Hardware, select Memory.

• Allocate the RAM space by adjusting the memory to one of the supported sizes.

• Click OK.

15. Optionally, define the management port.

• Right-click the virtual machine, and then click Settings.

• In the Settings window navigation pane, under Hardware, select Add Hardware.

• Select Network Adapter from the list of devices, and then click Add.

• Name the new virtual network as Primary Network 3.

• Make sure the Enable spoofing of MAC addresses check box is selected.

• Click OK to apply the changes.

16. Right-click the CloudBridge VPX virtual machine and select Connect.

17. In the file menu, click Action, and then click Start to start the virtual machine.

18. When a CloudBridge VPX virtual machine is started for the first time, it automatically starts the Deployment Wizard. This wizard asks questions about the deployment mode. Select Setup Using Web UI. On the next screen, enter the IP address, netmask, and gateway for the apA interface, and click Finish.

19. After CloudBridge VPX has restarted, log on to the browser-based UI (user name: admin, password: password) at the IP address that you assigned to apA, for example:

https://172.16.0.213

Additional Configuration

For additional configuration instructions, see the documentation for physical CloudBridge appliances.


Downgrading to a Previous Release

The software upgrade mechanism built into physical CloudBridge appliances is also supported by CloudBridge VPX. Alternatively, you can install a new virtual machine running the desired release.


Installing the CloudBridge Virtual Appliances on Amazon AWS

The CloudBridge VPX for Amazon AWS brings acceleration to the Amazon cloud.

Five variations are supported, four of which have hardwired licensing, and one of which uses ordinary CloudBridge licensing:

• 2 Mbps

• 10 Mbps

• 20 Mbps

• 45 Mbps

• “Bring your own license,” which uses a standard Citrix license to determine the licensed bandwidth.

Besides the hardwired licensing, the major difference between CloudBridge VPX for Amazon AWS and other CloudBridge VPX appliances is that it supports only a single port for both management and acceleration. This means that the appliance cannot be used in inline mode.

To create a CloudBridge VPX on Amazon AWS, you go through the same process as with creating any other instance, setting a few instance parameters to non-default settings.

Instantiating a CloudBridge Virtual Appliance (AMI) on AWS

To install a CloudBridge virtual appliance in an AWS VPC, you need an AWS account. You can create an AWS account at http://aws.amazon.com/. CloudBridge is available as an Amazon Machine Image (AMI) in AWS Marketplace.

Note: Amazon makes frequent minor changes to its AWS pages, so the following instructions may not be exact.

To instantiate a CloudBridge virtual appliance (AMI) on AWS

1. In a web browser, type http://aws.amazon.com/.

2. Click My Account/Console, and then click My Account to open the Amazon Web Services Sign in page.

3. Use your Amazon AWS account credentials to sign in. This will take you to the Amazon Web Services page.

4. Click EC2 in the Compute & Networking section, then click Launch Instance.

5. In the Create a New Instance dialog box, select AWS Marketplace, and then click Continue to open the Request Instance Wizard.

6. In the Request Instance Wizard dialog box, click the AWS Marketplace tab.

7. In the Search text field, type CloudBridge to search for the CloudBridge AMI, and click Search.


On the search result page, select one of the Citrix CloudBridge offerings. On the Citrix CloudBridge page, click Continue.

8. On the Launch with EC2 Console tab, click the Accept Terms button, if present, then click Launch with EC2 Console for the region where you want to launch Citrix CloudBridge AMI.


9. On the Request Instance Wizard page, type 1 in the Number of Instances text box, and from the Instance Type drop-down list, select Large (m1.large, 7.5GIB).

10. From the Subnet drop-down list, select the private network subnet, and then click Continue.

11. On the next page, in the Advanced Instance Options section, you can change values from their defaults if you choose, and then click Continue.

Note: CloudBridge AMI is not supported with more than one network interface. Therefore, the value of Number of Network Interfaces field is set to 1.


12. On the Request Instances Wizard page, enter a name for the EC2 instance in the Value text box, and then click Continue.

On the Request Instances Wizard page, select one of the three Key Pair options and then click Continue.

13. Verify the EC2 instance configuration details, and then click Launch to launch the EC2 instance.


14. Click Close to close the Launch Instance Wizard dialog box. The new EC2 instance is launched successfully.


Disabling the Source/Destination Check Feature

You must disable the Source/Destination check feature of CloudBridge AMI instance for it to work properly on AWS.

To disable the Source/Destination check feature

1. On the Amazon EC2 Console Dashboard page, in the navigation pane, click Instances. The new EC2 instance should appear in the My Instances list.

2. Select the new EC2 instance. The instance details appear in the EC2 Instances pane.

3. Right-click the new EC2 instance and then select Change Source/Dest Check from the popup menu.

4. In the Change Source / Dest. Check dialog box, click Yes, Disable to disable the feature.


Configuring SNMP Monitoring on the CloudBridge AMI on AWS

You must enable SNMP monitoring on the CloudBridge AMI on AWS. Also, you must grant SNMP monitoring access to the paired NetScaler VPX or CloudBridge Connector on AWS by adding its NSIP on the CloudBridge AMI instance.

To configure SNMP monitoring on the CloudBridge Connector AMI by using the CloudBridge graphical user interface

1. In the navigation pane, expand Configuration, and then click Logging/Monitoring.

2. In the details pane, click the SNMP tab.

3. In the System Information section, in the SNMP Status row, click Enable. This action enables SNMP monitoring on the CloudBridge AMI instance.

4. In the Access Configuration section, add SNMP monitoring access to CloudBridge VPX appliance by setting the following parameters:

• Community String (set to the string public)

• Management Station IP (set to the NSIP of the CloudBridge VPX on AWS)

5. Click Add.


Limitations and Usage Guidelines for CloudBridge AMI Instances on AWS

• High Availability setup for CloudBridge AMI instances is not supported.

• CloudBridge AMI instance in Group Mode is not supported.

• CloudBridge plug-ins are not supported.

• Tagged VLAN is not supported because of the inherent limitation of AWS.

• Traffic shaping is not supported.

• You may create only an m1.large CloudBridge AMI instance on AWS.

• IP address/gateway/subnet assignment using the CloudBridge management user interface is not supported.

• Console access is not available for CloudBridge AMI instance on AWS.

• While configuring the CloudBridge instance, you may not change the disk size, which has a default value of 250 GB. A higher capacity disk does not increase the available Disk Based Compression (DBC) cache size.


Supported Modes

Table 1. Features Table for Citrix CloudBridge VPX, and Citrix CloudBridge VPX for Amazon

Feature                             Citrix CloudBridge VPX    Citrix CloudBridge VPX for Amazon
AutoConfiguration                   N                         N
CloudBridge Plug-In                 Y                         N
Compression                         Y                         Y
RPC over HTTP                       Y                         Y
SSL Compression                     Y                         Y
TCP Acceleration                    Y                         Y
Traffic Shaping                     Y                         N
Video Caching                       N                         N
Windows File System Acceleration    Y                         Y
Windows Outlook Acceleration        Y                         Y
XenApp/XenDesktop Acceleration      Y                         Y
Group Mode                          N                         N
High Availability                   N                         N
Inline Mode                         Y                         Y**
Virtual Inline Mode                 Y                         N
WCCP Mode                           Y                         N
VLANs                               Y/Y/N***                  N

*Depends on configuration of user-provided hardware.

**See WAN Optimization for CloudBridge.

***The three values are for XenServer, VMware, and Hyper-V, respectively. In columns showing only one value, the value applies to all three hypervisors.


Features

Many administrators can configure CloudBridge by simply setting the parameters on the Quick Installation page, thus performing a complete basic configuration for acceleration and traffic shaping. This is especially true of branch-office installations. However, understanding the theory of operation of your appliance enables you to put it to optimal use, and some users need to look more deeply into how the appliance operates. For example, a simple inline configuration might not be the best fit for your network, or you might want to use features that are not enabled with the Quick Installation alone.

The appliance's fundamental purpose is to accelerate TCP traffic and to eliminate congestion by applying traffic shaping to all WAN traffic. In addition to these functions, the appliance supports several forwarding modes to move network data into and out of the appliance. One of these modes, inline mode, can be configured from the Quick Installation page. The others require configuration of the appliance, your router, or both.

Similarly, the Quick Installation page performs a basic configuration of traffic shaping functions, suitable for installations with a single WAN link. Additional configuration is necessary for multiple links, or if the default definitions for applications, service classes, or traffic shaping policies do not match your needs, in which case you can edit the definitions.

Many acceleration functions operate automatically, without configuration. These include TCP flow control acceleration, compression, Windows filesystem (CIFS) acceleration, Citrix XenApp/XenDesktop acceleration, and Outlook/Exchange (MAPI) acceleration. Other acceleration features require configuration before use, including secure peering, SSL acceleration, and advanced Windows file-system and Outlook/Exchange acceleration that depends on being a member of the Windows domain.


Compression

CloudBridge compression uses breakthrough technology to provide transparent multilevel compression. It is true compression that acts on arbitrary byte streams. It is not application-aware, is indifferent to connection boundaries, and can compress a string optimally the second time it appears in the data. CloudBridge compression works at any link speed.

The compression engine is very fast, allowing the speedup factor for compression to approach the compression ratio. For example, a bulk transfer monopolizing a 1.5 Mbps T1 link and achieving a 100:1 compression ratio can deliver a speedup ratio of almost 100x, or 150 Mbps, provided that the WAN bandwidth is the only bottleneck in the transfer. If the server hardware, the client hardware, the LAN, or the application are also bottlenecks, throughput is reduced to the speed of the slowest element in the chain. Protocols that spend time waiting for application-level handshaking also have speedup factors lower than the compression ratio, because the compressor can reduce the size of data but cannot do anything about the pauses between data.

Unlike with most compression methods, CloudBridge compression history is shared between connections. Data sent earlier by connection A can be referred to later by connection B in lieu of retransmitting the data. The resulting performance is much higher than can be achieved by conventional methods.

Large-history, multisession compression technology erases the distinction between "compressible" and "uncompressible" data. For example, a JPEG image is normally considered uncompressible, but if it is sent twice by two different connections, the second occurrence can be compressed by more than a 200:1 ratio. The entire image is replaced by a pointer referring to the data in the receiving appliance's compression history.

Only payload data is compressed. However, headers are compressed indirectly. Forexample, if a connection achieves 4:1 compression, only one full-sized output packet is sentfor every four full-sized input packets. Thus, the amount of header data is also reduced by4:1.

Compression makes good use of lossless flow control. A run of compressible data mightreduce 200 input packets to one output packet. This packet might be followed by data thatis not compressed successfully, and is sent as literal data. With flow control, the TCPsender (the origin host) can be told to speed up or slow down by 200:1 almost instantly,allowing the link to be kept full at all compression ratios. Ordinary TCP speeds up and slowsdown far too slowly to take full advantage of the speedup opportunity presented by theintermittently reduced bandwidth load created by compression.

Like most acceleration features, compression requires virtually no configuration. It can beenabled or disabled (on a global, per-port, or per-address basis), but there are no actualcompression parameters to configure. Compression self-adjusts to the current traffic load.

Compression can use the appliance's disk as well as memory, providing up to 600 GB ofcompression history.

How Compression Works

CloudBridge appliances use multiple compression engines, including memory based compression for more interactive data, and disk based compression for bulk data. With CloudBridge compression, almost all data is compressible.

Memory Based Compression

An appliance can transparently compress all of the accelerated sessions passing between two compression-enabled appliances. A very large compression history kept in RAM provides high compression ratios at high link rates.

This persistence of data also blurs the distinction between "compressible" and "uncompressible" data. The only data that is technically uncompressible is data that never recurs over the lifetime of the compression history. Such data includes one-time encrypted traffic such as SSH data streams, but not pre-compressed files such as JPEG images and ZIP files. As long as a bit stream is sent more than once over the lifetime of the compression history (which is more than a gigabyte on most appliances), the second and subsequent occurrences are compressed.

Other than enabling and disabling disk or memory compression on the Configuration: Service Classes page, there are no parameters to be set. Additional parameters would be superfluous, because much better results are obtained through dynamic self-adjustment than could be attained through static configuration.

Some benefit can be obtained by disabling compression on ports that are known to carry encrypted data streams, such as HTTPS and SSH. The default service-class definitions do so.

Compression involves pointers to previously encountered data segments, interspersed with new segments. The latter are sent as literal data. The pointers to previously encountered data are small, no more than a few bytes. Reducing long runs of data to a few bytes is what allows compression to reduce the amount of data on the WAN.

The link generally runs at full capacity with compression enabled, provided that the endpoint senders and receivers can keep up. For compressible data, compression ratios of 200:1 are not unusual. This ratio gives a T1 link an effective speed of 300 Mbps for the duration of the compression "hit," which can be megabytes in length. This rate is higher than the sustainable I/O rate of many endpoint systems.

A compression-enabled appliance can communicate with any number of other appliances simultaneously. Any of those appliances can support or not support compression.

Disk Based Compression

Disk based compression can recognize a redundant data string of virtually any length and reduce it to a handful of bytes. Compression history varies by appliance model, from a minimum of 128 GB on a CloudBridge appliance to a maximum of 600 GB on a Repeater 8800 appliance.

For example, if a user were to download a set of Linux distribution disks over an accelerated T1 link, and another user downloaded them days, weeks, or even months later, the second copy would still be in the appliance's compression history and would download at several hundred megabits per second.

Disk based compression is not caching, which can serve stale, out-of-date data, but is true compression, fetched on demand from the endpoint server.

Disk based compression saves selected data streams to disk on both the sending and receiving appliances. Fingerprints of this data (based on a hashing function) are retained in memory. These fingerprints also identify potential matches with data already on the disk. The sending appliance receives data from the endpoint sender, fetches the potentially matching data from the disk, and verifies it by matching each byte against the incoming data stream. Identical strings are reduced to tokens containing the disk identifier, offset, and length of the match. The receiving appliance retrieves this data from the matching copy on its own disk.

(Some compression schemes assume that identical fingerprints indicate identical data, which is not always true. The appliance always verifies every byte of a potential match.)
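The fingerprint lookup, byte-for-byte verification, and (offset, length) tokens described above can be shown in Python. This is an added example, not Citrix's implementation; the chunk size, token size, fingerprint functions, and sample data are constructed assumptions. It also shows what goes wrong when a scheme trusts a fingerprint match without verifying the bytes.

```python
import hashlib

CHUNK = 64        # constructed value; the page does not state the real segment size
TOKEN_BYTES = 12  # constructed wire size of one (offset, length) token

def strong_fp(chunk):
    return hashlib.sha256(chunk).digest()[:8]

def weak_fp(chunk):
    # Deliberately collision-prone fingerprint, used only to exercise verification.
    return sum(chunk) % 251

class History:
    """Compression history shared by all connections; both peers keep identical copies."""
    def __init__(self, fp=strong_fp):
        self.store = bytearray()   # stands in for the on-disk history
        self.index = {}            # in-memory fingerprint -> offsets into store
        self.fp = fp

    def remember(self, data):
        base = len(self.store)
        self.store += data
        for off in range(0, len(data) - CHUNK + 1, CHUNK):
            key = self.fp(bytes(data[off:off + CHUNK]))
            self.index.setdefault(key, []).append(base + off)

    def find(self, data, i, verify):
        chunk = data[i:i + CHUNK]
        if len(chunk) < CHUNK:
            return None
        for off in self.index.get(self.fp(chunk), []):
            if not verify:
                return off, CHUNK          # trusts the fingerprint blindly
            if self.store[off:off + CHUNK] != chunk:
                continue                   # collision: same fingerprint, different bytes
            n = CHUNK                      # verified; extend the match byte by byte
            while (i + n < len(data) and off + n < len(self.store)
                   and self.store[off + n] == data[i + n]):
                n += 1
            return off, n
        return None

def encode(history, data, verify=True):
    """Sender side: emit literal runs and references into the shared history."""
    tokens, literal, i = [], bytearray(), 0
    while i < len(data):
        hit = history.find(data, i, verify)
        if hit:
            if literal:
                tokens.append(("lit", bytes(literal)))
                literal = bytearray()
            tokens.append(("ref", hit[0], hit[1]))
            i += hit[1]
        else:
            literal.append(data[i])
            i += 1
    if literal:
        tokens.append(("lit", bytes(literal)))
    history.remember(data)
    return tokens

def decode(history, tokens):
    """Receiver side: resolve references against its own copy of the history."""
    out = bytearray()
    for tok in tokens:
        out += tok[1] if tok[0] == "lit" else history.store[tok[1]:tok[1] + tok[2]]
    history.remember(bytes(out))
    return bytes(out)

def wire_size(tokens):
    return sum(len(t[1]) if t[0] == "lit" else TOKEN_BYTES for t in tokens)

def demo():
    # Constructed 4096-byte high-entropy payload standing in for a JPEG image.
    image = b"".join(hashlib.sha256(bytes([n])).digest() for n in range(128))
    tx, rx = History(), History()
    first = encode(tx, image)          # connection A: nothing in history yet
    decode(rx, first)
    second = encode(tx, image)         # connection B: same bytes, different connection
    roundtrip = decode(rx, second) == image
    # Two different chunks that collide under weak_fp.
    a, b = b"AB" * 32, b"BA" * 32
    intact = {}
    for verify in (True, False):
        tx, rx = History(weak_fp), History(weak_fp)
        decode(rx, encode(tx, a))
        intact[verify] = decode(rx, encode(tx, b, verify=verify)) == b
    return {"first_pass_bytes": wire_size(first),
            "second_pass_bytes": wire_size(second),
            "second_pass_roundtrip": roundtrip,
            "collision_verified_ok": intact[True],
            "collision_unverified_ok": intact[False]}

if __name__ == "__main__":
    print(demo())
```

Without verification the receiver silently reconstructs the wrong bytes and the two histories diverge from that point on, which is why a verified match is an integrity control and not only an optimization.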

Almost Everything is Compressible

Consider an example of CloudBridge compression in which a 100 GB database is copied from one office to another at weekly intervals, and the average week shows a 1% change in the data. Disk based compression can easily reduce this 100 GB transfer to 1 GB (transferring only the differences), and probably to less than 1 GB if the differences are not completely random. Practically everything is compressible. The only exception is data that is essentially random and never recurs. Encrypted data streams and live, compressed video streams are the only common examples of such data.

The combination of automatic optimization and "everything is compressible" results in almost no user-accessible compression options. You can select between no compression, memory compression only, and disk+memory compression in the Service Class rules, but you can leave disk+memory compression enabled for all streams that are not encrypted.

Enabling or Disabling Compression

Compression is enabled, on a per-service-class basis, on the Configuration: Service Classes page. This page has a pull-down menu for each service class, with the following options:

• Disk, meaning that both disk based and memory based compression are enabled. This option should be selected unless you have a specific reason for disabling it.

• Memory, meaning that memory based compression is enabled but disk based compression is not. This setting is rarely used, because the appliance automatically selects memory or disk if both types of compression are enabled.

• Flow-Control Only, which disables compression but enables flow-control acceleration. Select this option for services that are always encrypted, and for the FTP control channel.

• None, meaning that compression and flow-control are both disabled.

Measuring Disk Based Compression Performance

The Compression Status tab of the Reports: Compression page reports the system compression performance since the system was started or since the Clear button was used to reset the statistics. Compression for individual connections is reported in the connection closure messages in the system log. For example:

Compression performance varies with a number of factors, including the amount of redundancy in the data stream and, to a lesser extent, the structure of the data protocol.

Some applications, such as FTP, send pure data streams; the TCP connection payload is always byte-for-byte identical to the original data file. Others, such as CIFS or NFS, do not send pure data streams, but mix commands, metadata, and data in the same stream. The compression engine distinguishes the file data by parsing the connection payload in real time. Such data streams can easily produce compression ratios between 100:1 and 10,000:1 on the second pass.

Average compression ratios for the link depend on the relative prevalence of long matches, short matches, and no matches. This ratio is dependent on the traffic and is difficult to predict in practice.

Test results show the effect of multi-level compression as a whole, with memory based and disk based compression each making its contribution.

Maximum compression performance is not achieved until the storage space available for disk based compression is filled, providing a maximum amount of previous data to match with new data. In a perfect world, testing would not conclude until the appliance's disks had not only been filled, but filled and overwritten at least once, to ensure that steady-state operation has been reached. However, few administrators have that much representative data at their disposal.

Another difficulty in performance testing is that acceleration often exposes weak links in the network, typically in the performance of the client, the server, or the LAN, and these are sometimes misdiagnosed as disappointing acceleration performance.

You can use Iperf or FTP for preliminary and initial testing. Iperf is useful for preliminary testing. It is extremely compressible (even on the first pass) and uses relatively little CPU and no disk resources on the two endpoint systems. Compressed performance with Iperf should send more than 200 Mbps over a T1 link if the LANs on both sides use Gigabit Ethernet, or slightly less than 100 Mbps if there is any Fast Ethernet equipment in the LAN paths between endpoints and appliances.

Iperf is preinstalled on the appliances (under the Diagnostics menu) and is available from http://iperf.sourceforge.net/. Ideally, it should be installed and run from the endpoint systems, so that the network is tested from end to end, not just from appliance to appliance.

FTP is useful for more realistic testing than is possible with Iperf. FTP is simple and familiar, and its results are easy to interpret. Second-pass performance should be roughly the same as with Iperf. If not, the limiting factor is probably the disk subsystem on one of the endpoint systems.

To test the disk based compression system

1. Transfer a multiple-gigabyte data stream between two appliances with disk based compression enabled. Note the compression achieved during this transfer. Depending on the nature of the data, considerable compression may be seen on the first pass.

2. Transfer the same data stream a second time and note the effect on compression.

CloudBridge Connector

The CloudBridge Connector feature of the Citrix appliance connects enterprise datacenters to external clouds and hosting environments, making the cloud a secure extension of your enterprise network. Cloud-hosted applications appear as though they are running on one contiguous enterprise network. With Citrix CloudBridge Connector, you can augment your datacenters with the capacity and efficiency available from cloud providers.

The CloudBridge Connector enables you to move your applications to the cloud to reduce costs and increase reliability.

In addition to using CloudBridge Connector between a datacenter and a cloud, you can use it to connect two datacenters for a high-capacity secure and accelerated link.

Understanding CloudBridge Connector

To implement the Citrix CloudBridge Connector solution, you connect a datacenter to another datacenter or an external cloud by setting up a tunnel called the CloudBridge Connector tunnel.

To connect a datacenter to another datacenter, you set up a CloudBridge Connector tunnel between two appliances, one in each datacenter.

To connect a datacenter to an external cloud (for example, Amazon AWS cloud), you set up a CloudBridge Connector tunnel between an appliance in the datacenter and a virtual appliance (VPX) that resides in the cloud. The remote end point can be a CloudBridge Connector or a NetScaler VPX with platinum license.

The following illustration shows a CloudBridge Connector tunnel set up between a datacenter and an external cloud.

The appliances between which a CloudBridge Connector tunnel is set up are called the endpoints or peers of the CloudBridge Connector tunnel.

A CloudBridge Connector tunnel uses the following protocols:

• Generic Routing Encapsulation (GRE) protocol

• Open-standard IPSec Protocol suite, in transport mode

The GRE protocol provides a mechanism for encapsulating packets, from a wide variety of network protocols, to be forwarded over another protocol. GRE is used to:

• Connect networks running non-IP and non-routable protocols.

• Bridge across a wide area network (WAN).

• Create a transport tunnel for any type of traffic that needs to be sent unchanged across a different network.

The GRE protocol encapsulates packets by adding a GRE header and a GRE IP header to the packets.

The Internet Protocol security (IPSec) protocol suite secures communication between peers in the CloudBridge Connector tunnel.

In a CloudBridge Connector tunnel, IPSec ensures:

• Data integrity

• Data origin authentication

• Data confidentiality (encryption)

• Protection against replay attacks

IPSec uses the transport mode, in which the GRE encapsulated packet is encrypted. The encryption is done by the Encapsulating Security Payload (ESP) protocol. The ESP protocol ensures the integrity of the packet by using an HMAC hash function, and ensures confidentiality by using an encryption algorithm. After the packet is encrypted and the HMAC is calculated, an ESP header is generated. The ESP header is inserted after the GRE IP header, and an ESP trailer is inserted at the end of the encrypted payload.

Peers in the CloudBridge Connector tunnel use the Internet Key Exchange version (IKE) protocol (part of the IPSec protocol suite) to negotiate secure communication, as follows:

• The two peers mutually authenticate with each other, using one of the following authentication methods:

• Pre-shared key authentication. A text string called a pre-shared key is manually configured on each peer. The pre-shared keys of the peers are matched against each other for authentication. Therefore, for the authentication to be successful, you must configure the same pre-shared key on each of the peers.

• Digital certificates authentication. The initiator (sender) peer signs message interchange data by using its private key, and the other receiver peer uses the sender's public key to verify the signature. Typically, the public key is exchanged in messages containing an X.509v3 certificate. This certificate provides a level of assurance that a peer's identity as represented in the certificate is associated with a particular public key.

• The peers then negotiate to reach agreement on:

• An encryption algorithm.

• Cryptographic keys for encrypting data in one peer and decrypting the data in the other.

This agreement upon the security protocol, encryption algorithm and cryptographic keys is called a Security Association (SA). SAs are one-way (simplex). For example, when two peers, CB1 and CB2, are communicating through a Connector tunnel, CB1 has two Security Associations. One SA is used for processing out-bound packets, and the other SA is used for processing inbound packets.

SAs expire after a specified length of time, which is called the lifetime. The two peers use the Internet Key Exchange (IKE) protocol (part of the IPSec protocol suite) to negotiate new cryptographic keys and establish new SAs. The purpose of the limited lifetime is to prevent attackers from cracking a key.
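The receive-side checks that follow from the properties above (one-way SAs, HMAC integrity, replay protection, limited lifetime) can be made concrete in Python. This is an added example, not NetScaler code: SPI values, keys, window size, and lifetime are constructed assumptions, and encryption of the GRE payload is left out because Python's standard library has no AES, so only the integrity, anti-replay, and lifetime handling of an ESP-style packet is shown.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA1 truncated to 96 bits, as ESP does with HMAC-SHA1 (RFC 2404)
WINDOW = 64    # anti-replay window in packets (constructed value)

class OutboundSA:
    """Sending half of one simplex SA: adds SPI, sequence number, and ICV."""
    def __init__(self, spi, auth_key):
        self.spi, self.key, self.seq = spi, auth_key, 0

    def protect(self, gre_packet):
        self.seq += 1
        body = struct.pack("!II", self.spi, self.seq) + gre_packet
        return body + hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]

class InboundSA:
    """Receiving half: lifetime, SPI, replay window, then ICV verification."""
    def __init__(self, spi, auth_key, lifetime_s, created):
        self.spi, self.key = spi, auth_key
        self.expires = created + lifetime_s
        self.highest, self.bitmap = 0, 0   # bit n set => (highest - n) already seen

    def accept(self, packet, now):
        if now >= self.expires:
            return "sa-expired", None      # peers must negotiate a new SA via IKE
        if len(packet) < 8 + ICV_LEN:
            return "malformed", None
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return "unknown-spi", None
        if seq == 0:
            return "malformed", None
        behind = self.highest - seq
        if behind >= WINDOW:
            return "too-old", None
        if behind >= 0 and (self.bitmap >> behind) & 1:
            return "replay", None
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "bad-icv", None
        # Only an authenticated packet may move the window.
        if behind < 0:
            self.bitmap = ((self.bitmap << -behind) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << behind
        return "ok", body[8:]

def demo():
    # Constructed keys and SPIs; CB1 and CB2 are the peer names used in the text.
    key_12, key_21 = b"constructed-key-CB1-to-CB2", b"constructed-key-CB2-to-CB1"
    cb1_out, cb2_in = OutboundSA(0x1001, key_12), InboundSA(0x1001, key_12, 3600, 0)
    cb2_out, cb1_in = OutboundSA(0x2002, key_21), InboundSA(0x2002, key_21, 3600, 0)
    p1, p2, p3, p4 = (cb1_out.protect(b"GRE|request-%d" % n) for n in range(1, 5))
    # Flip one bit in the last payload byte of p4, leaving the ICV untouched.
    forged = p4[:-ICV_LEN - 1] + bytes([p4[-ICV_LEN - 1] ^ 1]) + p4[-ICV_LEN:]
    return [
        cb2_in.accept(p1, 10)[0],                                   # in order
        cb2_in.accept(p3, 11)[0],                                   # gap, still new
        cb2_in.accept(p2, 12)[0],                                   # late but inside window
        cb2_in.accept(p2, 13)[0],                                   # same packet again
        cb2_in.accept(forged, 14)[0],                               # modified in transit
        cb2_in.accept(p4, 15)[0],                                   # genuine p4 still accepted
        cb1_in.accept(p4, 16)[0],                                   # wrong direction's SA
        cb1_in.accept(cb2_out.protect(b"GRE|response"), 17)[0],     # reply uses the other SA
        cb2_in.accept(cb1_out.protect(b"GRE|late"), 3600)[0],       # lifetime reached
    ]

if __name__ == "__main__":
    print(demo())
```

Because the window is updated only after the ICV verifies, the forged copy of packet 4 does not block the genuine one.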

Configuring CloudBridge Connector Tunnel between two Datacenters

You can configure a CloudBridge Connector tunnel between two different datacenters to extend your network without reconfiguring it, and leverage the capabilities of the two datacenters. Having a CloudBridge Connector tunnel configured between the two geographically separated datacenters enables you to implement redundancy and safeguard your setup from failure. The CloudBridge Connector tunnel helps achieve optimal utilization of infrastructure and resources across two datacenters. The applications available across the two datacenters appear as local to the user.

To connect a datacenter to another datacenter, you set up a CloudBridge Connector tunnel between a NetScaler appliance that resides in one datacenter and another NetScaler appliance that resides in the other datacenter.

As an illustration of a CloudBridge Connector tunnel between two different datacenters, consider an example in which a CloudBridge Connector tunnel is set up between NetScaler appliance NS_Appliance-1 in datacenter DC1 and NetScaler appliance NS_Appliance-2 in datacenter DC2.

Both NS_Appliance-1 and NS_Appliance-2 function in L2 and L3 mode. They enable communication between private networks in datacenters DC1 and DC2. In L3 mode, NS_Appliance-1 and NS_Appliance-2 enable communication between client CL1 in the datacenter DC1 and server S1 in the datacenter DC2 through the CloudBridge Connector tunnel. Client CL1 and server S1 are on different private networks.

Because client CL1 and server S1 are on different private networks, L3 mode is enabled on NS_Appliance-1 and NS_Appliance-2 and routes are updated as follows:

• CL1 has a route to NS_Appliance-1 for reaching S1

• NS_Appliance-1 has a route to NS_Appliance-2 for reaching S1

• S1 should have a route to NS_Appliance-2 for reaching CL1

• NS_Appliance-2 has a route to NS_Appliance-1 for reaching CL1

The following table lists the settings on NetScaler appliance NS_Appliance-1 in datacenter DC1.

Entity Name Details

The NSIP address 66.165.176.12

SNIP address 66.165.176.15

CloudBridge Connector tunnel Cloud_Connector_DC1-DC2

• Local endpoint IP address of the CloudBridge Connector tunnel = 66.165.176.15

• Remote endpoint IP address of the CloudBridge Connector tunnel = 168.63.252.133

GRE Tunnel Details

• Name = Cloud_Connector_DC1-DC2

IPSec Profile Details

• Name = Cloud_Connector_DC1-DC2

• Encryption algorithm = AES

• Hash algorithm = HMAC SHA1

The following table lists the settings on NetScaler appliance NS_Appliance-2 in datacenter DC2.

Entity Name Details

The NSIP address 168.63.252.131

SNIP address 168.63.252.133

CloudBridge Connector tunnel Cloud_Connector_DC1-DC2

• Local endpoint IP address of the CloudBridge Connector tunnel = 168.63.252.133

• Remote endpoint IP address of the CloudBridge Connector tunnel = 66.165.176.15

GRE Tunnel Details

• Name = Cloud_Connector_DC1-DC2

IPSec Profile Details

• Name = Cloud_Connector_DC1-DC2

• Encryption algorithm = AES

• Hash algorithm = HMAC SHA1

Following is the traffic flow in the CloudBridge Connector tunnel:

1. Client CL1 sends a request to server S1.

2. The request reaches NetScaler appliance NS_Appliance-1.

3. NS_Appliance-1 checks its routing table and finds that the destination IP address of the request packet belongs to a subnet in datacenter DC2. The appliance decides to forward the packet to be sent across the CC-DC1-DC2 tunnel.

4. NS_Appliance-1 uses the GRE protocol to encapsulate each of the request packets by adding a GRE header and a GRE IP header to the packet. The GRE IP header has the destination IP address set to the IP address of the CloudBridge tunnel (CC-DC1-DC2) end point on the DC2 side. This IP address is a public SNIP address configured on the NetScaler instance running on the NetScaler appliance NS_Appliance-2.

5. For CloudBridge Connector tunnel CC-DC1-DC2, NS_Appliance-1 checks the stored IPSec security association (SA) parameters for processing outbound packets, as agreed between NS_Appliance-1 and NS_Appliance-2. The IPSec Encapsulating Security Payload (ESP) protocol in NS_Appliance-1 uses these SA parameters for outbound packets, to encrypt the payload of the GRE encapsulated packet.

6. The ESP protocol ensures the packet's integrity and confidentiality by using the HMAC hash function and the encryption algorithm specified for the CloudBridge Connector tunnel CC-DC1-DC2. The ESP protocol, after encrypting the GRE payload and calculating the HMAC, generates an ESP header and an ESP trailer and inserts them before and at the end of the encrypted GRE payload, respectively.

7. The resulting packet is sent to NS_Appliance-2.

8. NS_Appliance-2 checks the stored IPSec security association (SA) parameters for processing inbound packets, as agreed between NS_Appliance-1 and NS_Appliance-2 for the CloudBridge Connector tunnel CC-DC1-DC2. The IPSec ESP protocol on NS_Appliance-2 uses these SA parameters for inbound packets, and the ESP header of the request packet, to decrypt the packet.

9. NS_Appliance-2 then decapsulates the packet by removing the GRE header.

10. The resulting packet is the same packet as the one received by NS_Appliance-1 in step 2. This packet has the destination IP address set to the IP address of server S1. NS_Appliance-2 forwards this packet to server S1.

11. S1 processes the request packet and sends out a response packet. The destination IP address in the response packet is the IP address of client CL1, and the source IP address is the IP address of server S1.

12. The response packet reaches NS_Appliance-2.

13. NS_Appliance-2 encapsulates and encrypts the response packet in the same way that NS_Appliance-1 did with the request packet in steps 3-6.

14. NS_Appliance-2 sends the resulting packet to NS_Appliance-1.

15. NS_Appliance-1, upon receiving the packet from NS_Appliance-2, decrypts and decapsulates the packet in the same way that NS_Appliance-2 did with the request packet in steps 9-11.

Configuring CloudBridge Connector between Datacenter and AWS Cloud

You can configure a CloudBridge Connector tunnel between a datacenter and AWS cloud to leverage the infrastructure and computing capabilities of the data center and the AWS cloud. With AWS, you can extend your network without initial capital investment or the cost of maintaining the extended network infrastructure. You can scale your infrastructure up or down, as required. For example, you can lease more server capabilities when the demand increases.

To connect a datacenter to AWS cloud, you set up a CloudBridge Connector tunnel between a NetScaler appliance that resides in the datacenter and a NetScaler virtual appliance (VPX) that resides in AWS cloud.

As an illustration of a CloudBridge Connector tunnel between a datacenter and Amazon AWS cloud, consider an example in which a CloudBridge Connector tunnel is set up between NetScaler appliance NS_Appliance-DC, in datacenter DC, and NetScaler virtual appliance (VPX) NS_VPX_Appliance-AWS.

Both NS_Appliance-DC and NS_VPX_Appliance-AWS function in L3 mode. They enable communication between private networks in datacenter DC and the AWS cloud. NS_Appliance-DC and NS_VPX_Appliance-AWS enable communication between client CL1 in datacenter DC and server S1 in the AWS cloud through the CloudBridge Connector tunnel. Client CL1 and server S1 are on different private networks.

Note: AWS does not support L2 mode, hence it is necessary to have only L3 mode enabled on both the endpoints.

For proper communication between CL1 and S1, L3 mode is enabled on NS_Appliance-DC and NS_VPX_Appliance-AWS and routes are updated as follows:

• CL1 has a route to NS_Appliance-DC for reaching S1

• NS_Appliance-DC has a route to NS_VPX_Appliance-AWS for reaching S1

• S1 should have a route to NS_VPX_Appliance-AWS for reaching CL1

• NS_VPX_Appliance-AWS has a route to NS_Appliance-DC for reaching CL1

The following table lists the settings on NetScaler appliance NS_Appliance-DC in datacenter DC.

Entity Name Details

The NSIP address 66.165.176.12

SNIP address 66.165.176.15

CloudBridge Connector tunnel CC_Tunnel_DC-AWS

• Local endpoint IP address of the CloudBridge Connector tunnel = 66.165.176.15

• Remote endpoint IP address of the CloudBridge Connector tunnel = 168.63.252.133

GRE Tunnel Details

• Name = CC_Tunnel_DC-AWS

IPSec Profile Details

• Name = CC_Tunnel_DC-AWS

• Encryption algorithm = AES

• Hash algorithm = HMAC SHA1

The following table lists the settings on NetScaler VPX NS_VPX_Appliance-AWS on AWS cloud.

Entity Name Details

NSIP address 10.102.25.30

Public EIP address mapped to the NSIP address 168.63.252.131

SNIP address 10.102.29.30

Public EIP address mapped to the SNIP address 168.63.252.133

CloudBridge Connector tunnel CC_Tunnel_DC-AWS

• Local endpoint IP address of the CloudBridge Connector tunnel = 168.63.252.133

• Remote endpoint IP address of the CloudBridge Connector tunnel = 66.165.176.15

GRE Tunnel Details

• Name = CC_Tunnel_DC-AWS

IPSec Profile Details

• Name = CC_Tunnel_DC-AWS

• Encryption algorithm = AES

• Hash algorithm = HMAC SHA1

Prerequisites

Before setting up a CloudBridge Connector tunnel, verify that the following tasks have been completed:

1. Install, configure, and launch an instance of NetScaler Virtual appliance (VPX) on AWS cloud.

2. Deploy and configure a NetScaler physical appliance, or provision and configure a NetScaler virtual appliance (VPX) on a virtualization platform in the datacenter.

3. Make sure that the CloudBridge Connector tunnel end-point IP addresses are accessible to each other.

NetScaler CloudBridge VPX License

After the initial instance launch, NetScaler CloudBridge VPX for AWS requires a license. If you are bringing your own license (BYOL), see the VPX Licensing Guide at: http://support.citrix.com/article/CTX122426.

You have to:

1. Use the licensing portal within MyCitrix to generate a valid license.

2. Upload the license to the instance.

If this is a paid marketplace instance, then you do not need to install a license. The correct feature set and performance will activate automatically.

Installing NetScaler VPX on AWS

You can now launch an instance of Citrix® NetScaler VPX within Amazon Web Services (AWS). NetScaler VPX is available as an Amazon Machine Image (AMI) in AWS marketplace. NetScaler VPX on AWS enables customers to leverage AWS Cloud computing capabilities and use NetScaler load balancing and traffic management features for their business needs. NetScaler on AWS supports all the traffic management features of a physical NetScaler appliance. NetScaler instances running in AWS can be deployed as standalone instances or in HA pairs.

How NetScaler VPX on AWS Works

AWS offers different types of web services, such as Amazon Simple Storage Service (S3), Amazon Elastic Compute Cloud (EC2), and Amazon Virtual Private Cloud (VPC). Amazon VPC allows you to run AWS resources (for example, EC2 instances) in a private, virtual network. Amazon EC2 instances are available as instance types that map to hardware archetypes on the basis of factors such as number of EC2 Compute Units (ECU), number of virtual cores, and memory size.

The NetScaler VPX AMI is packaged as an EC2 instance that is launched within an AWS VPC. The VPX AMI instance requires a minimum of 2 virtual CPUs and 2 GB of memory. An EC2 instance launched within an AWS VPC can also provide the multiple interfaces, multiple IP addresses per interface, and public and private IP addresses needed for VPX configuration. Currently, on Amazon AWS, VPX can be launched only within a VPC, because each VPX instance requires at least three IP addresses. (Although VPX on AWS can be implemented with one or two elastic network interfaces, Citrix recommends three network interfaces for a standard VPX on AWS installation.) AWS currently makes multi-IP functionality available only to instances running within an AWS VPC. A VPX instance in a VPC can be used to load balance servers running in EC2 instances.

An Amazon VPC allows you to create and control a virtual networking environment, including your own IP address range, subnets, route tables, and network gateways.

Note: By default, you can create up to 5 VPC instances per AWS region for each AWS account. You can request higher VPC limits by submitting Amazon's request form (http://aws.amazon.com/contact-us/vpc-request/).

VPX on AWS Architecture

An EC2 instance of NetScaler VPX (AMI image) is launched within the AWS VPC. The following figure shows a typical VPX on AWS deployment.

Figure 1. VPX on AWS Architecture

The figure shows a simple topology of an AWS VPC with a NetScaler VPX deployment. The AWS VPC has:

1. A single Internet gateway to route traffic in and out of the VPC.

2. Network connectivity between the Internet gateway and the Internet.

3. Three subnets, one each for management, client, and server.

4. Network connectivity between the Internet gateway and the two subnets (management and client).

5. A single NetScaler VPX deployed within the VPC. The VPX instance has three Elastic Network Interfaces (ENIs), one attached to each subnet.

Supported EC2 instances

The NetScaler AMI can be launched on any of the following EC2 instance types:

• m1.large

• m1.xlarge

• m3.large

• m3.xlarge

• m3.2xlarge

For more information about Amazon EC2 instances, see: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/instance-types.html

ENI Support

The following table lists the EC2 instance types and corresponding number of supported ENIs and number of private IP addresses per ENI.

Table 1. EC2 Support for ENIs and IP Addresses

Instance Name    Number of ENIs    Private IP Addresses per ENI
m1.large         3                 10
m1.xlarge        4                 15
m3.large         3                 10
m3.xlarge        4                 15
m3.2xlarge       4                 30

Limitations and Usage Guidelines

• The clustering feature is not supported for VPX.

• For HA to work as expected, associate an EIP with the NSIP.

• Data traffic and management traffic should be segregated by using ENIs belonging to two different subnets.

• Only the NSIP address should be present on the management ENI.

• To send traffic to VIPs, you must configure either Policy Based Routes (PBR) or MAC Based Forwarding (MBF) on VPX.

• A VPX instance can be moved from one EC2 instance type to another (for example, from m1.large to an m1.xlarge, or from m3.large to an m3.xlarge).

• For storage options for VPX on AWS, Citrix recommends EBS, because it is durable and the data is available even after it is detached from the instance.

• Dynamic addition of ENIs to VPX is not supported. You have to restart the VPX instance to apply the update. Citrix recommends that you stop the standalone or HA instance, attach the new ENI, and then restart the instance.

• You can assign multiple IP addresses to an ENI. The maximum number of IP addresses per ENI is determined by the EC2 instance type; see EC2 Support for ENIs and IP Addresses.

• Citrix recommends that you avoid using the enable and disable interface commands on NetScaler VPX interfaces.

• Due to Amazon AWS limitations, these features are not supported:

• IPv6

• Gratuitous ARP (GARP)

• L2 mode

• Tagged VLAN

• Dynamic Routing

• Virtual MAC (VMAC)


Launching the NetScaler VPX for AWS AMI

You can launch a Citrix NetScaler VPX AMI within an Amazon Web Services (AWS) Virtual Private Cloud (VPC) in one of the following ways:

1. Using the Amazon GUI and CLI toolkit.

2. Using a Citrix authored CloudFormation template.

3. Using the Amazon 1-Click launch.

Note: The following are the default administrator credentials to access a NetScaler VPX instance:

• Username—nsroot

• Password—The default password for the nsroot account is set to the AWS instance-ID of the NetScaler VPX instance. For a high availability configuration between two NetScaler VPX instances, the nsroot password of the secondary node is set to that of the primary node after the HA configuration synchronization.


Launching NetScaler VPX for AWS by Using the Amazon GUI and CLI toolkit

To launch a NetScaler VPX AMI within an Amazon Web Services (AWS) Virtual Private Cloud (VPC) by using the Amazon GUI and CLI toolkit, you need:

• An AWS account

• An AWS Virtual Private Cloud (VPC)

• The AWS API toolkit (if creating a VPX instance with three or more ENIs).

• An IAM account

Creating an AWS Account

To launch a NetScaler VPX AMI in an Amazon Web Services (AWS) Virtual Private Cloud (VPC), you need an AWS account. You can create an AWS account for free at www.aws.amazon.com.

Creating an AWS Virtual Private Cloud (VPC)

Citrix recommends at least three IP addresses for a NetScaler instance. Currently, the only support that AWS provides for instances with multiple IP addresses is for instances within an AWS VPC.

To create an AWS VPC, first launch the AWS GUI console. For instructions for using the AWS GUI console, see http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide/GetStarted.html?r=2900.

To create an AWS VPC

1. Use the VPC with a Single Public Subnet Only option to create a new AWS VPC in an AWS availability zone.

2. Create additional subnets within the AWS VPC. Citrix recommends that you create at least three subnets, of the following types:

• One subnet for NetScaler management traffic. You place the NetScaler management IP (NSIP) on this subnet.

• One or more subnets for client-access (user-to-NetScaler) traffic, through which clients connect to one or more virtual IP (VIP) addresses assigned to NetScaler load balancing virtual servers.


• One or more subnets for the server-access (NetScaler-to-server) traffic, through which your servers connect to NetScaler-owned mapped IP (MIP) or subnet IP (SNIP) addresses.

For more information about NetScaler load balancing and virtual servers, virtual IP addresses (VIPs), mapped IP addresses (MIPs) and subnet IP addresses (SNIPs), see: http://support.citrix.com/proddocs/topic/netscaler-10/ns-gen-getting-started-wrapper-10-con.html.

Note:

• All subnets should be in the same availability zone.

• You can launch a NetScaler AMI in an AWS VPC with a single subnet. In this configuration, the management traffic, client-side traffic, and server-side traffic all use the same subnet, and high availability (HA) cannot be configured.

• You can launch the NetScaler AMI into an AWS VPC with two subnets. In this configuration, one subnet is used for management traffic, and the other subnet is used for both client-side and server-side traffic. This topology supports NetScaler HA.

3. Create an Internet gateway and attach it to the VPC instance.

4. Create routing tables for all traffic flowing into or out of the VPC. You need routes for access to the NSIP and to any client-facing VIP addresses. Traffic leaving the VPC must be routed through the Internet Gateway of the AWS VPC.

Note:

• Make sure that you associate management and client subnets with the routing table.

• Add a default route to the routing table for the traffic flowing out of the VPC. Set the Destination to 0.0.0.0/0, and the Target as the Internet gateway address.

5. Create a security group and open the required ports.

Setting Up the AWS API Toolkit

The AWS GUI console does not allow you to launch instances with more than two ENIs. For a standard deployment, you have to create at least three ENIs for a VPC instance (though it is possible to launch a NetScaler AMI with one or two ENIs). To create three or more ENIs for a NetScaler instance, you must use the AWS CLI. To use the AWS CLI, you must install the AWS API toolkit.

The AWS API toolkit is available for download at http://aws.amazon.com/developertools/351/. To install the AWS API toolkit, complete the following tasks on a Windows or Linux machine:

1. Download the AWS API Toolkit.

2. Download X.509 certificate files and X.509 private key file.

3. Download the private key.


4. Convert the downloaded private key (.pem file) for SSH connectivity.

5. Configure the AWS API Toolkit environment on your Windows or Linux computer.

To download the AWS API toolkit

1. In a web browser, open the following website: http://aws.amazon.com/developertools/351/.

2. On the Amazon EC2 API Tools page, in the Download section, click Download the Amazon EC2 API Tools.

3. Save the file, ec2-api-tools.zip, to a local disk and use a file compression utility (for example, WinZip) to extract the files.

To download the X.509 certificate file and X.509 private key file

1. In your browser, open the following website: http://aws.amazon.com/.

2. Click My Account/Console, and then click Security Credentials.

3. On the Amazon Web Services Sign in page, use your Amazon account credentials to sign in.

4. On the Security Credentials page, in the Access Credentials section, on the X.509 Certificates tab, click Create a New Certificate.

5. In the X509 Certificate Created dialog box, click Download Private Key File and save the private key file to a secure folder on your local drive.

6. Click Download X.509 Certificate and save the certificate to a secure folder on your local drive.

7. Click Close.

Note: The Private Key File can be downloaded only at the time of creating a certificate. However, you can download the certificate at any time after creating it.

To download private key for SSH connectivity

1. In your browser, open the following website: http://aws.amazon.com/.

2. Click My Account/Console.

3. On the Amazon Web Services Sign in page, use your Amazon account credentials to sign in.

4. In the Service pane, in Amazon Web Services, click EC2.

5. In the Navigation section, in Network and Security, click Key Pairs.

6. In the Key Pairs pane, click Create Key Pair.

7. In the Create Key Pair dialog box, type a name for the key pair and click Create.

8. Download the Key Pair to the local disk and click Close.

To convert the downloaded private key for SSH connectivity


For SSH connections from a management machine using PuTTY, you must convert the .pem file (private key) into a .ppk file. The .ppk file is the private key for SSH connections to the NetScaler VPX instance hosted in the AWS environment. To convert the .pem file to a .ppk file, use the PuTTY application's PuTTYgen utility. Make sure that the key pairs and certificate files are stored in an unshared and secured directory. After the conversion, you can use SSH to securely connect to the management address of the VPX on AWS instance.

To configure the AWS API Toolkit environment on a Windows machine

1. Move the certificate files to an unshared folder (for example, aws-ec2-api-tools).

2. Move the extracted AWS API toolkit folder to the unshared folder (for example, the aws-ec2-api-tools folder created in the example in Step 1).

3. Create a batch file to configure the specific AWS environment in the unshared folder (aws-ec2-api-tools if you used the example in the preceding two steps). Following is an example of the batch file. The file location used in this example is C:\aws-vpc-config\ and the file name is set-aws-environment.bat.

rem Setup Amazon EC2 Command-Line Tools
rem Quote the whole assignment so that the quotes do not become part of the value.
set "JAVA_HOME=C:\Program Files\Java\jre7"
set "EC2_HOME=C:\aws-ec2-api-tools"
set "PATH=%PATH%;%EC2_HOME%\bin"
set "EC2_PRIVATE_KEY=C:\aws-ec2-security-files\pk-3T6ACCLBEDGD3O3SMAM7YDI76VP5HXSU.pem"
set "EC2_CERT=C:\aws-ec2-security-files\cert-3T6ACCLBEDGD3O3SMAM7YDI76VP5HXSU.pem"
rem Replace <aws-region> with the region in which you launch the instance.
set "EC2_URL=https://<aws-region>.ec2.amazonaws.com"

4. Open the command prompt and run the batch file. For the file in the above example, type:

C:\aws-vpc-config> set-aws-environment.bat

5. Run the ec2ver command to verify that the AWS toolkit is installed properly. For example:

C:\aws-vpc-config>ec2ver
1.5.6.1 2012-06-15

To configure the AWS API Toolkit on a Linux machine

1. Move the certificate files to an unshared folder (for example, aws-ec2-api-tools).

2. Move the extracted AWS API toolkit folder to the unshared folder (for example, the aws-ec2-api-tools folder created in the example in Step 1).

3. Create a shell script to configure the specific AWS environment in the unshared folder (aws-ec2-api-tools if you used the example in the preceding two steps). Following is an example of the shell script. In this example, the file location used is C:\aws-vpc-config\ and the file name used is set-aws-environment.bat.


# Setup Amazon EC2 Command-Line Tools
export EC2_HOME=~/ec2-api-tools-1.5.6.0
export EC2_URL=https://us-east-1.ec2.amazonaws.com
export PATH=$EC2_HOME/bin:/usr/bin:/usr/sbin:/usr/local/sbin:/sbin
export EC2_PRIVATE_KEY=~/pk-XOX3NS2UPZL6BGLFO7PM5OGLYBDPBUCB.pem
export EC2_CERT=~/cert-XOX3NS2UPZL6BGLFO7PM5OGLYBDPBUCB.pem
export JAVA_HOME=/usr
export PS1="AWS PROMPT >"

4. Run the ec2ver command to verify that the AWS toolkit is installed properly. For example:

AWS PROMPT >ec2ver
1.5.6.1 2012-06-15

Creating an IAM Account

Before you launch the VPX AMI instance, you have to create a new IAM user account with the Access and Secret keys. The Access and Secret key credentials from the new IAM user are required for launching the NetScaler AMI instance. To create a new IAM user for NetScaler, complete the following steps.

1. In a web browser, open the website at www.aws.amazon.com and log on with AWS credentials.

2. Click My Account/Console, and then click AWS Management Console.


3. On the Amazon Web Services page, click IAM.

4. In the Navigation pane, click Users, and then click Create New Users.


5. In the Create User dialog box, in one of the Enter User Names text boxes, type a user name (for example, cns_ha). Also select the Generate an access key for each User check box, and then click Create.

6. After a new IAM user is created, click Download Credentials to download the Access and Secret Keys to a safe location. These keys are required for launching NetScaler AMI. Click Close.

Note: The Access Key ID and Secret Access Key values are used to create the key-pair file and to launch an instance.

7. In the Users pane, select the newly created IAM user and click the Permissions tab. Then, click Attach User Policy to set policies for the user.


8. In the Manage User Permissions dialog box, next to Effect, select the Allow option. For AWS Service, select Amazon EC2. From the Actions drop-down list, select the following four actions:

• AttachNetworkInterface

• DescribeInstances

• DescribeNetworkInterfaces

• DetachNetworkInterface

9. Click Add Statement.


10. Click Continue.

11. Click Apply Policy to set the new permissions for the selected user.
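Steps 8 through 11 grant the IAM user exactly four EC2 actions. The following Python script is an added example, not Citrix or AWS code: it builds the equivalent policy document and audits any policy document against that four-action baseline, so that a broader grant such as ec2:* is caught in review. The Resource value "*" and the two sample policies are assumptions constructed for the example.

```python
import fnmatch
import json

# The four EC2 actions selected in step 8 of the page, with the IAM "ec2:" prefix.
REQUIRED_ACTIONS = frozenset({
    "ec2:AttachNetworkInterface",
    "ec2:DescribeInstances",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DetachNetworkInterface",
})

# Constructed sample policies (not from the page) used to exercise the audit.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
}
PARTIAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["EC2:describeinstances", "ec2:TerminateInstances"],
        "Resource": "*",
    }],
}


def build_policy():
    """Policy document granting only the four actions.

    Resource "*" is an assumption; the page does not state a resource."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": "*",
        }],
    }


def as_list(value):
    """IAM accepts a single string or object where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Compare a policy's Allow statements with the four-action baseline.

    Returns {"missing": [...], "excess": [...]}: required actions that no Allow
    statement grants, and Action patterns that grant more than the baseline.
    Explicit Deny statements are not evaluated here.
    """
    required = {name.lower(): name for name in REQUIRED_ACTIONS}
    granted, excess = set(), set()
    for statement in as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if "NotAction" in statement:
            # Allow + NotAction grants every action except the listed ones.
            excluded = [p.lower() for p in as_list(statement["NotAction"])]
            excess.add("NotAction")
            granted |= {name for low, name in required.items()
                        if not any(fnmatch.fnmatchcase(low, p) for p in excluded)}
        for pattern in as_list(statement.get("Action")):
            # Action names are case-insensitive and may contain * and ? wildcards.
            low_pattern = pattern.lower()
            granted |= {name for low, name in required.items()
                        if fnmatch.fnmatchcase(low, low_pattern)}
            if low_pattern not in required:
                excess.add(pattern)
    return {"missing": sorted(REQUIRED_ACTIONS - granted), "excess": sorted(excess)}


if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
    for label, doc in (("baseline", build_policy()),
                       ("broad", BROAD_POLICY),
                       ("partial", PARTIAL_POLICY)):
        print(label, audit_policy(doc))
```

An empty "excess" list with an empty "missing" list means the policy matches what the steps above configure.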


Launching the NetScaler AMI

Use the AWS CLI to launch the NetScaler AMI in an AWS VPC. Use the ec2-run-instances command. For information about the ec2-run-instances command, see http://docs.amazonwebservices.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-RunInstances.html.

Following are Windows and Linux examples of running the command to launch a single NetScaler instance. The EC2 instance type is m1.large or m3.large. It is configured with the following entities:

• NetScaler AMI named ami-bd2986d4.

• Three ENIs (named NSIP, CLIENT-SIDE, and SERVER-SIDE) associated with the three subnets (15fa057e, 1547ba7e, and cc47baa7) within the VPC.

• A single IP address for the NSIP ENI.

• Multiple private IP addresses (for multiple VIPs) on the CLIENT-SIDE ENI.

• Multiple private IPs (for multiple SNIPs) on the SERVER-SIDE ENI.

On a Windows platform:

C:\aws-vpc-config>ec2-run-instances ami-bd2986d4 -n 1 -t m1.large -k keyPairName -f keyPairFileaccess-secret-key-file -a :0:subnet-15fa057e:"NSIP":10.20.15.21 -a :1:subnet-1547ba7e:"CLIENT-SIDE":10.20.10.21::::"10.20.10.22,10.20.10.23,10.20.10.24,10.20.10.25,10.20.10.26,10.20.10.27,10.20.10.28,10.20.10.29,10.20.10.30" -a :2:subnet-cc47baa7:"SERVER-SIDE":10.20.1.21::::"10.20.1.22,10.20.1.23,10.20.1.24,10.20.1.25,10.20.1.26,10.20.1.27,10.20.1.28,10.20.1.29,10.20.1.30"

Note: The keyPairFileaccess-secret-key-file file contains the access and secret keys.

On a Linux platform:

AWS PROMPT > ec2-run-instances ami-bd2986d4 -n 1 -t m1.large -k keyPairName -f keyPairFileaccess-secret-key-file -a :0:subnet-15fa057e:"NSIP":10.20.15.21 -a :1:subnet-1547ba7e:"CLIENT-SIDE":10.20.10.21::::10.20.10.22,10.20.10.23,10.20.10.24,10.20.10.25,10.20.10.26,10.20.10.27,10.20.10.28,10.20.10.29,10.20.10.30 -a :2:subnet-cc47baa7:"SERVER-SIDE":10.20.1.21::::10.20.1.22,10.20.1.23,10.20.1.24,10.20.1.25,10.20.1.26,10.20.1.27,10.20.1.28,10.20.1.29,10.20.1.30

Note: The keyPairFileaccess-secret-key-file file contains the access and secret keys.

The command returns the instance ID and the associated information. You can see the instance running within your AWS GUI Console.

Note: Make sure that the environment variable EC2_URL points to the region where you want to launch the VPX instance.
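A planned ec2-run-instances command can be checked against Table 1 (EC2 Support for ENIs and IP Addresses) and the usage guidelines before it is run. The following Python script is an added example, not Citrix or AWS code; it assumes the -a field layout shown in the commands above and treats device index 0 as the management ENI, and the subnet IDs in the second plan are constructed.

```python
import ipaddress
import shlex

# Table 1 on this page: instance type -> (max ENIs, max private IPs per ENI).
ENI_LIMITS = {
    "m1.large": (3, 10),
    "m1.xlarge": (4, 15),
    "m3.large": (3, 10),
    "m3.xlarge": (4, 15),
    "m3.2xlarge": (4, 30),
}

# The page's Linux launch command, trimmed to the options this check reads.
PAGE_COMMAND = (
    "ec2-run-instances ami-bd2986d4 -n 1 -t m1.large "
    '-a :0:subnet-15fa057e:"NSIP":10.20.15.21 '
    '-a :1:subnet-1547ba7e:"CLIENT-SIDE":10.20.10.21::::'
    + ",".join(f"10.20.10.{n}" for n in range(22, 31))
    + ' -a :2:subnet-cc47baa7:"SERVER-SIDE":10.20.1.21::::'
    + ",".join(f"10.20.1.{n}" for n in range(22, 31))
)

# Constructed plan that breaks three guidelines (subnet IDs are made up).
BAD_COMMAND = (
    "ec2-run-instances ami-bd2986d4 -n 1 -t m1.large "
    "-a :0:subnet-aaaa0001:NSIP:10.20.15.21::::10.20.15.22 "
    "-a :1:subnet-bbbb0002:CLIENT-SIDE:10.20.10.21::::"
    + ",".join(f"10.20.10.{n}" for n in range(22, 32))
    + " -a :2:subnet-aaaa0001:SERVER-SIDE:10.20.15.40"
)


def parse_eni_spec(spec):
    """Parse one -a value laid out as in the page's command:
    :index:subnet-id:description:primary-ip::::secondary-ip,secondary-ip,..."""
    fields = spec.split(":")
    if len(fields) < 5 or fields[0] != "":
        raise ValueError(f"unrecognised ENI spec: {spec!r}")
    secondary = fields[8].split(",") if len(fields) > 8 and fields[8] else []
    return {
        "index": int(fields[1]),
        "subnet": fields[2],
        "description": fields[3].strip('"'),
        "primary": ipaddress.ip_address(fields[4]),
        "secondary": [ipaddress.ip_address(ip.strip('"')) for ip in secondary],
    }


def parse_launch_command(command):
    """Return the instance type (-t) and every ENI spec (-a) in a command line."""
    tokens = shlex.split(command)  # also removes the shell quoting
    instance_type, enis = None, []
    for flag, value in zip(tokens, tokens[1:]):
        if flag == "-t":
            instance_type = value
        elif flag == "-a":
            enis.append(parse_eni_spec(value))
    return instance_type, enis


def check_launch_plan(command):
    """Return a list of findings; an empty list means no guideline is broken."""
    instance_type, enis = parse_launch_command(command)
    if instance_type not in ENI_LIMITS:
        return [f"instance type {instance_type!r} is not in Table 1"]
    max_enis, max_ips = ENI_LIMITS[instance_type]
    findings = []
    if len(enis) > max_enis:
        findings.append(
            f"{len(enis)} ENIs requested, {instance_type} supports {max_enis}")
    subnet_owner = {}
    for eni in sorted(enis, key=lambda e: e["index"]):
        idx, ip_count = eni["index"], 1 + len(eni["secondary"])
        # Assumption: device index 0 is the management ENI, as in the page's command.
        if idx == 0 and eni["secondary"]:
            findings.append(
                f"ENI {idx}: management ENI must carry only the NSIP address, "
                f"found {len(eni['secondary'])} secondary IP(s)")
        if ip_count > max_ips:
            findings.append(
                f"ENI {idx}: {ip_count} private IP addresses, "
                f"{instance_type} allows {max_ips} per ENI")
        if eni["subnet"] in subnet_owner:
            findings.append(
                f"ENI {idx}: shares {eni['subnet']} with ENI "
                f"{subnet_owner[eni['subnet']]}; use a separate subnet per ENI")
        subnet_owner.setdefault(eni["subnet"], idx)
    return findings


if __name__ == "__main__":
    for label, cmd in (("page command", PAGE_COMMAND), ("constructed", BAD_COMMAND)):
        print(label, check_launch_plan(cmd) or "ok")
```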

To access the EC2 instance

1. In a web browser, open the website at www.aws.amazon.com and log on with AWS credentials.

2. Click My Account/Console, and then click AWS Management Console.


3. On the Amazon Web Services page, click EC2.

4. On the Amazon EC2 Console Dashboard page, in the Navigation pane, click Instances and verify that all of the NetScaler VPX instances are configured with the IP addresses that you specified when you used the ec2-run-instances command.

Note: The VPX instance or instances can take from five to ten minutes to start running.


The ec2-run-instances command does not allow associating an AWS elastic IP with an ENI. To associate one or more EIPs with an ENI, in the Navigation pane, in the NETWORK & SECURITY area, click Elastic IPs, and then associate EIPs with private IP addresses for any of the VIPs that need to be externally routable.

You must also associate the instance ENIs with appropriate security groups. Go to the Network Interfaces section, right-click the individual ENI, and select the Change Security Groups option. You can then associate a proper VPC security group.


Using the Citrix CloudFormation Template to launch CloudBridge VPX for AWS

Using the Citrix Cloud Formation Template to launch NetScaler VPX for AWS

Citrix also provides a CloudFormation template that can be used to automate NetScaler instance launch. The tool requires an existing VPC environment. It launches a NetScaler instance with three ENIs. Therefore, to use the CloudFormation template, make sure that you have the following:

1. AWS account

2. AWS VPC

3. Three subnets within the VPC

4. A security group to use for the NetScaler instance's ENIs

Refer to Creating an AWS Virtual Private Cloud (VPC) for information about how to configure subnets and security groups within a VPC. After configuring the required subnets and security groups, you can launch the NetScaler VPX AMI in AWS VPC. The CloudFormation tool provides functionality to launch a single NetScaler VPX instance or, to create a high availability environment, a pair of NetScaler VPX instances.

Launching a single NetScaler VPX instance in AWS

1. In a web browser, open the website at www.aws.amazon.com and log on with AWS credentials.

2. Click My Account/Console, and then click AWS Management Console.


3. On the Amazon Web Services page, click Cloud Formation in the Deployment & Management section.

4. On the CloudFormation Stacks page, select the Region in which you plan to deploy the NetScaler VPX instance, and then click Create New Stack.


5. In the Create Stack dialog box, specify a value for Stack Name, select the Upload a Template File option, and then click Browse. Select the template for a standalone NetScaler VPX from the local drive, and then click Continue.

6. In the next pane, specify values for:

• VpcID: An identifier to assign to the Virtual Private Cloud (VPC).

• NsipSubnet: Subnet in which the NSIP is configured in the VPC

• ServerSubnet: Subnet in which the server farm is configured in the VPC

• ClientSubnet: SubnetId in which the client side is configured in the VPC

• SecurityGroup: VPC Security group ID

• VPXPrimary: Name of the primary VPX instance type

• AccessKey: Access Key for IAM user account

• SecretKey: Secret Key for IAM user account

• TenancyType: Instance tenancy type, can be default or dedicated

• NsIP: Private IP assigned to the NSIP ENI. The last octet of NSIP should be between 5 and 254.


• ServerIP: Private IP assigned to the Server ENI. The last octet should be between 5 and 254.

• ClientIP: Private IP assigned to the Client ENI. The last octet should be between 5 and 254.

• KeyName: Name of an existing EC2 KeyPair to enable SSH access to the instances.

Note: Make sure that the VPC, subnets, security groups, routes and gateway associations are already configured.

7. Click Continue.

8. Review the values in the Create Stack dialog box.


9. Click Continue to create a Stack.

10. Click Close to close the Create Stack dialog box.


11. The new stack that you created appears on the CloudFormation Stacks page.

Note:

• Currently, the CloudFormation utility does not provide the functionality to add secondary IP addresses. Use the AWS console, after deploying a NetScaler VPX instance, to add the secondary IP addresses to the ENIs.

• The CloudFormation scripts for the standalone and HA pair VPX instances have the latest AMIs for the five supported regions. You have to update the scripts to synchronize with the latest AMIs.

• The script automatically selects the correct AMI for the region in which the VPX instance is being deployed.

• By default, all the ENIs are attached to one security group. Use the AWS console to attach an ENI to a different security group.

• EIPs are automatically allocated and assigned to an instance. If the EIP limit exceeds the threshold for the region, the CloudFormation script fails and displays an error message.


Launching NetScaler VPX by using the AWS 1-Click

1-Click lets you launch an instance of NetScaler VPX on AWS with the default options, more quickly than with the other launch methods. After the instance is launched on AWS, you can modify these options by using either the AWS CLI or the AWS GUI.

The default options include the following elastic network interfaces (ENIs) for the NetScaler instance:

• Management Interface—Associates a subnet for management related traffic. You add the NetScaler management IP (NSIP) address to this subnet.

• Public Interface—Associates a subnet for the client-access (user-to-NetScaler) traffic. You add one or more virtual IP (VIP) addresses on this subnet.

• Private Interface—Associates a subnet for server-access (NetScaler-to-server) traffic. You add mapped IP (MIP) or subnet IP (SNIP) addresses on this subnet.

Before you begin launching an instance of NetScaler VPX on AWS, consider the following points:

• For security reasons, none of the elastic IP addresses are attached to the ENIs of the NetScaler VPX instance launched by using 1-Click. This means that the NetScaler VPX instance (including the management IP address) is not reachable from outside the AWS Virtual Private Cloud (VPC). If your VPC uses a Virtual Gateway or other method to provide VPN access to the VPC, you can administer the instance by using the IP address of the network interface in the management subnet. If you do not have VPN access to your VPC, Citrix recommends that you set up a jump box instance within the VPC, and then use this as the source for accessing or managing other instances within the VPC. For instructions to create an SSH jump box, see https://s3.amazonaws.com/awsmp-usageinstructions/Creating_and_using_VPC.txt.

• Three default security policies are created. A policy each is attached to the management, public and private interfaces, respectively.

• The security policy for the management interface allows traffic from a set of ports.

• The security policies for the public and private interfaces block all the traffic to or from these interfaces. You can later modify these security groups to filter the desired traffic.

• High Availability configuration is not supported for a NetScaler VPX instance launched by using AWS 1-click.

Before you begin launching an instance of NetScaler VPX on AWS, make sure that you have the following:

• An AWS account

• An AWS Virtual Private Cloud (VPC)


• Three subnets within the AWS VPC (one each for management interface, public interface, and private interface of the NetScaler instance)

• An IAM key pair

For information about creating an AWS account, a VPC, subnets in a VPC, and an IAM key pair, see Launching NetScaler VPX for AWS by Using the Amazon GUI and CLI toolkit.

To launch an instance of NetScaler VPX on AWS by using 1-Click

1. Log on to the AWS marketplace (https://aws.amazon.com/marketplace) by using your Amazon AWS credentials.

2. In the search field, type NetScaler VPX to search for the NetScaler AMI, and click Go.

3. On the search result page, click the desired Citrix NetScaler VPX offering.


4. On the Citrix NetScaler VPX page, click Continue.

5. Click the 1-Click Launch tab. On the 1-Click Launch tab, specify values for the following fields:

• Version

• Region

• EC2 Instance type

• Key Pair


6. On the VPC Settings pane, click Setup.


7. On the VPC Settings page, specify values for the following fields, and then click Done:

• VPC

• Network Interface (Management subnet)

• Network Interface (Private subnet)

• Network Interface (Public subnet)

Note: You need to make sure that the subnets attached to these ENIs are different from each other. Attaching the same subnet to more than one ENI might cause routing issues.


8. Click Accept Terms & Launch with 1-Click.

After a few minutes, the NetScaler instance is launched with three ENIs. You can now connect to the NSIP address (the IP address on the management ENI) of the instance by using the NetScaler CLI or NetScaler GUI and start configuring the NetScaler features, for example, load balancing.


Verifying the NetScaler VPX on AWS Installation

When the NetScaler instance is running, you can access the instance through the NetScaler GUI or the NetScaler CLI by connecting to the EIP associated with the management ENI (NSIP). For example, use the following addressing notation in a web browser:

http://<Elastic_IP> (unsecured access)

or

https://<Elastic_IP> (secured access)

Note:

• To access a NetScaler instance through SSH, provide the .pem file.

• You can use the AWS GUI console to manually add the private IP addresses for MIPs on server subnets and VIPs on client subnets.

• If you want to access the NSIP from the Internet, you must assign an EIP to the NSIP address of each NetScaler instance. Also, make sure that the NSIP subnet is associated with a routing table that has a default route set to the Internet gateway.

• If you want VIP addresses to be accessible through the Internet, you must associate an EIP with each VIP address that is defined in the configuration.

• The following are the default login credentials to access a NetScaler instance:

• Username—nsroot

• Password—nsroot

• The following are the default administrator credentials to access a NetScaler VPX instance:

• Username—nsroot

• Password—The default password for the nsroot account is set to the AWS instance-ID of the NetScaler VPX instance. For a high availability configuration between two NetScaler VPX instances, the nsroot password of the secondary node is set to that of the primary node after the HA configuration synchronization.

• You can find the private key file from the AWS console. To view the private key file:

1. Log on to the AWS marketplace (https://aws.amazon.com/marketplace) by using your Amazon AWS credentials.

2. Click Amazon Web Services Home.

3. Click My Account/Console, and then click Security Credentials.


Attaching Additional IP Addresses to an Instance

You can attach additional IP addresses to an instance as follows:

1. Add a secondary IP address to an ENI.

2. Associate an EIP with the secondary IP address that you created.

To add a secondary IP address to the ENI

1. In a web browser, open the website at www.aws.amazon.com and log on with AWS credentials.

2. Click My Account/Console, and then click AWS Management Console.

3. On the Amazon Web Services page, click EC2.

4. On the Amazon EC2 Console's Dashboard page, in the Navigation pane, in NETWORK & SECURITY, click Network Interfaces.

5. In the Network Interfaces pane, right-click the ENI attached to the subnet, and then select the Manage Private IP Addresses option from the pop-up menu.

6. In the Manage Private IP Addresses dialog box, click Assign a secondary private IP address and either let AWS automatically assign an IP address or type an IP address in the auto-assign text-field. Click Yes, Update.


Associating an EIP with the secondary IP

Complete the following steps to associate an EIP with a secondary IP address:

1. On the Amazon EC2 Console Dashboard page, in the Navigation pane, in NETWORK & SECURITY, click Elastic IPs.

2. In the Addresses pane, click Allocate New Address.

3. In the Allocate New Address dialog box, select VPC from the EIP used in drop-down list and click Yes, Allocate.

4. Select the newly allocated EIP, and click Associate Address.

5. In the Associate Address dialog box, select, from the Instance and the Private IP address drop-down lists, the instance and private address that you want to associate with the EIP. Then, click Yes, Associate.


Downloading a NetScaler VPX License

After the initial instance launch, NetScaler VPX for AWS requires a license. If you are bringing your own license (BYOL), see the VPX Licensing Guide at http://support.citrix.com/article/CTX122426.

You have to:

1. Use the licensing portal within MyCitrix to generate a valid license.

2. Upload the license to the instance.

If this is a paid marketplace instance, then you do not need to install a license. The correct feature set and performance will activate automatically.


Load Balancing Servers in different Availability Zones

A NetScaler instance can be used to load balance servers running in the same availability zone, or in:

• A different availability zone (AZ) in the same AWS VPC

• A different AWS region

• AWS EC2 in a VPC

To enable NetScaler to load balance servers running outside the AWS VPC that the NetScaler instance is in, configure the NetScaler to use EIPs to route traffic through the Internet gateway, as follows:

1. Configure a MIP or SNIP on the NetScaler by using the NetScaler CLI or the NetScaler GUI.

2. Enable traffic to be routed out of the AZ, by creating a public facing subnet for the server-side traffic.

3. Add to the NetScaler configuration a PBR policy that enables sending data traffic to destinations outside the VPC. The management traffic to and from the NSIP address always uses interface 1/1 and the default static route acquired from the AWS DHCP server.

Following is an example of adding a PBR policy to a NetScaler appliance:

add pbr pbr_VIPs allow -srcip 10.20.10.21-10.20.10.30 -nexthop 10.20.10.1 -state enabled
apply pbrs

4. Add an Internet gateway route to the routing table, using the AWS GUI console.

5. Associate the routing table you just updated with the server-side subnet.

6. Associate an EIP with the server-side private IP address that is mapped to a NetScalerMIP address.


High Availability

Two Citrix® NetScaler® VPX™ instances in AWS can be configured as a high availability (HA) pair. With one instance configured as the primary node and the other as the secondary node, the primary node accepts connections and manages servers while the secondary node monitors the primary. If, for any reason, the primary node is unable to accept connections, the secondary node takes over.

The following figure shows an example of the HA deployment architecture for NetScaler VPX on AWS.

Figure 1. NetScaler VPX on AWS - HA Deployment

To deploy HA for VPX on AWS, you must configure at least two ENIs on the primary instance and a single ENI on the secondary instance. On each instance, configure the NetScaler IP (NSIP) address (the management address) on the default ENI. On the primary instance, use the additional ENIs for client and server connections.

Note: For HA failover to work:

1. The NSIP addresses for each NetScaler instance in an HA pair must be configured on the default ENI of the instance.

2. Both the primary and secondary instances must have EIPs associated with the NSIP and should have access to the AWS API servers.


3. Client and server traffic (data-plane traffic) must not be configured on the default ENI.

HA deployment also requires access and secret keys associated with the user's AWS Identity and Access Management (IAM) account. If the correct key information is not used when creating VPX instances, the HA deployment will fail. The access and secret keys are required for sending Query APIs to the AWS server.

Notes on HA:

• Because Amazon does not allow any broadcast/multicast packets in AWS, HA is implemented by migrating data-plane ENIs from the primary to the secondary (new primary) VPX instance when the primary VPX instance fails.

• To deploy HA for VPX on AWS, you must configure at least two ENIs on the primary instance and a single ENI on the secondary instance.

• Because the default ENI cannot be moved to another VPX instance, you should not use the default ENI for data.

• The AWS debug messages are available in the log file, /var/log/ns.log, on the VPX instance.

• The message AWSCONFIG IOCTL NSAPI_HOTPLUG_INTF success output 0 indicates that the two data ENIs have successfully attached to the secondary instance (the new primary).

• Failover might take up to 20 seconds due to the AWS detach/attach ENI mechanism.

• Upon failover, the failed instance always restarts.

• The secondary node always has one ENI interface (for management) and the primary node can have up to eight ENIs.

• The heartbeat packets are received only on the management interface.

• The configuration file of the primary and secondary NetScaler appliances is synchronized, including the nsroot password. The nsroot password of the secondary node is set to that of the primary node after the HA configuration synchronization.

Configuring High Availability for VPX on AWS

To deploy HA for two VPX instances on AWS, you must create the primary NetScaler VPX instance with three ENIs and the secondary NetScaler VPX with a single ENI.

Following is an example of launching a primary VPX instance with three ENIs:

C:\aws-vpc-config>ec2-run-instances ami-bd2986d4 -n 1 -t m1.large -k keyPairName -f./keyPairFile./access-secret-key-file -a :0:subnet-15fa057e:"NSIP":10.20.15.21 -a :1:subnet-1547ba7e:"CLIENT-SIDE":10.20.10.21::::"10.20.10.22,10.20.10.23,10.20.10.24,10.20.10.25,10.20.10.26,10.20.10.27,10.20.10.28,10.20.10.29,10.20.10.30" -a :2:subnet-cc47baa7:"SERVER-SIDE":10.20.1.21::::"10.20.1.22,10.20.1.23,10.20.1.24,10.20.1.25,10.20.1.26,10.20.1.27,10.20.1.28,10.20.1.29,10.20.1.30"

Following is an example of launching a secondary VPX instance with a single ENI:


C:\aws-vpc-config>ec2-run-instances ami-bd2986d4 -n 1 -t m1.large -k keyPairName -fkeyPairFileaccess-secret-key-file -a :0:subnet-15fa057e:"NSIP":10.20.15.31

Note: The keyPairFileaccess-secret-key-file argument contains the access and secret key. (You cannot change the keyPairFileaccess-secret-key-file associated with a VPC instance after it is created.)

After the two NetScaler instances are UP, configure the HA pairing on both the instances. You have to configure the instance with two or more ENIs before configuring HA on the instance with one ENI. Use the add HA node command, from within the NetScaler CLI, or from the NetScaler GUI. For example:

On the VPX instance with two or more ENIs:

add HA node 1 10.0.1.9

On the VPX instance with one ENI:

add HA node 1 10.0.1.10

After you enter add HA node commands, the two nodes form an HA pair, and configuration information is synchronized between the two VPX instances.

To remove HA from NetScaler VPX pair

You can remove HA configuration from the NetScaler VPX pair by using the remove ha node command. You have to remove the HA configuration from the secondary NetScaler VPX before removing the HA configuration from the primary NetScaler VPX.

For example, on the Secondary NetScaler VPX instance, at the NetScaler command line, type:

remove ha node

save config

On the Primary NetScaler VPX instance, at the NetScaler command line, type:

remove ha node

save config


Launching NetScaler VPX pairs for HA by using Citrix CloudFormation

1. In a web browser, open the website at www.aws.amazon.com and log on with AWS credentials.

2. Click My Account/Console, and then click AWS Management Console.

3. On the Amazon Web Services page, in the Deployment & Management section, click Cloud Formation.


4. On the CloudFormation Stacks page, select the Region in which you plan to deploy the NetScaler VPX instance, and then click Create New Stack.

5. In the Create Stack dialog box, specify a value for Stack Name, select the Upload a Template File option, and then click Browse. Select the template for HA NetScaler VPX from the local drive, and then click Continue.


6. In the next pane, specify values for:

• VpcID: An identifier to assign to the Virtual Private Cloud (VPC).

• NsipSubnet: Subnet in which the NSIP is configured in VPC.

• ServerSubnet: Subnet in which the server farm is configured in VPC.

• ClientSubnet: SubnetId in which the client side is configured in VPC.

• SecurityGroup: VPC Security group id.

• VPXPrimary: Name of Primary VPX instance type.

• AccessKey: Access Key for IAM user account.

• SecretKey: Secret Key for IAM user account.

• TenancyType: Instance tenancy type, can be default or dedicated.

• NsIP: Private IP assigned to the NSIP ENI. The last octet of NSIP should be between 5 and 254.

• NsIPSec: Private IP assigned to the NSIP ENI of Secondary. The last octet has to be between 5 and 254.

• ServerIP: Private IP assigned to the Server ENI. The last octet should be between 5 and 254.


• ClientIP: Private IP assigned to the Client ENI. The last octet should be between 5 and 254.

• KeyName: Name of an existing EC2 KeyPair to enable SSH access to the instances.

Note: Make sure that the VPC, subnets, security groups, route associations, and gateway associations are already configured.

7. Click Continue.

8. Review the specified values in the Create Stack dialog box.


9. Click Continue to create a Stack.


10. Click Close to close the Create Stack dialog box.

11. The new stack that you created appears on the CloudFormation Stacks page.


Upgrading a NetScaler VPX instance on AWS

You can upgrade the EC2 instance type, throughput, software edition, and the system software of a NetScaler VPX running on AWS. For certain types of upgrades, Citrix recommends using the High Availability Configuration method to minimize downtime.

Note:

• NetScaler software release 10.1.e-124.1308.e or later for a NetScaler VPX AMI (including both utility license and customer license) does not support the M1 and M2 instance families.

• Because of changes in NetScaler instance support, downgrading from 10.1.e-124 or a later release to 10.1.123.x or an earlier release is not supported.

• Most of the upgrades do not require launching a new AMI, and the upgrade can be done on the current NetScaler AMI instance. If you do want to upgrade to a new NetScaler AMI instance, use the high availability configuration method.


Changing the EC2 Instance Type of a NetScaler VPX Instance on AWS

If your NetScaler VPX instances are running release 10.1.e-124.1308.e or later, you can change the EC2 instance type from the AWS console as follows:

1. Stop the VPX instance.

2. Change the EC2 instance type from the AWS console.

3. Start the instance.

You can also use the above procedure to change the EC2 instance type for a release earlier than 10.1.e-124.1308.e, unless you want to change the instance type to M3. In that case, you must first follow the standard NetScaler upgrade procedure, at Upgrading or Downgrading the System Software, to upgrade the NetScaler software to 10.1.e-124 or a later release, and then follow the above steps.


Upgrading the Throughput or Software Edition for a NetScaler VPX Instance on AWS

To upgrade the software edition (for example, to upgrade from standard to platinum edition) or throughput (for example, to upgrade from 200 mbps to 1000 mbps), the method depends on the instance’s license.

Using a customer license (Bring-Your-Own-License)

If you are using a customer license, you can purchase and download the new license from the Citrix Licensing portal (MyCitrix), and then install the license on the VPX instance. For more information about downloading and installing a license from the MyCitrix portal, see the VPX Licensing Guide.

Using a utility license (Utility license with hourly fee)

AWS does not support direct upgrades for fee-based instances. To upgrade the software edition or throughput of a fee based NetScaler VPX instance, launch a new AMI with the desired license and capacity and migrate the older instance configuration to the new instance. This can be achieved by using a NetScaler high availability configuration as described in “Upgrading to a New AMI by Using a NetScaler High Availability Configuration.”


Upgrading the System Software of a NetScaler VPX Instance on AWS

If you need to upgrade a NetScaler instance running 10.1.e-124.1308.e or a later release, follow the standard NetScaler upgrade procedure at Upgrading or Downgrading the System Software.

If you need to upgrade a NetScaler instance running a release older than 10.1.e-124.1308.e to 10.1.e-124.1308.e or a later release, first upgrade the system software, and then change the instance type to M3 as follows:

1. Stop the VPX instance.

2. Change the EC2 instance type from the AWS console.

3. Start the instance.


Upgrading to a New NetScaler AMI Instance by Using a NetScaler High Availability Configuration

To use the high availability method of upgrading to a new NetScaler AMI instance, perform the following tasks:

• Create a new instance with the desired EC2 instance type, software edition, throughput, or software release from the AWS marketplace.

• Configure high availability between the old instance (to be upgraded) and the new instance. After high availability is configured between the old and the new instance, configuration from the old instance is synchronized to the new instance.

• Force an HA failover from the old instance to the new instance. As a result, the new instance becomes primary and starts receiving traffic.

• Stop, and reconfigure or remove the old instance from AWS.

Prerequisites and Points to Consider

• Make sure you understand how high availability works between two NetScaler VPX instances on AWS. For more information about high availability configuration between two NetScaler VPX instances on AWS, see High Availability.

• You must create the new instance in the same availability zone as the old instance, having the exact same security group and subnet.

• High availability setup requires access and secret keys associated with the user's AWS Identity and Access Management (IAM) account for both instances. If the correct key information is not used when creating VPX instances, the HA setup fails. For more information about creating an IAM account for a VPX instance, see Create an IAM Account.

• You must use the EC2 console to create the new instance. You cannot use the AWS 1-click launch, because it does not accept the access and secret keys as the input.

• The new instance should have only one ENI interface.

To upgrade a NetScaler VPX Instance by using a high availability configuration

1. Configure high availability between the old and the new instance. To configure high availability between two NetScaler VPX instances, at the NetScaler command prompt of each instance, type:

• add ha node <nodeID> <IPaddress of the node to be added>

• save config

Example


At the NetScaler command prompt of the old instance, type:

> add ha node 30 192.0.2.30
Done

At the NetScaler command prompt of the new instance, type:

> add ha node 10 192.0.2.10
Done

Note the following:

• In the HA setup, the old instance is the primary node and the new instance is the secondary node.

• The NSIP IP address is not copied from the old instance to the new instance. Therefore, after the upgrade, your new instance has a different management IP address from the previous one.

• The nsroot account password of the new instance is set to that of the old instance after HA synchronization.

For more information about high availability configuration between two NetScaler VPX instances on AWS, see High Availability.

2. Force an HA failover. To force a failover in a high availability configuration, at the NetScaler command prompt of either of the instances, type:

• force HA failover

As the result of forcing a failover, the ENIs of the old instance are migrated to the new instance and traffic flows through the new instance (the new primary node). The old instance (the new secondary node) restarts.

If the following warning message appears, type N to abort the operation:

[WARNING]:Force Failover may cause configuration loss, peer health not optimum. Reason(s):
HA version mismatch
HA heartbeats not seen on some interfaces
Please confirm whether you want force-failover (Y/N)?

The warning message appears because the system software of the two VPX instances is not HA compatible. As a result, the configuration of the old instance cannot be automatically synced to the new instance during a forced failover.

Following is the workaround for this issue:

a. At the NetScaler shell prompt of the old instance, type the following command to create a backup of the configuration file (ns.conf):

• cp /nsconfig/ns.conf /nsconfig/ns.conf.bkp

b. Remove the following line from the backup configuration file (ns.conf.bkp):

• set ns config -IPAddress <IP> -netmask <MASK>

For example, set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0

c. Copy the old instance’s backup configuration file (ns.conf.bkp) to the /nsconfig directory of the new instance.


d. At the NetScaler shell prompt of the new instance, type the following command to load the old instance’s configuration file (ns.conf.bkp) on the new instance:

• batch -f /nsconfig/ns.conf.bkp

e. Save the configuration on the new instance.

• save config

f. At the NetScaler command prompt of either of the nodes, type the following command to force a failover, and then type Y for the warning message to confirm the force failover operation:

• force ha failover

Example

> force ha failover

[WARNING]:Force Failover may cause configuration loss, peer health not optimum. Reason(s):
HA version mismatch
HA heartbeats not seen on some interfaces
Please confirm whether you want force-failover (Y/N)? Y

3. Remove the HA configuration, so that the two instances are no longer in an HA configuration. First remove the HA configuration from the secondary node and then remove the HA configuration from the primary node.

To remove an HA configuration between two NetScaler VPX instances, at the command prompt of each instance, type:

• remove ha node <nodeID>

• save config

For more information about high availability configuration between two NetScaler instances on AWS, see High Availability.

Example

At the NetScaler command prompt of the old instance (new secondary node), type:

> remove ha node 30
Done
> save config
Done

At the NetScaler command prompt of the new instance (new primary node), type:

> remove ha node 10
Done
> save config
Done
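Steps a and b of the workaround above (back up ns.conf, then drop the NSIP line from the backup) can be done in one verified pass. The following shell sketch is an added example, not part of the Citrix documentation; the function name make_ha_backup, its exit codes and the sample configuration are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the Citrix documentation.
# Workaround steps a and b: copy ns.conf to ns.conf.bkp and drop the line
#   set ns config -IPAddress <IP> -netmask <MASK>
# so that loading the backup on the new instance leaves its own NSIP alone.

# make_ha_backup SRC DST   (hypothetical helper name)
# Exit status: 0  backup written and verified
#              1  SRC unreadable
#              2  SRC has no NSIP line (unexpected input; nothing written)
#              3  DST could not be written or failed verification
make_ha_backup() {
    src=$1
    dst=$2
    # The page writes the same commands in both cases (add HA node,
    # add ha node), so the NSIP line is matched case-insensitively.
    pat='^[[:space:]]*set[[:space:]]+ns[[:space:]]+config[[:space:]]+-IPAddress[[:space:]]'

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    total=$(grep -c '' "$src" || true)
    nsip=$(grep -Eic "$pat" "$src" || true)
    if [ "$nsip" -eq 0 ]; then
        echo "no 'set ns config -IPAddress' line in $src" >&2
        return 2
    fi

    # The synchronized configuration includes the nsroot password, so the
    # copy is created readable by its owner only.
    rc=0
    ( umask 077; grep -Eiv "$pat" "$src" > "$dst" ) || rc=$?
    if [ "$rc" -gt 1 ] || [ ! -f "$dst" ]; then
        echo "cannot write $dst" >&2
        return 3
    fi

    # Verify: no NSIP line left, and only NSIP lines were dropped.
    kept=$(grep -c '' "$dst" || true)
    left=$(grep -Eic "$pat" "$dst" || true)
    if [ "$left" -ne 0 ] || [ "$kept" -ne $((total - nsip)) ]; then
        echo "verification failed for $dst" >&2
        rm -f "$dst"
        return 3
    fi
    echo "$dst: kept $kept of $total lines, removed $nsip NSIP line(s)"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample configuration, not taken from a real appliance.
    cat > "$dir/ns.conf" <<'EOF'
#NS constructed sample
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
set ns hostName vpx-old
add ns ip 192.0.2.20 255.255.255.0 -type SNIP
EOF
    make_ha_backup "$dir/ns.conf" "$dir/ns.conf.bkp" && cat "$dir/ns.conf.bkp"
    rm -rf "$dir"
}

demo
```

On the old instance the call would be make_ha_backup /nsconfig/ns.conf /nsconfig/ns.conf.bkp; steps c through f are then carried out as described above.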


Troubleshooting the NetScaler VPX on AWS

Amazon does not provide console access to a NetScaler VPX virtual instance. To troubleshoot, you have to use the AWS GUI to view the activity log. You can debug only if the network is connected. To view an instance’s system log, right-click the instance and select system log.

Citrix provides support for fee based NetScaler VPX instances (utility license with hourly fee) on AWS. To file a support case, find your AWS account number and support PIN code, and call Citrix support. You will also be asked for your name and email address. To find the support PIN, log on to the NetScaler configuration utility and navigate to the System page.

Here is an example of a system page showing the support PIN.


Installing NetScaler VPX in a Data Center

The Citrix NetScaler VPX virtual appliance can be hosted on Citrix XenServer®, VMware ESX or ESXi, and Microsoft Hyper-V virtualization platforms.


Installing NetScaler Virtual Appliances on XenServer

To install NetScaler virtual appliances on Citrix XenServer, you must first install XenServer on a machine with adequate system resources. To perform the NetScaler virtual appliance installation, you use Citrix XenCenter, which must be installed on a remote machine that can connect to the XenServer host through the network.

Note: After the initial configuration of the NetScaler appliance, if you want to upgrade the appliance to the latest software release, see Upgrading or Downgrading the System Software.


Prerequisites for Installing NetScaler Virtual Appliances on XenServer

Before you begin installing a virtual appliance, do the following:

• Install XenServer® version 5.6 or later on hardware that meets the minimum requirements.

• Install XenCenter® on a management workstation that meets the minimum system requirements.

• Obtain virtual appliance license files. For more information about virtual appliance licenses, see the NetScaler VPX Licensing Guide at http://support.citrix.com/article/ctx122426.

XenServer Hardware Requirements

The following table describes the minimum hardware requirements for a XenServer platform running NetScaler.

Table 1. Minimum System Requirements for XenServer Running NetScaler nCore virtual appliance

Component | Requirement
CPU | 2 or more 64-bit x86 CPUs with virtualization assist (Intel-VT or AMD-V) enabled. Note: To run NetScaler virtual appliance, hardware support for virtualization must be enabled on the XenServer host. Make sure that the BIOS option for virtualization support is not disabled. Consult your BIOS documentation for more details.
RAM | 3 gigabytes (GB)
Disk space | Locally attached storage (PATA, SATA, SCSI) with 40 GB of disk space. Note: XenServer installation creates a 4 GB partition for the XenServer host control domain; the remaining space is available for NetScaler virtual appliance and other virtual machines.
Network Interface Card (NIC) | One 1-Gbps NIC. Recommended: Two 1-Gbps NICs


Table 2. Minimum System Requirements for XenServer Running NetScaler virtual appliance

Component | Requirement
CPU | One or more 64-bit x86 CPUs with virtualization assist (Intel-VT or AMD-V) enabled. Note: To run NetScaler virtual appliance, hardware support for virtualization must be enabled on the XenServer host. Make sure that the BIOS option for virtualization support is not disabled. Consult your BIOS documentation for more details.
RAM | 2 gigabytes (GB)
Disk space | Locally attached storage (PATA, SATA, SCSI) with 40 GB of disk space. Note: XenServer installation creates a 4 GB partition for the XenServer host control domain; the remaining space is available for NetScaler virtual appliance and other virtual machines.
Network Interface Card (NIC) | One 1 gigabit per second (Gbps) NIC. Recommended: Two 1 Gbps NICs

For information about installing XenServer, see the XenServer documentation at http://support.citrix.com/product/xens/.

The following table lists the virtual computing resources that XenServer must provide for each NetScaler nCore virtual appliance and classic virtual appliance.

Table 3. Minimum Virtual Computing Resources Required for Running NetScaler ncore virtual appliance

Component | Requirement
Memory | 2 GB
Virtual CPU (VCPU) | 2
Virtual network interfaces | 2

Table 4. Minimum Virtual Computing Resources Required for Running NetScaler virtual appliance

Component | Requirement
Memory | 1 GB
Virtual CPU (VCPU) | 1
Virtual network interfaces | 2

Note: For production use of NetScaler virtual appliance, Citrix recommends that CPU priority (in virtual machine properties) be set to the highest level, in order to improve scheduling behavior and network latency.


XenCenter System Requirements

XenCenter® is a Windows client application. It cannot run on the same machine as the XenServer® host. The following table describes the minimum system requirements.

Table 5. Minimum System Requirements for XenCenter Installation

Component | Requirement
Operating system | Windows 7, Windows XP, Windows Server 2003, or Windows Vista
.NET framework | Version 2.0 or later
CPU | 750 megahertz (MHz). Recommended: 1 gigahertz (GHz) or faster
RAM | 1 GB. Recommended: 2 GB
Network Interface Card (NIC) | 100 megabits per second (Mbps) or faster NIC

For information about installing XenCenter, see the XenServer documentation at http://support.citrix.com/product/xens/.


Installing NetScaler Virtual Appliances on XenServer by Using XenCenter

After you have installed and configured XenServer and XenCenter, you can use XenCenter to install virtual appliances on XenServer. The number of virtual appliances that you can install depends on the amount of memory available on the hardware that is running XenServer.

After you have used XenCenter to install the initial NetScaler virtual appliance (.xva image) on XenServer, you have the option to use Command Center to provision NetScaler virtual appliance. For more information, see the Command Center documentation.

To install NetScaler virtual appliances on XenServer by using XenCenter

1. Start XenCenter on your workstation.

2. On the Server menu, click Add.

3. In the Add New Server dialog box, in the Hostname text box, type the IP address or DNS name of the XenServer that you want to connect to.

4. In the User Name and Password text boxes, type the administrator credentials, and then click Connect. The XenServer name appears in the navigation pane with a green circle, which indicates that the XenServer is connected.

5. In the navigation pane, click the name of the XenServer on which you want to install NetScaler virtual appliance.

6. On the VM menu, click Import.

7. In the Import dialog box, in Import file name, browse to the location at which you saved the NetScaler virtual appliance .xva image file. Make sure that the Exported VM option is selected, and then click Next.

8. Select the XenServer on which you want to install the virtual appliance, and then click Next.

9. Select the local storage repository in which to store the virtual appliance, and then click Import to begin the import process.

10. You can add, modify, or delete virtual network interfaces as required. When finished, click Next.

11. Click Finish to complete the import process.

Note: To view the status of the import process, click the Log tab.

12. If you want to install another virtual appliance, repeat steps 5 through 11.


Installing NetScaler 1000V Virtual Appliances on VMware ESX

Important: You cannot install standard VMware Tools or upgrade the VMware Tools version available on a NetScaler virtual appliance. VMware Tools for a NetScaler virtual appliance are delivered as part of the NetScaler software release.

Before installing NetScaler 1000V virtual appliances on VMware ESX, make sure that VMware ESX Server is installed on a machine with adequate system resources. To install NetScaler 1000V virtual appliances on VMware ESXi version 4.0 or later, 5.0 or 5.1, you use VMware vSphere client. The client or tool must be installed on a remote machine that can connect to VMware ESX through the network.

Note: NetScaler 1000V is supported on both the VMware ESX and the VMware ESXi hypervisor, and is shipped with virtual hardware version 4.

After the installation, you can use vSphere client or vSphere Web Client to manage virtual appliances on VMware ESX 4.0 or later release.

After you install NetScaler 1000V on VMware ESX version 5.0 or 5.1, set up vPath on the new VM so that it can communicate with the servers. For more information about vPATH, see "Setting Up vPath on the NetScaler 1000V."

Note:

The VMware vSphere client shows the guest operating system as "Sun Solaris 10" for NetScaler virtual machine. This is by design because VMware ESXi does not recognize FreeBSD.

After the initial configuration of the NetScaler appliance, if you want to upgrade the appliance to the latest software release, see "Upgrading or Downgrading the System Software."


Prerequisites for Installing NetScaler Virtual Appliances on VMware

Before you begin installing a virtual appliance, do the following:

• Install VMware ESX version 4.1 5.0 or later on hardware that meets the minimum requirements.

• Install VMware Client on a management workstation that meets the minimum system requirements.

• Download the NetScaler virtual appliance setup files.

• Label the physical network ports of VMware ESX.

• Obtain NetScaler license files. For more information about NetScaler virtual appliance licenses, see the NetScaler VPX Licensing Guide at http://support.citrix.com/article/ctx131110.

VMware ESX Hardware Requirements

The following table describes the minimum system requirements for VMware ESX servers running NetScaler ncore virtual appliance.

Table 1. Minimum System Requirements for VMware ESX Servers Running NetScaler nCore virtual appliance

Component | Requirement
CPU | 2 or more 64-bit x86 CPUs with virtualization assist (Intel-VT or AMD-V) enabled. Note: To run NetScaler virtual appliance, hardware support for virtualization must be enabled on the VMware ESX host. Make sure that the BIOS option for virtualization support is not disabled. For more information, see your BIOS documentation.
RAM | 3 GB
Disk space | 40 GB of disk space available
Network | One 1-Gbps NIC; Two 1-Gbps NICs recommended (The network interfaces must be Intel E1000.)

For information about installing VMware ESX, see http://www.vmware.com/.


The following table lists the virtual computing resources that the VMware ESX server must provide for each NetScaler ncore virtual appliance.

Table 2. Minimum Virtual Computing Resources Required for Running NetScaler ncore virtual appliance

Component | Requirement
Memory | 2 GB
Virtual CPU (VCPU) | 2. Important: Do not modify the system resources to create a virtual CPU (VCPU) in addition to the two CPUs already allotted to the virtual appliance.
Virtual network interfaces | 1. Note: With ESX 4.0 or later, you can install a maximum of 10 virtual network interfaces if the VPX hardware version is upgraded to 7 or higher.
Disk space | 20 GB. Note: This is in addition to any disk requirements for the hypervisor.

Note: For production use of NetScaler virtual appliance, the full memory allocation must be reserved. CPU cycles (in MHz) equal to at least the speed of one CPU core of the ESX should also be reserved.

VMware vSphere Client System Requirements

VMware vSphere is a client application that can run on Windows and Linux operating systems. It cannot run on the same machine as the VMware ESX server. The following table describes the minimum system requirements.

Table 3. Minimum System Requirements for VMware vSphere Client Installation

Component | Requirement
Operating system | For detailed requirements from VMware, search for the "vSphere Compatibility Matrixes" PDF file at http://kb.vmware.com/.
CPU | 750 megahertz (MHz); 1 gigahertz (GHz) or faster recommended
RAM | 1 GB; 2 GB recommended
Network Interface Card (NIC) | 100 Mbps or faster NIC


OVF Tool 1.0 System Requirements

OVF Tool is a client application that can run on Windows and Linux systems. It cannot run on the same machine as the VMware ESX server. The following table describes the minimum system requirements.

Table 4. Minimum System Requirements for OVF Tool Installation

Component | Requirement
Operating system | For detailed requirements from VMware, search for the "OVF Tool User Guide" PDF file at http://kb.vmware.com/.
CPU | 750 MHz minimum, 1 GHz or faster recommended.
RAM | 1 GB Minimum, 2 GB recommended.
Network Interface Card (NIC) | 100 Mbps or faster NIC

For information about installing OVF, search for the "OVF Tool User Guide" PDF file at http://kb.vmware.com/.

Downloading the NetScaler virtual appliance Setup Files

The NetScaler virtual appliance setup package for VMware ESX follows the Open Virtual Machine (OVF) format standard. You can download the files from MyCitrix.com. You need a My Citrix account to log on. If you do not have a My Citrix account, access the home page at http://www.mycitrix.com, click the New Users link, and follow the instructions to create a new My Citrix account.

Once logged on, navigate the following path from the My Citrix home page:

MyCitrix.com > Downloads > NetScaler > Virtual Appliances.

Copy the following files to a workstation on the same network as the ESX server. Copy all three files into the same folder.

• NSVPX-ESX-<release number>-<build number>-disk1.vmdk (for example, NSVPX-ESX-9.39.29.1-39.8-disk1.vmdk)

• NSVPX-ESX-<release number>-<build number>.ovf (for example, NSVPX-ESX-9.39.29.1-39.8.ovf)

• NSVPX-ESX-<release number>-<build number>.mf (for example, NSVPX-ESX-9.39.29.1-39.8.mf)
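The .mf file in an OVF package is the manifest that carries a digest for each of the other files, so the copied set can be checked before it is deployed. The following is an added example, not part of the Citrix documentation: it assumes the OVF 1.x manifest line format `SHA1(<file name>)= <hex digest>`, and the file contents it builds for the demonstration are constructed stand-ins that reuse the example file names above.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed manifest entry format (OVF 1.x): "SHA1(<file name>)= <hex digest>".
# Newer packages may use SHA256, so the algorithm is read from each line.
ENTRY = re.compile(
    r"^(?P<algo>SHA1|SHA256)\((?P<name>[^)]+)\)\s*=\s*(?P<digest>[0-9a-fA-F]+)$"
)


def parse_manifest(text):
    """Return a list of (algorithm, file name, expected digest) tuples."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        match = ENTRY.match(line)
        if match is None:
            raise ValueError(f"manifest line {lineno} is not a digest entry: {line!r}")
        entries.append((match["algo"].lower(), match["name"], match["digest"].lower()))
    return entries


def file_digest(path, algo, chunk=1 << 20):
    """Hash a file in chunks so that a multi-gigabyte .vmdk is not read into memory."""
    digest = hashlib.new(algo)
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_package(folder, manifest_name):
    """Map each package file to 'ok', 'mismatch', 'missing', 'outside-folder' or 'unlisted'."""
    folder = Path(folder).resolve()
    results = {}
    for algo, name, expected in parse_manifest((folder / manifest_name).read_text()):
        target = (folder / name).resolve()
        if target.parent != folder:
            # A manifest entry must not point outside the package folder.
            results[name] = "outside-folder"
        elif not target.is_file():
            results[name] = "missing"
        elif file_digest(target, algo) != expected:
            results[name] = "mismatch"
        else:
            results[name] = "ok"
    # A descriptor or disk that the manifest does not cover is unverified content.
    for item in folder.iterdir():
        if item.suffix in (".ovf", ".vmdk") and item.name not in results:
            results[item.name] = "unlisted"
    return results


def build_sample_package(folder):
    """Write constructed stand-in files plus a matching manifest; return the manifest name."""
    folder = Path(folder)
    files = {
        "NSVPX-ESX-9.39.29.1-39.8.ovf": b"<Envelope>constructed sample descriptor</Envelope>",
        "NSVPX-ESX-9.39.29.1-39.8-disk1.vmdk": b"constructed sample disk bytes",
    }
    lines = []
    for name, data in files.items():
        (folder / name).write_bytes(data)
        lines.append(f"SHA1({name})= {hashlib.sha1(data).hexdigest()}")
    (folder / "NSVPX-ESX-9.39.29.1-39.8.mf").write_text("\n".join(lines) + "\n")
    return "NSVPX-ESX-9.39.29.1-39.8.mf"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        manifest = build_sample_package(workdir)
        for name, status in sorted(verify_package(workdir, manifest).items()):
            print(f"{status:10} {name}")
```

Any status other than ok means the folder should not be deployed as it stands. A matching manifest only shows that the files agree with the manifest that was copied with them.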


Labeling the Physical Network Ports of VMware ESX

Before installing a NetScaler virtual appliance, label all of the interfaces that you plan to assign to virtual appliances, in a unique format. Citrix recommends the following format: NS_NIC_1_1, NS_NIC_1_2, and so on. In large deployments, labeling in a unique format helps in quickly identifying the interfaces that are allocated to the NetScaler virtual appliance among other interfaces used by other virtual machines, such as Windows and Linux. Such labeling is especially important when different types of virtual machines share the same interfaces.

To label the physical network ports of VMware ESX server

1. Log on to the VMware ESX server by using the vSphere client.

2. On the vSphere client, select the Configuration tab, and then click Networking.

3. At the top-right corner, click Add Networking.

4. In the Add Network Wizard, for Connection Type, select Virtual Machine, and then click Next.

5. Scroll through the list of vSwitch physical adapters, and choose the physical port that will map to interface 1/1 on the virtual appliances.

6. Enter NS_NIC_1_1 as the name of the vSwitch that will be associated with interface 1/1 of the virtual appliances.

7. Click Next to finish the vSwitch creation. Repeat the procedure, beginning with step 2, to add any additional interfaces to be used by your virtual appliances. Label the interfaces sequentially, in the correct format (for example, NS_NIC_1_2).


Installing NetScaler Virtual Appliances on VMware ESX 4.0 or Later and Verifying the Installation

After you have installed and configured VMware ESX 4.0, 5.0, or 5.1, you can use the VMware vSphere client to install virtual appliances on the VMware ESX. The number of virtual appliances that you can install depends on the amount of memory available on the hardware that is running VMware ESX.

To install NetScaler virtual appliances on VMware ESX 4.0 or later (5.0 or 5.1) by using VMware vSphere Client

1. Start the VMware vSphere client on your workstation.

2. In the IP address / Name text box, type the IP address of the VMware ESX server that you want to connect to.

3. In the User Name and Password text boxes, type the administrator credentials, and then click Login.

4. On the File menu, click Deploy OVF Template.

5. In the Deploy OVF Template dialog box, in Deploy from file, browse to the location at which you saved the NetScaler virtual appliance setup files, select the .ovf file, and click Next.

6. Map the networks shown in the virtual appliance OVF template to the networks that you configured on the ESX host. Click Next to start installing a virtual appliance on VMware ESX. When installation is complete, a pop-up window informs you of the successful installation.

7. You are now ready to start the NetScaler virtual appliance. In the navigation pane, select the NetScaler virtual appliance that you have just installed and, from the right-click menu, select Power On. Click the Console tab to emulate a console port.

8. If you want to install another virtual appliance, repeat steps 4 through 6.

Verifying NetScaler 1000V Installation on VMware ESX

After installing NetScaler 1000V, type the NetScaler IP address in a web browser and log on to the 1000V virtual appliance. In addition, from the vSphere console, verify that 1000V is powered on.

Installing the License and Verifying the Resources

You can use NetScaler 1000V without a license for 120 days, with throughput limited to 500 Mbps. The trial usage period begins with installation. If you have purchased a license, install it after verifying that NetScaler 1000V has been correctly installed. You can install the license by using the command line interface (CLI) or the configuration utility (GUI).


To install the license and verify the resources by using the command line interface

1. Shut down the NetScaler 1000V appliance. At the Nexus 1010/1110 console, type:

switch (config-vsb-config)# shut

2. Allocate resources for NetScaler 1000V on Nexus 1010/1110.

The following example allocates 4 vCPUs and 12288 MB of RAM.

switch (config-vsb-config)# numcpu 4
switch (config-vsb-config)# ramsize 12288

3. Restart the NetScaler 1000V appliance. At the Nexus 1010/1110 console, type:

switch (config-vsb-config)# no shut

4. Upload the license to the /nsconfig/license directory on NetScaler 1000V.

> shell
root@ns# cd /nsconfig/license
Copy the new license file to this directory.
>

5. Restart the virtual appliance.

> reboot
Are you sure you want to restart NetScaler (Y/N)? [N]:Y
Done
>

Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
Done
>

6. Verify that the resources are allocated according to the license installed. In the following example, three CPUs are allocated.

> stat cpu

CPU statistics
ID    Usage
 3        0
 2        0
 1        0
Done
>


To install the license and verify the resources by using the configuration utility

1. On the Configuration tab, navigate to System > Licenses.

2. In the details pane, click Manage Licenses.

3. Click Update Licenses.

4. Click Browse. Navigate to the location of the license files, select the license file, and then click Open.

5. Click Reboot to apply the license.

6. In the Reboot dialog box, click OK to proceed with the changes, or click Close to cancel the changes.

7. In a web browser, type the IP address of the NetScaler 1000V virtual appliance.

8. In User Name and Password, type the administrator credentials.

9. On the Dashboard tab, click the arrow next to System Overview and select CPU. Verify that the resources are allocated according to the license installed.


Installing NetScaler Virtual Appliances on VMware ESX 3.5

To install virtual appliances on ESX 3.5, you need to use the VMware OVF tool, version 1.0. The number of virtual appliances that you can install depends on the amount of memory available on the hardware that is running VMware ESX. After installation, you can use the VMware Infrastructure (VI) client 2.5 to manage the virtual appliances on VMware ESX version 3.5.

Note: You cannot use version 4.0 of the vSphere client for installing virtual appliances on ESX 3.5. If you connect the vSphere 4.0 client to ESX 3.5, the vSphere client downgrades to VI client version 2.5, which supports only the OVF 0.9 standard. The NetScaler virtual appliance installation package is based on the OVF 1.0.

To install NetScaler virtual appliances on VMware ESX 3.5 by using the VMware OVF Tool

1. On your workstation, open the command-line interface and execute the following command:

ovftool <path of the NetScaler VPX OVF file> vi://<Username>:<Password>@<IP address of the ESX server>

For example, in Windows command shell, type:

ovftool c:/NetScalerVPX vi://root:free@10.217.20.14

2. When the OVF tool has installed the virtual appliances on the ESX server, use the VI client to log on to the VMware ESX server on which you performed the installation.

3. In the navigation pane, right-click a virtual appliance that you want to enable, and then click Power On. Repeat this for each virtual appliance you want to enable.

4. Click the Console tab to emulate a console port.


Installing Citrix NetScaler Virtual Appliances on Microsoft Hyper-V Servers

Note: This functionality is available only in release 9.3.e.

Note:

• The NetScaler virtual appliance is supported on Microsoft Hyper-V Server 2008 R2 and Microsoft Hyper-V Server 2012.

• Intermediate System-to-Intermediate System (ISIS) protocol is not supported on the NetScaler VPX virtual appliance hosted on the HyperV-2012 platform.

To install Citrix NetScaler virtual appliances on Microsoft Windows Server, you must first install Windows Server, with the Hyper-V role enabled, on a machine with adequate system resources. While installing the Hyper-V role, be sure to specify the network interface cards (NICs) on the server that Hyper-V will use to create the virtual networks. You can reserve some NICs for the host. Use Hyper-V Manager to perform the NetScaler virtual appliance installation.

NetScaler virtual appliance for Hyper-V is delivered in virtual hard disk (VHD) format. It includes the default configuration for elements such as CPU, network interfaces, and hard-disk size and format. After you install NetScaler virtual appliance, you can configure the network adapters on virtual appliance, add virtual NICs, and then assign the NetScaler IP address, subnet mask, and gateway, and complete the basic configuration of the virtual appliance.

Note:

After the initial configuration of the NetScaler appliance, if you want to upgrade the appliance to the latest software release, see "Upgrading or Downgrading the System Software."


Prerequisites for Installing NetScaler Virtual Appliance on Microsoft Servers

Before you begin installing a virtual appliance, do the following:

• Enable the Hyper-V role on Windows Servers. For more information, see http://technet.microsoft.com/en-us/library/ee344837(WS.10).aspx.

• Download the virtual appliance setup files.

• Obtain NetScaler virtual appliance license files. For more information about NetScaler virtual appliance licenses, see the NetScaler VPX Licensing Guide at http://support.citrix.com/article/ctx131110.

Microsoft Server Hardware Requirements

The following table describes the minimum system requirements for Microsoft Servers.

Table 1. Minimum System Requirements for Microsoft Servers

Component Requirement

CPU 1.4 GHz 64-bit processor

RAM 3 GB

Disk Space 32 GB or greater

The following table lists the virtual computing resources for each NetScaler virtual appliance.

Table 2. Minimum Virtual Computing Resources Required for Running NetScaler Virtual Appliance

Component Requirement

RAM 2 GB

Virtual CPU 2

Disk Space 20 GB

Virtual Network Interfaces 1


Downloading the NetScaler Virtual Appliance Setup Files

NetScaler virtual appliance for Hyper-V is delivered in virtual hard disk (VHD) format. You can download the files from MyCitrix.com. You will need a My Citrix account to log on. If you do not have a My Citrix account, access the home page at http://www.mycitrix.com, click the New Users link, and follow the instructions to create a new My Citrix account.

To download the NetScaler virtual appliance setup files

1. In a Web browser, go to http://www.citrix.com/ and click My Citrix.

2. Type your user name and password.

3. Click Downloads.

4. In Search Downloads by Product, select NetScaler.

5. Under Virtual Appliances, click NetScaler VPX.

6. Copy the compressed file to your server.


Installing NetScaler Virtual Appliance on Microsoft Servers

After you have enabled the Hyper-V role on Microsoft Server and extracted the virtual appliance files, you can use Hyper-V Manager to install NetScaler virtual appliance. After you import the virtual machine, you need to configure the virtual NICs by associating them to the virtual networks created by Hyper-V.

You can configure a maximum of eight virtual NICs. Even if the physical NIC is DOWN, the virtual appliance assumes that the virtual NIC is UP, because it can still communicate with the other virtual appliances on the same host (server).

Note: You cannot change any settings while the virtual appliance is running. Shut down the virtual appliance and then make changes.

To install NetScaler Virtual Appliance on Microsoft Server by using Hyper-V Manager

1. To start Hyper-V Manager, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In the navigation pane, under Hyper-V Manager, select the server on which you want to install NetScaler virtual appliance.

3. On the Action menu, click Import Virtual Machine.

4. In the Import Virtual Machine dialog box, in Location, specify the path of the folder that contains the NetScaler virtual appliance software files, and then select Copy the virtual machine (create a new unique ID). This folder is the parent folder that contains the Snapshots, Virtual Hard Disks, and Virtual Machines folders.

Note: If you received a compressed file, make sure that you extract the files into a folder before you specify the path to the folder.

5. Click Import.

6. Verify that the virtual appliance that you imported is listed under Virtual Machines.

7. To install another virtual appliance, repeat steps 2 through 6.

Important: Make sure that you extract the files to a different folder in step 4.


To configure virtual NICs on the NetScaler Virtual Appliance

1. Select the virtual appliance that you imported, and then on the Action menu, select Settings.

2. In the Settings for <virtual appliance name> dialog box, click Add Hardware in the left pane.

3. In the right pane, from the list of devices, select Network Adapter.

4. Click Add.

5. Verify that Network Adapter (not connected) appears in the left pane.

6. Select the network adapter in the left pane.

7. In the right pane, from the Network drop-down list, select the virtual network to connect the adapter to.

8. To select the virtual network for additional network adapters that you want to use, repeat steps 6 and 7.

9. Click Apply, and then click OK.

To configure NetScaler Virtual Appliance

1. Right-click the virtual appliance that you previously installed, and then select Start.

2. Access the console by double-clicking the virtual appliance.

3. Type the NetScaler IP address, subnet mask, and gateway for your virtual appliance.

You have completed the basic configuration of your virtual appliance. Type the IP address in a Web browser to access the virtual appliance.


Configuration Steps

To set up a CloudBridge Connector tunnel between a NetScaler appliance that resides in a datacenter and a NetScaler virtual appliance (VPX) that resides on the AWS cloud, use the configuration utility of the NetScaler appliance.

When you use the configuration utility, the CloudBridge Connector tunnel configuration created on the NetScaler appliance is automatically pushed to the other endpoint or peer (the NetScaler VPX on AWS) of the CloudBridge Connector tunnel. Therefore, you do not have to access the configuration utility (GUI) of the NetScaler VPX on AWS to create the corresponding CloudBridge Connector tunnel configuration on it.

The CloudBridge Connector tunnel configuration on both peers (the NetScaler appliance that resides in the datacenter and the NetScaler virtual appliance (VPX) that resides on the AWS cloud) consists of the following entities:

• IPSec profile. An IPSec profile entity specifies the IPSec protocol parameters, such as IKE version, encryption algorithm, hash algorithm, and PSK, to be used by the IPSec protocol in both the peers of the CloudBridge Connector tunnel.

• GRE tunnel. An IP tunnel specifies a local IP address (a public SNIP address configured on the local peer), remote IP address (a public SNIP address configured on the remote peer), protocol (GRE) used to set up the CloudBridge Connector tunnel, and an IPSec profile entity.

• Netbridge. A logical container that holds or represents the CloudBridge Connector tunnel configuration on each of the peers. A GRE tunnel entity is associated with the netbridge. A particular CloudBridge Connector tunnel configuration on a peer is identified by the name of the netbridge entity.

To configure a CloudBridge Connector tunnel in a NetScaler appliance by using the configuration utility

1. Type the NSIP address of a NetScaler appliance in the address line of a web browser.

2. Log on to the configuration utility of the NetScaler appliance by using your account credentials for the appliance.

3. Navigate to System > CloudBridge Connector.

4. In the right pane, under Getting Started, click Create/Monitor CloudBridge.

5. Click Get Started.

Note: If you already have any CloudBridge Connector tunnel configured on the NetScaler appliance, this screen does not appear, and you are taken to the CloudBridge Connector Setup pane.

6. In the CloudBridge Connector Setup pane, click amazon web services.

7. In the Amazon pane, provide your AWS account credentials: AWS Access Key ID and AWS Secret Access Key. You can obtain these access keys from the AWS GUI console. Click Continue.

8. In the NetScaler pane, select the NSIP address of the NetScaler virtual appliance running on AWS. Then, provide your account credentials for the NetScaler virtual appliance. Click Continue.

9. In the CloudBridge Connector Setting pane, set the following parameter:

• CloudBridge Connector Name—Name for the CloudBridge Connector configuration on the local appliance. Must begin with an ASCII alphabetic or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the CloudBridge Connector configuration is created.

10. Under Local Setting, set the following parameter:

• Subnet IP—IP address of the local endpoint of the CloudBridge Connector tunnel. Must be a public IP address of type SNIP.

11. Under Remote Setting, set the following parameter:

• Subnet IP—IP address of the CloudBridge Connector tunnel end point on the AWS side. Must be an IP address of type SNIP on the NetScaler VPX instance on AWS.

• NAT—Public IP address (EIP) in AWS that is mapped to the SNIP configured on the NetScaler VPX instance on AWS.

12. (Optional) Under Security Settings, set the following IPSec protocol parameters to be used by the IPSec protocol in the CloudBridge Connector tunnel:

• Encryption Algorithm—Encryption algorithm to be used by the IPSec protocol in the CloudBridge tunnel.

• Hash Algorithm—Hash algorithm to be used by the IPSec protocol in the CloudBridge tunnel.


• Key—Select one of the following IPSec authentication methods to be used by the two peers to mutually authenticate.

  • Auto Generate Key—Authentication based on a text string, called a pre-shared key (PSK), generated automatically by the local appliance. The PSKs of the peers are matched against each other for authentication.

  • Specific Key—Authentication based on a manually entered PSK. The PSKs of the peers are matched against each other for authentication.

    • Pre Shared Security Key—The text string entered for pre-shared key based authentication.

  • Upload Certificates—Authentication based on digital certificates.

    • Public Key—A local digital certificate to be used to authenticate the local peer to the remote peer before establishing IPSec security associations. The same certificate should be present and set for the Peer Public Key parameter in the peer.

    • Private Key—Private key of the local digital certificate.

    • Peer Public Key—Digital certificate of the peer. Used to authenticate the peer to the local end point before establishing IPSec security associations. The same certificate should be present and set for the Public key parameter in the peer.

13. Click Done.

The new CloudBridge Connector tunnel configuration on the NetScaler appliance in the datacenter appears on the Home tab of the configuration utility.

The corresponding new CloudBridge Connector tunnel configuration on the NetScaler VPX appliance in the AWS cloud appears on the configuration utility.

The current status of the CloudBridge connector tunnel is indicated in the Configured CloudBridge pane. A green dot indicates that the tunnel is up. A red dot indicates that the tunnel is down.


Configuring CloudBridge Connector Tunnel between Datacenter and SoftLayer Enterprise Cloud

The configuration utility includes a wizard that helps you to easily configure a CloudBridge Connector tunnel between a NetScaler appliance in a datacenter and NetScaler VPX instances on the SoftLayer enterprise cloud.

When you use the wizard of the NetScaler appliance in the datacenter, the CloudBridge Connector tunnel configuration created on the NetScaler appliance is automatically pushed to the other endpoint or peer (the NetScaler VPX on SoftLayer) of the CloudBridge Connector tunnel.

Using the wizard of the NetScaler appliance in the datacenter, you perform the following steps to configure a CloudBridge Connector tunnel.

1. Connect to the Softlayer enterprise cloud by providing the user log on credentials.

2. Select the Citrix XenServer that is running the NetScaler VPX appliance.

3. Select the NetScaler VPX appliance.

4. Provide CloudBridge Connector tunnel parameters to:

• Configure a GRE Tunnel.

• Configure IPsec on the GRE tunnel.

• Create a netbridge, which is a logical representation of the CloudBridge connector, by specifying a name.

• Bind the GRE Tunnel to the netbridge.


To configure a CloudBridge Connector tunnel by using the configuration utility

1. Log on to the configuration utility of the NetScaler appliance in the datacenter by using your account credentials for the appliance.

2. Navigate to System > CloudBridge Connector.

3. In the right pane, under Getting Started, click Create/Monitor CloudBridge Connector.

4. Click Get Started.

Note: If you already have any CloudBridge Connector tunnel configured on the NetScaler appliance, this screen does not appear, and you are taken to the CloudBridge Connector Setup pane.

5. In the CloudBridge Connector Setup pane, click Softlayer, and then follow the instructions in the wizard.


Customizing the Ethernet ports

A typical appliance has four Ethernet ports: two accelerated bridged ports, called accelerated pair A (apA.1 and apA.2), with a bypass (fail-to-wire) relay, and two unaccelerated motherboard ports, called Primary and Aux1. The bridged ports provide acceleration, while the motherboard ports are sometimes used for secondary purposes. Most installations use only the bridged ports.

Some CloudBridge units have only the motherboard ports. In this case, the two motherboard ports are bridged.

The appliance’s user interface can be accessed by a VLAN or non-VLAN network. You can assign a VLAN to any of the appliance’s bridged ports or motherboard ports for management purposes.

Figure 1. Ethernet Ports

Port List

The ports are named as follows:

Table 1. Ethernet Port Names

Motherboard port 1 Primary (or apA.1 if no bypass card is present)

Motherboard port 2 Auxiliary1 or Aux1 (or apA.2 if no bypass card is present)

Bridge #1 Accelerated Pair A (apA, with ports apA.1 and apA.2)

Bridge #2 Accelerated Pair B (apB, with ports apB.1 and apB.2)


Port Parameters

Each bridge and motherboard port can be:

• Enabled or disabled

• Assigned an IP address and subnet mask

• Assigned a default gateway

• Assigned to a VLAN

• Set to 1000 Mbps, 100 Mbps, or 10 Mbps

• Set to full duplex, half-duplex, or auto (on CloudBridge 4000/5000 appliances, some ports can be set to 10 Gbps)

All of these parameters except the speed/duplex setting are set on the Configuration: IP Address page. The speed/duplex settings are set on the Configuration: Interface page.

Notes about parameters:

• Disabled ports do not respond to any traffic.

• The browser-based UI can be enabled or disabled independently on all ports.

• To secure the UI on ports with IP addresses, select HTTPS instead of HTTP on the Configuration: Administrator Interface: Web Access page.

• Inline mode works even if a bridge has no IP address. All other modes require that an IP address be assigned to the port.

• Traffic is not routed between interfaces. For example, a connection on bridge apA does not cross over to the Primary or Aux1 ports, but remains on bridge apA. All routing issues are left to your routers.


Accelerated Bridges (apA and apB)

Every appliance has at least one pair of Ethernet ports that function as an accelerated bridge, called apA (for accelerated pair A). A bridge can act in inline mode, functioning as a transparent bridge, as if it were an Ethernet switch. Packets flow in one port and out the other. Bridges can also act in one arm mode, in which packets flow in one port and back out the same port.

An appliance that has a bypass card maintains network continuity if a bridge or appliance malfunctions.

Some units have more than one accelerated pair, and these additional accelerated pairs are named apB, apC, and so on.

Bypass Card

If the appliance loses power or fails in some other way, an internal relay closes and the two bridged ports are electrically connected. This connection maintains network continuity but makes the bridge ports inaccessible. Therefore you might want to use one of the motherboard ports for management access.

Caution: Do not enable the Primary port if it is not connected to your network. Otherwise, you cannot access the appliance, as explained in Ethernet Bypass and Link-Down Propagation.

Bypass cards are standard on some models and optional on others. Citrix recommends that you purchase appliances with bypass cards for all inline deployments.

The bypass feature is wired as if a cross-over cable connected the two ports, which is the correct behavior in properly wired installations.

Important: Bypass installations must be tested - Improper cabling might work in normal operation but not in bypass mode. The Ethernet ports are tolerant of improper cabling and often silently adjust to it. Bypass mode is hard-wired and has no such adaptability. Test inline installations with the appliance turned off to verify that the cabling is correct for bypass mode.

Using Multiple Bridges

If the appliance is equipped with two accelerated bridges, they can be used to accelerate two different links. These links can either be fully independent or they can be redundant links connecting to the same site. Redundant links can be either load-balanced or used as a main link and a failover link.

Figure 1. Using dual bridges

When it is time for the appliance to send a packet for a given connection, the packet is sent over the same bridge from which the appliance received the most recent input packet for that connection. Thus, the appliance honors whatever link decisions are made by the router, and automatically tracks the prevailing load-balancing or main-link/failover-link algorithm in real time. For non-load-balanced links, the latter algorithm also ensures that packets always use the correct bridge.

WCCP and Virtual Inline Modes

Multiple bridges are supported in both WCCP mode and virtual inline mode. Usage is the same as in the single-bridge case, except that WCCP has the additional limitation that all traffic for a given WCCP service group must arrive on the same bridge.

High Availability with Multiple Bridges

Two units with multiple bridges can be used in a high-availability pair. Simply match up the bridges so that all links pass through both appliances.


Motherboard Ports

Although the Ethernet ports on a bypass card are inaccessible when the bypass relay is closed, the motherboard ports remain active. You can sometimes access a failed appliance through the motherboard ports if the bridged ports are inaccessible.

The Primary Port

If the Primary port is enabled and has an IP address assigned to it, the appliance uses that IP address to identify itself to other acceleration units. This address is used internally for a variety of purposes, and is most visible to users as the Partner Unit field on the Monitoring: Optimization: Connections page. If no motherboard port is enabled, the appliance uses the IP address of Accelerated Pair A.

The Primary port is used for:

• Administration through the web based UI

• A back channel for group mode

• A back channel for high-availability mode

The Aux1 Port

The Aux1 port is identical to the Primary port. If the Aux1 port is enabled and the Primary port is not, the appliance takes its identity from the Aux1 port's IP address. If both are enabled, the Primary port's IP address is the unit's identity.


VLAN Support

A virtual local area network (VLAN) uses part of the Ethernet header to indicate which virtual network a given Ethernet frame belongs to. CloudBridge appliances support VLAN trunking in all forwarding modes (inline, WCCP, virtual inline, and group mode). Traffic with any combination of VLAN tags is handled and accelerated correctly.

For example, if one traffic stream passing through the accelerated bridge is addressed to 10.0.0.1, VLAN 100, and another is addressed to 10.0.0.1, VLAN 111, the appliance knows that these are two distinct destinations, even though the two VLANs have the same IP address.

You can assign a VLAN to all, some, or none of the appliance's Ethernet ports. If a VLAN is assigned to a port, the management interfaces (GUI and CLI) listen only to traffic on that VLAN. If no VLAN is assigned, the management interfaces listen only to traffic without a VLAN. This selection is made on the Configuration: Appliance Settings: Network Adapters: IP Addresses tab.
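The VLAN behavior described above can be shown at the frame level. The following is an added example, not CloudBridge code: it parses the IEEE 802.1Q tag from constructed Ethernet frames, keys destinations on the (VLAN ID, IP address) pair, and models the management-interface rule as a simple comparison. The function names, MAC addresses and source address are assumptions made for the illustration.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_ip, vlan_id=None, src_ip="192.0.2.10"):
    """Build a constructed Ethernet + IPv4 header pair, optionally 802.1Q tagged."""
    frame = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")  # dst, src MAC
    if vlan_id is not None:
        tci = vlan_id & 0x0FFF  # priority 0, DEI 0, 12-bit VLAN ID
        frame += struct.pack("!HH", TPID_8021Q, tci)
    frame += struct.pack("!H", ETHERTYPE_IPV4)
    # Minimal 20-byte IPv4 header: version/IHL, TOS, length, id, flags, TTL, proto, checksum
    frame += struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    return frame


def parse_frame(frame):
    """Return (vlan_id or None, destination IPv4 address) for an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, vlan_id = 14, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id = tci & 0x0FFF  # drop the priority and DEI bits
        offset = 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    if len(frame) < offset + 20:
        raise ValueError("truncated IPv4 header")
    dst = ipaddress.IPv4Address(frame[offset + 16:offset + 20])
    return vlan_id, str(dst)


def distinct_destinations(frames):
    """Destinations keyed on (VLAN ID, IP): the same IP on two VLANs counts twice."""
    return {parse_frame(frame) for frame in frames}


def management_accepts(frame, port_vlan):
    """Model of the rule above: a port with a VLAN assigned hears only that VLAN,
    and a port with no VLAN assigned (None) hears only untagged traffic."""
    vlan_id, _ = parse_frame(frame)
    return vlan_id == port_vlan


if __name__ == "__main__":
    frames = [
        build_frame("10.0.0.1", vlan_id=100),
        build_frame("10.0.0.1", vlan_id=111),
        build_frame("10.0.0.1"),
    ]
    for vlan, ip in sorted(distinct_destinations(frames), key=str):
        print(f"destination {ip} on VLAN {vlan}")
    for frame in frames:
        print(parse_frame(frame), "accepted by management on VLAN 100:",
              management_accepts(frame, 100))
```

The last loop shows why the management VLAN must match the network the administrator connects from: a port assigned to VLAN 100 ignores both the VLAN 111 frame and the untagged frame.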


HTTP Acceleration

The CloudBridge accelerator uses a variety of zero-config optimizations to speed up HTTP traffic. This in turn accelerates Web pages and any other applications using the HTTP protocol (file downloads, video streaming, automatic updates, and so on).

Optimizations that accelerate HTTP include compression, traffic shaping, flow control, and caching.

Compression

HTTP is an ideal application for CloudBridge multi-level compression.

Static content, including standard HTML pages, images, video, and binary files, receives variable amounts of first-pass compression, typically 1:1 on pre-compressed binary content, and 2:1 or more on text-based content. Starting with the second time the object is seen, the two largest compression engines (memory-based compression and disk-based compression) deliver extremely high compression ratios, with larger objects receiving compression ratios of 1,000:1 or more. With such high compression ratios, the WAN link stops being the limiting factor, and the server, the client, or the LAN becomes the bottleneck.

The appliance switches between compressors dynamically to give maximum performance. For example, the appliance uses a smaller compressor on the HTTP header and a larger one on the HTTP body.

Dynamic content, including HTTP headers and dynamically generated pages – pages that are never the same twice but have similarities to each other – is compressed by the three compression engines that deal with smaller matches. The first time a page is seen, compression is good. When a variant on a previous page is seen, compression is better.

Traffic Shaping

HTTP consists of a mix of interactive and bulk traffic. Every user’s traffic is a mix of both, and sometimes the same connection contains a mix of both. The traffic shaper seamlessly and dynamically ensures that each HTTP connection gets its fair share of the link bandwidth, preventing bulk transfers from monopolizing the link at the expense of interactive users, while also ensuring that bulk transfers get any bandwidth that interactive connections do not use.

Flow Control

Advanced retransmission algorithms and other TCP-level optimizations retain responsiveness and maintain transfer rates in the face of latency and loss.


Video Caching

HTTP caching for video files was introduced in release 7.0. Caching involves saving HTTP objects to local storage and serving them to local clients without reloading them from the server.

What is the difference between caching and compression? While caching provides speedup that is similar to compression, the two methods are different, making them complementary.

• Compression speeds up transfers from the remote server, and this higher data rate can place a higher load on the server than if compression were not present. Caching prevents transfers from the server, and reduces the load on the server.

• Compression works on any data stream that is similar to a previous transfer – if you change the name of a file on the remote server and transfer it again, compression will work perfectly. Caching works only when the object being requested by the client and the object on the disk are known to be identical – if you change the name of a file on the remote server and transfer it again, the cached copy is not used.

• Compressed data cannot be delivered faster than the server can send it. Cached data is dependent only on the speed of the client-side appliance.

• Compression is CPU-intensive; caching is not.


Link Definitions

Link definitions enable the appliance to prevent congestion and loss on your WAN links and to perform traffic shaping. A link definition specifies which traffic is associated with the defined link, the maximum bandwidth to allow for traffic received on the link, and the maximum bandwidth for traffic sent over the link. The definition also identifies traffic as inbound or outbound and as WAN-side or LAN-side traffic. All traffic flowing through the appliance is compared to your list of link definitions, and the first matching definition identifies the link to which the traffic belongs.

By performing the Quick Installation procedure, you customize the appliance's default link definitions. You have then defined the appliance's link to the WAN and its link to the LAN. For a simple inline deployment, no further configuration of link definitions is necessary. Other types of deployments require additional configuration of link definitions.

Every link has two bandwidth limits, representing the sending speed and the receiving speed. Only when the link speed is known can the appliance inject traffic into the link at exactly the right speed, thus eliminating the congestion and packet loss that result from attempting to send too much, or the loss of performance that results from sending too little. When placed between a fast LAN and a slower WAN and acting as a virtual gateway, the appliance has the ability to receive traffic faster than the WAN can accept it, creating a backlog of traffic. The existence of this backlog enables the appliance to choose which packet to send next, and this choice in turn makes traffic shaping possible. Unless there are packets from multiple streams to choose from, there is no ability to favor one stream over the other. Traffic shaping is therefore dependent on the existence of the virtual gateway and correctly set bandwidth limits.

Note: Link definitions normally apply to connections to the accelerated pair of bridge ports. The two motherboard ports, Primary and Aux1, can also be defined as links, but doing so rarely serves any purpose, because they are used for management and as a back-channel for high-availability and group modes, not for WAN traffic.

Important: For link-definition purposes, a link is a physical link, with its own bandwidth capacity. It is typically a cable that leaves the building. Remember the following points:

• A VLAN is not a link.

• A virtual link is not a link.

• A tunnel is not a link.


The Default Link Definitions

The Configuration: Links page shows the currently defined links, either as a listing (collapsed) or in summary form (expanded). The following links are defined by default. However, they require additional configuration (which you have already done if you performed the Quick Installation procedure).

1. apA.1, one of the two ports on the accelerated bridge.

2. apA.2, the other port on the accelerated bridge.

3. If the system has dual accelerated bridges, apB.1 and apB.2 also exist.

4. All Other Traffic, which is not a true link, but is a catch-all for traffic that does not match any actual link definitions.

You can configure the accelerated bridges on the Quick Installation page or on the Configuration: Links page.

Figure 1. Link definition tab, collapsed (top) and expanded (bottom)


How the Traffic Shaper Uses Link Definitions

To manage a link, the traffic shaper needs the following information:

• The speed of the link in both the send and receive directions.

• Whether the link is a WAN link or a LAN network.

• A way of distinguishing link traffic from other traffic.

• The direction in which traffic is flowing over the link.

Link Speed— Link speed always refers to the speed of the physical link. In the case of a WAN link, it is the speed of the WAN segment that terminates in the building with the CloudBridge appliance. The speed of the other end of the link is not considered. For example, the following figure shows a network of four appliances. Each appliance has its incoming and outgoing bandwidths set to 95% of the speed of its own, local WAN segment, without regard to the speed of the remote endpoints.

Figure 1. Local bandwidth limits track local link speeds

The reason for setting the bandwidth limits to 95% of the link speed instead of 100% is to allow for link overhead (few links can carry data at 100% of their published speeds) and to ensure that the appliance is slightly slower than the link, so that it becomes a slight bottleneck. Traffic shaping is not effective unless the traffic shaper is the bottleneck in the connection.

Distinguishing Different Types of Traffic—In each link definition, you must declare whether the definition applies to a WAN link or a LAN network.

The traffic shaper needs to know whether a packet is traveling on the WAN, and, if so, in which direction. To provide this information:

• For simple inline deployments, you declare that one port of the accelerated bridge belongs to the WAN link and that the other port belongs to the LAN.

• In other deployment modes, the appliance examines IP addresses, MAC addresses, VLANs, or WCCP service groups. (Note that testing for WCCP service groups is not yet supported.)


• If a site has multiple WANs, the local link definitions must include rules that enable the appliance to distinguish traffic from different WANs.


Configuring Link Definitions

Link definitions are arranged in an ordered list, one entry per link, which is tested from top to bottom for every packet entering or leaving the appliance. The first matching definition determines which link the packet belongs to. Within each link definition is an ordered list of rules, which is also tested from top to bottom. Each packet is compared to these rules, and if it matches one of them, the packet is considered to be traveling over that link.

Within a single rule, the fields are all ANDed together, so all specified values have to match. All fields default to Any, a wildcard entry that always matches. When a field consists of a list, such as a list of IP subnets, the list entries are ORed together. That is, if any element matches, the list as a whole is considered to be a match.

Citrix recommends port-based link definitions for simple inline deployments, and IP-based link definitions for all other deployments.

Figure 1. Link definition rules

To configure link definitions, set parameters on the Create/Edit Link page, which you access from the Configuration: Links: Link Definition tab.
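The matching order described in this section (first matching definition wins, fields ANDed within a rule, list entries ORed) is modeled below as an added Python example; it is not CloudBridge code, and it also flags rules that an earlier definition makes unreachable. The field names, link names, and addresses are constructed, and the direction-dependent Src IP/Dst IP convention described under Non-Inline Links is not modeled: the caller supplies the one address to test.

```python
"""Model of ordered link-definition matching, with a shadowing check.

Added illustration, not CloudBridge code. Field names, link names and
addresses are assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple

ANY = None  # a field left at "Any" is a wildcard that always matches


@dataclass(frozen=True)
class Rule:
    adapter: Optional[str] = ANY            # e.g. "apA.1"
    subnets: Optional[Sequence[str]] = ANY  # list field: entries are ORed
    vlan: Optional[int] = ANY

    def matches(self, pkt: dict) -> bool:
        """All specified fields are ANDed; every one of them must match."""
        if self.adapter is not ANY and pkt["adapter"] != self.adapter:
            return False
        if self.vlan is not ANY and pkt.get("vlan") != self.vlan:
            return False
        if self.subnets is not ANY:
            addr = ip_address(pkt["ip"])
            if not any(addr in ip_network(s) for s in self.subnets):
                return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches this rule."""
        if self.adapter is not ANY and self.adapter != other.adapter:
            return False
        if self.vlan is not ANY and self.vlan != other.vlan:
            return False
        if self.subnets is not ANY:
            if other.subnets is ANY:
                return False
            mine = [ip_network(s) for s in self.subnets]
            for s in other.subnets:
                net = ip_network(s)
                if not any(net.version == m.version and net.subnet_of(m)
                           for m in mine):
                    return False
        return True


@dataclass
class LinkDefinition:
    name: str
    link_type: str      # "WAN" or "LAN"
    rules: List[Rule]


def classify(definitions: List[LinkDefinition], pkt: dict) -> str:
    """Test definitions top to bottom; the first one with a matching rule wins."""
    for definition in definitions:
        if any(rule.matches(pkt) for rule in definition.rules):
            return definition.name
    return "All Other Traffic"  # the catch-all entry


def shadowed_rules(definitions: List[LinkDefinition]) -> List[Tuple[str, int]]:
    """Find rules that can never decide a packet's link because a single rule
    in an earlier definition already covers everything they match."""
    findings, earlier = [], []
    for definition in definitions:
        for index, rule in enumerate(definition.rules):
            if any(prev.covers(rule) for prev in earlier):
                findings.append((definition.name, index))
        earlier.extend(definition.rules)
    return findings


# Constructed sample: two WANs share adapter apA.1 and are told apart by subnet.
MISORDERED = [
    LinkDefinition("WAN to HQ", "WAN",
                   [Rule(adapter="apA.1", subnets=["10.0.0.0/8"])]),
    LinkDefinition("WAN to branch", "WAN",
                   [Rule(adapter="apA.1",
                         subnets=["10.20.0.0/16", "10.21.0.0/16"])]),
    LinkDefinition("Local LAN (apA.2)", "LAN", [Rule(adapter="apA.2")]),
]
# Narrower definition moved above the broader one.
REORDERED = [MISORDERED[1], MISORDERED[0], MISORDERED[2]]

if __name__ == "__main__":
    pkt = {"adapter": "apA.1", "ip": "10.20.5.9"}
    print(classify(MISORDERED, pkt), shadowed_rules(MISORDERED))
    print(classify(REORDERED, pkt), shadowed_rules(REORDERED))
```

The shadowing check is conservative: it reports a rule only when one earlier rule covers it entirely, so a rule hidden by a combination of earlier rules is not flagged.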


Inline Links

Most CloudBridge appliances use a simple inline deployment, where each accelerated bridge serves just one WAN link. This is the simplest mode to configure.

Example: Simple Inline Link

Figure 1. Simple inline link example

In Figure 1, all traffic passing through the accelerated bridge is assumed to be WAN traffic. The link is an ADSL link with different send and receive speeds (6.0 mbps down, 1.0 mbps up). The WAN is connected to accelerated bridge port apA.1, and the LAN is connected to accelerated bridge port apA.2.

This link is easy to configure on the Edit Links page, shown in the following figure.

Figure 2. WAN definition (top) and LAN definition (bottom)


The tasks for defining the WAN-side link (apA.1) are:

1. Give the WAN a descriptive name, such as “WAN to HQ (apA.1).”

2. Set the type to “WAN.”

3. Set the incoming and outgoing bandwidth limits to 95% of the nominal link speed.

4. Verify that a rule has been defined that specifies the WAN Ethernet adapter, which in this example is apA.1.

5. Click Save.

The tasks for the LAN-side link (apA.2) are similar:

1. Give it a descriptive name, such as “Local LAN (apA.2).”

2. Set the type to “LAN.”

3. Set the incoming and outgoing bandwidth limits to 95% of the nominal Ethernet speed (95 mbps or 950 mbps).

4. Verify that a rule exists that specifies the LAN Ethernet adapter, which in this example is apA.2.

5. Click Save.

Example: Inline Deployment with Dual Bridges


Figure 3. Inline, dual-bridge link example

The configuration shown in Figure 3 is similar to the one shown in Figure 1-3, but the site has a second link, a T1 link to the corporate WAN, in addition to the ADSL Internet link. The CloudBridge has two accelerated bridges, one for each WAN link.

Configuration is almost as simple as the single-bridge case, with the following additional steps:

1. Edit a second WAN link on apB, which in this case is apB.1. Set the type to “WAN.” Set the link bandwidth to 95% of the 1.5 mbps T1 speed, and give the link a new name, such as “WAN to HQ.”

2. Add a rule specifying apB.2 to the “LAN” definition and delete the default link definition for apB.2. (Alternatively, you can edit the default link definition for apB.2 to specify it as a LAN link, as was done for apA.2.)


Non-Inline Links

For other than simple inline deployments (which serve only one WAN per accelerated bridge), use IP subnets instead of bridge ports to distinguish LAN traffic from WAN traffic. This approach is essential for one-arm deployments, which use only a single bridge port. IP subnets are sometimes useful for inline deployments as well, especially when the appliance serves more than one WAN. For simple inline deployments, however, port-based links are easier to define.

The traffic classifier applies a specialized convention when examining the Src IP and Dst IP:

• The Src IP field is examined only in packets entering the appliance.

• The Dst IP field is examined only in packets exiting the appliance.

This convention can sometimes be confusing, but it allows the direction of packet travel to be implicitly considered as part of the definition.

Example: Using IP Addresses in Link Definitions

Figure 1. Simple inline LAN definition using IP-based rules

For the configuration shown in the above figure, you can define the LAN and WAN links without specifying the Ethernet ports at all, using the LAN subnet instead:

• Create a rule for the LAN link definition and specify the LAN subnet in the Src IP field.

• Create a rule for the WAN link definition and specify the LAN subnet (not the WAN subnet) in the Dst IP field.


Example: WCCP and Virtual Inline Modes

Figure 2. WCCP or virtual inline deployment using IP-based rules

Configuration of the WCCP link in the above figure, using IP addresses, is the same as in Example 1, because the LAN and WAN IP subnets are identical.

When WCCP-GRE is used, the GRE headers are ignored and the IP headers within the encapsulated data packets are used. Therefore, this same link definition works for WCCP-L2, WCCP-GRE, inline, and virtual inline modes.

(WCCP and virtual inline modes require configuration of your router. WCCP also requires configuration on the Configuration: Advanced Deployments page.)


Secure Traffic Acceleration

The CloudBridge appliance supports secure traffic acceleration for various applications.


Secure Peering

Several advanced functions require that the CloudBridge appliances at the two ends of the link establish a secure peer relationship with each other, setting up an SSL signaling tunnel (also called a signaling connection). These features are SSL compression, signed CIFS support, and encrypted MAPI support.

When secure peering is enabled, compression is automatically disabled for all partner appliances (and computers running the CloudBridge Plug-in) that have not established a secure peer relationship with the local appliance.

To establish a secure peer relationship, you have to generate security keys and certificates, and configure a secure signaling tunnel between the appliances. Before configuring the tunnel, order a crypto license from Citrix.


How Secure Peering Works

When the appliance at one end of a connection detects that the other appliance has secure peering enabled, it attempts to open an SSL signaling tunnel. If the two appliances successfully authenticate each other over this tunnel, they have a secure peering relationship. All accelerated connections between the two appliances are encrypted, and compression is enabled.

When an appliance has secure peering enabled, connections with a partner for which it does not have a secure peer relationship are not encrypted or compressed, though TCP flow-control acceleration is still available. Compression is disabled to ensure that data stored in compression history from secured partners cannot be shared with unsecured partners.

Note: Because an appliance with secure peering enabled does not compress connections to unsecured partners, using the same appliance successfully with a mix of secured and unsecured partners is difficult. Keep this point in mind when designing your accelerated network.

A keystore password is required to access the security parameters. This keystore password is different from the administrator's password, to allow security administration to be separated from other tasks. If the keystore password is reset, all existing encrypted data and private keys are lost.

To protect data even if the appliance is stolen, the keystore password must be reentered every time the appliance is restarted. Until this is done, secure peering and compression are disabled.


Generating Security Keys and Certificates

CloudBridge products are shipped without the required keys and certificates for the SSL signaling tunnel. You must generate them yourself. You can generate keys and certificates through your normal process for generating credentials, or with the "openssl" package from http://www.openssl.org.

For testing purposes, you can generate and use a self-signed X509 certificate based on a private key (which you also generate). In production, use certificates that refer to a trusted certifying authority. The following example calls openssl from the command line on a PC to generate a private key (my.key) and self-signed certificate (my.crt):

    # Generate a 2048-bit private key
    openssl genrsa -out my.key 2048
    # Now create a Certificate Signing Request
    openssl req -new -key my.key -out my.csr
    # Finally, create a self-signed certificate with a 365-day expiration
    openssl x509 -req -days 365 -in my.csr -signkey my.key -out my.crt

For production use, consult your organization's security policies.


Configuring the Secure Signaling Tunnel

The following procedure uses the Configuration: SSL Encryption, Configuration: Secure Partners, and Configuration: SSL Encryption pages. Perform the procedure on both the local and remote appliances.

Note: The Configuration: SSL Acceleration page has an unusual structure. It is divided into five tabs, but it has buttons instead of tab icons.

To configure a secure signaling tunnel

1. Hide the Configure SSL Connection Guide.

Click the Hide SSL Guide link at the upper right-hand corner of the online help block.

2. Install a crypto license.

Without a crypto license, SSL Compression and User Data Encryption are not available, and the Configuration: SSL Acceleration page displays a yellow warning message to that effect.

a. Order a crypto license from Citrix.

b. If you are using a network license server, go to the System Settings: License Management: License Server tab to install the crypto license. Otherwise, use the Configuration: Licensing: Local Licenses tab.

c. Verify successful installation on the Licensed Features tab of the Configuration: Licensing page. The Crypto License heading should appear in the Licensed Features table, and the crypto license expiration date should be displayed.

3. Set a key store password, and then open the key store.

On the Configuration: SSL Encryption page, open the key store and assign a password to it. (You have to reenter this password after every restart, so do not forget it.)

4. Optionally, encrypt the compression history on the local appliance’s disk by clicking Enable Encryption.

This step is recommended. User data encryption prevents unauthorized reading of the disk-based compression history, in case the appliance is stolen or returned to the factory. The security of disk data encryption relies on the key store password not being compromised. This feature uses AES-256 encryption.

Note: If you use disk data encryption, you have to reenter the key store password every time the appliance is restarted, even if secure peering is not used. Otherwise, the key store password is needed only for secure peering.

Note: Disk data encryption does not encrypt the entire disk, just the compression history.

5. Under Configuration: SSL Encryption, enable SSL compression by clicking Enable.


6. Install credentials for the SSL signaling connection.

The appliances use these credentials to authenticate each other, and to encrypt communication between them. On each appliance, acquire a CA certificate and certificate-key pair for the SSL signaling connection. When using self-signed certificates, the same certificate can be used for the CA certificate and the certificate-key pair. When using proper certificates, these two are different, and their use is the same as in your other secure devices.

a. To install the CA Certificate, on the Configuration: SSL Acceleration page, click Manage CAs at the bottom of the page, and then click Add. Create a name for your CA certificate in the Name field. Use the Input Method field to specify whether you want to upload the CA certificate as a file or paste it into a text box, and then use the selected method to install it. Finally, click Add again.

Figure 1. Installing Certificates

b. Installing the certificate-key pair is almost identical to installing the CA Certificate. At the bottom of the page, click Manage Keys, and then click Add. Certificate-key pairs are sometimes generated as a single file and sometimes as two files. The Configuration: SSL Acceleration page supports both formats. Choose the one that fits your certificate-key pair, add the certificate-key pair, and then click Add again.

7. On the Secure Partners: Configuration page, set up the SSL signaling connection on the appliance:


Figure 2. Configuring Peer Communication

a. Next to Partner State, enable Peer Connections by selecting Enabled.

b. Next to Partner Security, select the certificate-key pair and CA certificate store that you installed in the previous step.

c. Under Certificate Verification, select the method for identifying authorized peers.

Signature/Expiration is the default: that is, the credentials are examined for authenticity on the basis of their signature and expiration date. Other options include Signature/Expiration/Common Name White List, where the common name on the certificate must be present in a white list (which appears below the radio button when this option is selected); Signature/Expiration/Common Name Black List, where the common name must not appear in the black list (which appears below the radio button when this option is selected); and None.

Caution: If Certificate Validation: None is selected, the appliance attempts to perform SSL compression with any partner appliance, regardless of the partner's identity. As a result, a clear-text record of the encrypted connections is retained in the disk-based compression history of the partner appliance. The encryption of this history can be disabled at the option of the remote appliance's administrator, leaving open the possibility that your encrypted traffic can be intercepted.


d. Optionally, create a new SSL Cipher Specification.

This specification uses the OpenSSL syntax for specifying acceptable ciphers for the signaling connection. The signaling connection carries key information and should use a cipher specification suitable for this task, according to the standards used by your organization.

e. Select a discovery method.

Peers are selected either by auto-discovery or through the optional list of known peer IP addresses on the Connect To list. Specify one method or the other by either selecting or clearing the Enable Auto-Discovery check box.

f. If your network uses NAT and your appliance cannot be reached at its signaling address, select the Publish NAT address to peers check box, click Add, and enter the address-port combination at which it can actually be reached.

g. If the addresses and ports on which the appliance listens for signaling connections have not been specified, next to Listen On, click Add and specify them.

(If already defined, the CloudBridge Plug-in signaling connection is the default.) The address must be on the same subnet as the accelerated bridge, but must be different from the management IP address on that subnet. Ports 443 and 2312 are preferred.

h. Optionally, next to Connect To, specify the IP-address: port pairs of remote hosts.

You can use a list of such pairs in addition to or instead of auto-discovery for identifying peers.

i. Click Save.

If another appliance has been configured for SSL acceleration, that appliance and this one should now be able to open secure SSL signaling connections with each other. (In fact, only one connection is needed, and it does not matter which appliance succeeds in opening this connection. But configure both directions anyway.) An SSL connection should open the next time an accelerated connection alerts the appliance that a remote appliance is available for an SSL signaling connection. At this point, the remote appliance should appear on the Monitoring: Secure Partners page. If accelerated connections are being established but the SSL signaling connection is not, check your settings.
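When the signaling connection does not come up, the credentials themselves are worth checking off the appliance. The following added example (not a Citrix tool) mirrors the Signature/Expiration and Common Name White List checks locally with the openssl CLI and also confirms that the private key belongs to the certificate. It assumes openssl is on the PATH and that keys are unencrypted PEM files; the file names, common names, and the 30-day threshold are constructed for illustration.

```python
"""Pre-flight check of a certificate-key pair against a CA certificate.

Added illustration, not a Citrix tool. Shells out to the openssl CLI
(assumed to be on PATH). Keys are assumed to be unencrypted PEM files.
"""
import os
import re
import subprocess
import tempfile


def _openssl(*args: str) -> subprocess.CompletedProcess:
    return subprocess.run(["openssl", *args], capture_output=True, text=True)


def public_key_of_cert(cert: str) -> str:
    return _openssl("x509", "-in", cert, "-noout", "-pubkey").stdout.strip()


def public_key_of_key(key: str) -> str:
    return _openssl("pkey", "-in", key, "-pubout").stdout.strip()


def common_name(cert: str) -> str:
    out = _openssl("x509", "-in", cert, "-noout", "-subject",
                   "-nameopt", "RFC2253").stdout
    match = re.search(r"CN=([^,\n]+)", out)
    return match.group(1).strip() if match else ""


def preflight(cert, key, ca, allowed_cns=None, min_days_left=30) -> list:
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    # The pair is unusable if the key is not the certificate's key.
    pub = public_key_of_cert(cert)
    if not pub or pub != public_key_of_key(key):
        problems.append("private key does not match certificate")
    # Signature check against the CA certificate the peer will trust.
    res = _openssl("verify", "-CAfile", ca, cert)
    if res.returncode != 0 or ": OK" not in res.stdout:
        problems.append("certificate does not verify against CA certificate")
    # -checkend exits non-zero if the certificate expires within N seconds.
    res = _openssl("x509", "-in", cert, "-noout",
                   "-checkend", str(min_days_left * 86400))
    if res.returncode != 0:
        problems.append(f"certificate expires within {min_days_left} days")
    # Only relevant when the peer uses the Common Name White List option.
    if allowed_cns is not None and common_name(cert) not in allowed_cns:
        problems.append("common name not in white list")
    return problems


def make_self_signed(directory: str, name: str, cn: str, days: int):
    """Create a constructed self-signed test credential; returns (crt, key)."""
    key = os.path.join(directory, name + ".key")
    crt = os.path.join(directory, name + ".crt")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes",
             "-keyout", key, "-out", crt, "-subj", "/CN=" + cn,
             "-days", str(days))
    return crt, key


def demo() -> dict:
    """Run the checks on constructed credentials for two hypothetical peers."""
    with tempfile.TemporaryDirectory() as d:
        a_crt, a_key = make_self_signed(d, "peer-a", "peer-a.example.test", 365)
        b_crt, b_key = make_self_signed(d, "peer-b", "peer-b.example.test", 10)
        white_list = {"peer-a.example.test"}
        return {
            # Self-signed: the certificate doubles as its own CA certificate.
            "good": preflight(a_crt, a_key, a_crt, white_list),
            "wrong_key": preflight(a_crt, b_key, a_crt, white_list),
            "wrong_ca": preflight(a_crt, a_key, b_crt, white_list),
            "short_lived_unlisted": preflight(b_crt, b_key, b_crt, white_list),
        }


if __name__ == "__main__":
    for case, found in demo().items():
        print(case, found or "OK")
```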


Joining a Windows Domain for CIFS/MAPI Enhancements

If your deployment meets the necessary requirements, joining a Windows domain enables the following capabilities:

• Acceleration of "Signed" Windows Filesystem (CIFS) traffic—By joining the same Windows domain as the server, the server-side appliance can accelerate signed traffic. This feature works with servers using either the older SMB1 protocol (the only version supported on Windows Server 2003 and Windows XP) or the newer SMB2 protocol (supported by Windows Server 2012, Windows Server 2008, Windows Vista, Windows 7, Windows 8). Protocol acceleration for the SMB3 protocol is not supported, meaning that when both the client and server support SMB3 (Windows Server 2012, Windows Server 2008, Windows 8), protocol acceleration is not used.

• Acceleration of encrypted Outlook/Exchange (MAPI) traffic—By joining the same Windows domain as the Exchange server, the server-side appliance becomes part of the security infrastructure and can accelerate encrypted MAPI traffic with partner appliances for which it has a secure peer relationship. In this case, mail clients will run with the default encryption settings.


How Joining a Windows Domain Works

When the appliance joins the Windows domain, and the Windows domain controller accepts the appliance as a delegate user, the appliance becomes a trusted member of the domain for certain functions. This allows the appliance to be declared a member of the domain's security infrastructure, which in turn allows the acceleration of authenticated and encrypted data streams using Windows protocols such as CIFS and MAPI.

For the purposes of accelerating CIFS and MAPI, security delegation can be limited to the relevant services as part of the standard Windows delegation mechanism. This constrained delegation became available with Windows Server 2003.

Figure 1. Windows Domain Authentication Flow

Joining a Windows domain also requires that the two appliances (or appliance and CloudBridge Plug-in) have a secure peer relationship with each other. The datacenter appliance joins the Windows domain, and, for purposes of CIFS/MAPI acceleration, the remote appliance acts as a slave to the datacenter appliance, being controlled over the secure SSL tunnel between the two. Therefore, the delegate user credentials do not have to leave the datacenter.

As with all accelerated connections between two appliances in a secure peer relationship, the CIFS/MAPI connections and NTLM authentications are encrypted over the WAN.

If the appliances do not have a secure peer relationship, or if the datacenter appliance has not successfully joined the domain, the connections fall back to TCP flow-control acceleration, which performs no security operations, compression, or data transformations, meaning that the connections take place as if the appliances were not there.


Requirements

To benefit from joining a domain, your CloudBridge deployment must meet the following requirements:

• Both the client-side and server-side acceleration appliances must have established a "secure peer relationship."

• Outlook must not be configured for the nondefault "Kerberos only" or "NTLM only" option. The default (negotiated) option is required for acceleration.

• The client and server can be members of any domain that has two-way trust with the appliance's domain.

| Client OS | Client Authentication Mode | Optimization | Comments |
| --- | --- | --- | --- |
| Windows XP / Windows Vista / Windows 7 / Windows 8 | Negotiate Authentication (SPNEGO) | TCP flow-control acceleration + Compression + CIFS protocol acceleration | Default setting used by all Windows versions |
| Windows XP / Windows Vista / Windows 7 / Windows 8 | NTLM only or Kerberos only | TCP flow-control acceleration only | Non-default authentication modes |

• The client and server can be members of any domain that has two-way trust with the server-side appliance’s domain. One-way trust is not supported.

• A Kerberos delegate user must be set up on the domain controller, to be used by the appliance to participate in the domain’s security infrastructure.

• The DNS server IPs for the domain must be configured and reachable on the server-side appliance.

• The domain servers must be fully reachable, with both forward and reverse lookups for all the IPs of the domain controllers configured on the DNS servers.


• The server-side CloudBridge appliance’s host name must be unique. Using the default host name of “hostname” is likely to cause problems.

Note: The Macintosh Outlook client does not use the MAPI (Outlook/Exchange) standard and is not accelerated by this feature.

Limitations

• “Sealed” CIFS connections are not accelerated even after the appliance joins the Windows domain.

• The appliances negotiate only NTLM authentication with the client. This negotiation process is passed through to the datacenter appliance. Kerberos is supported only between the datacenter appliance and the servers it communicates with locally.


Joining the Windows Domain and Adding the Kerberos Delegate User

To join the appliance to the Windows domain, go to the Configuration: Windows Domain page, click Join Domain, and enter the domain administration credentials. The appliance joins the domain, which involves exchanging a shared secret with the domain controller, allowing the appliance to remain part of the domain indefinitely. (The domain administration credentials are not saved on the appliance.)

Figure 1. Joining a Windows Domain

The delegated user must be configured for some of the advanced CIFS/MAPI acceleration features to operate.

Microsoft provides full documentation for delegation, delegate users, and constrained delegation using Service Principal Names (SPNs). See the Microsoft documentation for a comprehensive understanding of these features.

To configure the delegate user

1. On the domain controller that is responsible for the CIFS/MAPI servers to be accelerated, create a new user. For example, create a user with a user name of delegate_user. Create the user with Active Directory Users and Computers, selecting Users under your domain name.

2. (Windows 2008 Server and newer.) In Active Directory Users and Computers, select View: Advanced Features to display the Attributes Editor tab in User Properties. In the new user’s User Properties, set the ServicePrincipalName to delegate/delegate_user (assuming you used the example in step 1).


Figure 2. Creating a Delegate User on the Windows Domain Controller

3. (Windows Server 2003) Create the ServicePrincipalName with setspn.exe -R delegate_user. The setspn.exe program is part of the Windows Server 2003 SP1 Support Tools CD, and can also be downloaded from the Microsoft Download Center.


Figure 3. Setting the Service Principal Name (SPN) for Delegation

4. Next, on every server in the domain for which you want acceleration of encrypted CIFS/MAPI traffic, grant delegated user access for CIFS and MAPI, using the Active Directory Users and Computers snap-in to the Microsoft Management Console (MMC):

a. Go to Active Directory Users and Computers: delegate_user: Properties: Delegation.

b. Select Trust this user for delegation to specified services only and Use any authentication protocol.

c. Add the CIFS and ExchangeMDB services for delegation, specifying the local hostname as the User or Computer.


Figure 4. Adding the Services

5. If the server does not have a DNS reverse lookup entry for the domain controller, you must run the following two commands. (These commands are examples, for a domain controller with a hostname of dc and a fully qualified domain name of dc.example.com, at address 10.102.79.x.)

dnscmd dc /zoneadd 79.102.10.in-addr.arpa /primary

dnscmd dc /recordadd 79.102.10.in-addr.arpa 25 PTR dc.example.com
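
The forward and reverse lookup requirement behind step 5 can be checked for every domain controller before the appliance joins the domain. The following Python check is an added example, not part of the Citrix documentation; the inventory, the lookup tables, and all function names are constructed for illustration, and a /24 reverse zone is assumed, as in the dnscmd example.

```python
import ipaddress

# Constructed sample inventory: (FQDN, IPv4 address) of each domain controller.
SAMPLE_DCS = [
    ("dc.example.com", "10.102.79.25"),
    ("dc2.example.com", "10.102.79.26"),
    ("dc3.example.com", "10.102.80.7"),
]
# Constructed stand-ins for DNS answers (A records and PTR records).
SAMPLE_A = {
    "dc.example.com": ["10.102.79.25"],
    "dc2.example.com": ["10.102.79.26"],
    "dc3.example.com": ["10.102.80.70"],        # stale A record
}
SAMPLE_PTR = {
    "10.102.79.25": ["dc.example.com."],
    "10.102.80.7": ["hostname.example.com."],   # PTR names a different host
}


def reverse_names(ip):
    """Return (zone, label, owner) for an IPv4 address in a /24 reverse zone.

    10.102.79.25 gives the zone 79.102.10.in-addr.arpa and the record label 25,
    the two values that appear in the dnscmd example.
    """
    addr = ipaddress.IPv4Address(ip)
    owner = addr.reverse_pointer            # 25.79.102.10.in-addr.arpa
    label, zone = owner.split(".", 1)
    return zone, label, owner


def _norm(name):
    """Compare host names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def check_domain_controllers(controllers, forward_lookup, reverse_lookup):
    """Return a list of (fqdn, problem, detail); an empty list means all pass.

    forward_lookup: callable, fqdn -> list of IP strings (A records)
    reverse_lookup: callable, ip   -> list of host names (PTR records)
    In live use the callables can wrap socket.gethostbyname_ex and
    socket.gethostbyaddr, or a resolver pointed at the domain's DNS servers.
    """
    findings = []
    for fqdn, ip in controllers:
        ip = str(ipaddress.IPv4Address(ip))
        zone, label, owner = reverse_names(ip)

        answers = {str(ipaddress.ip_address(a)) for a in forward_lookup(fqdn)}
        if ip not in answers:
            findings.append((fqdn, "forward-mismatch",
                             "A records %s do not include %s" % (sorted(answers), ip)))

        targets = {_norm(n) for n in reverse_lookup(ip)}
        if not targets:
            findings.append((fqdn, "missing-ptr",
                             "no PTR record %s in zone %s" % (label, zone)))
        elif _norm(fqdn) not in targets:
            findings.append((fqdn, "ptr-mismatch",
                             "%s points to %s" % (owner, sorted(targets))))
    return findings


def run_sample():
    """Run the check against the constructed tables above."""
    return check_domain_controllers(
        SAMPLE_DCS,
        lambda name: SAMPLE_A.get(name, []),
        lambda ip: SAMPLE_PTR.get(ip, []),
    )


if __name__ == "__main__":
    for fqdn, problem, detail in run_sample():
        print("%-18s %-17s %s" % (fqdn, problem, detail))
```

A missing-ptr finding names the reverse zone and record label that the two dnscmd commands in step 5 take as arguments.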


CIFS (Windows Filesystem) Acceleration

The CIFS acceleration feature provides a suite of protocol-specific performance enhancements to CIFS-based (Windows and Samba) file transfer and directory browsing, including enhancements to CIFS transport and to related protocols such as DCERPC.

CIFS acceleration has three parts:

1. TCP flow-control acceleration. This is performed on all accelerated CIFS connections, regardless of protocol version (SMB1, SMB2, or SMB3) or degree of authentication and encryption.

2. CIFS protocol acceleration. These optimizations increase CIFS performance by reducing the number of round-trips needed by a CIFS command. These optimizations are performed automatically on SMB1 and SMB2 CIFS connections that either do not use CIFS packet authentication ("signing"), or where signing is used and the appliances have joined the Windows domain in a "security delegate" role.

3. CIFS compression. CIFS connections are compressed automatically whenever they also meet the requirements for CIFS protocol acceleration. In addition, SMB3 connections are compressed when unsigned and unsealed.

On networks where CIFS signing is enabled, CIFS protocol acceleration and compression require that you either disable CIFS packet authentication (signing), or have your datacenter appliances join the Windows domain, and create a secure peer relationship between the datacenter appliances and your remote appliances and CloudBridge Plug-ins.

Table 1. CIFS acceleration features, by SMB protocol version and whether the appliance has joined the Windows domain.

| SMB Version | TCP Flow Control | Compression | Protocol Acceleration |
|---|---|---|---|
| Signing disabled | | | |
| SMB 1.0 | Y | Y | Y |
| SMB 2.0 | Y | Y | Y |
| SMB 2.1 | Y | Y | N |
| SMB 3.0 | Y | Y | N |
| Signing enabled, CloudBridge has joined domain | | | |
| SMB 1.0 | Y | Y | Y |
| SMB 2.0 | Y | Y | Y |
| SMB 2.1 | Y | Y | N |
| SMB 3.0 | Y | Y | N |
| Signing enabled, CloudBridge has not joined domain | | | |
| SMB 1.0 | Y | N | N |
| SMB 2.0 | Y | N | N |
| SMB 2.1 | Y | N | N |
| SMB 3.0 | Y | N | N |

Table 2. Which SMB protocol version is used, by client and server OS

| Client/Server OS | Windows 8 / Windows Server 2012 | Windows 7 / Windows Server 2008 R2 | Windows Vista / Windows Server 2008 | Previous versions of Windows |
|---|---|---|---|---|
| Windows 8 / Windows Server 2012 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
| Windows 7 / Windows Server 2008 R2 | SMB 2.1 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
| Windows Vista / Windows Server 2008 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 1.0 |
| Previous versions of Windows | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 |

Supported Versions of CIFS

Not every CIFS implementation uses request patterns that are recognized by the appliance. These unsupported versions do not achieve acceleration in the full range of cases, as shown in the following table.

Table 3. CloudBridge Support for CIFS Servers and Clients

| Product | Server | Client |
|---|---|---|
| Windows Server 2003-2012 | Yes* | Yes* |
| Windows XP, Vista, 7, 8, 2000 | Yes* | Yes* |
| NetApp | Yes | N/A |
| Samba (most versions) | Yes | No |
| Windows NT | Yes | No |
| Windows ME and earlier | No | No |
| Others | See Note | |

* Newer Windows versions will use the SMB3 protocol when both client and server support it. Protocol acceleration is not supported for SMB3, so protocol acceleration with an SMB3-capable OS occurs only when communicating with an older OS.

Note: Most third-party CIFS implementations emulate one of the servers or clients listed above. To the extent that the emulation is successful, traffic is accelerated, or not, as shown in the above table. If the emulation behaves differently from what the CIFS accelerator expects, CIFS acceleration is terminated for that connection.

The behavior of CIFS acceleration with a given CIFS implementation cannot be known for certain until it has been tested.

The modes of CIFS acceleration are:

• Large file reads and writes

• Small file reads and writes

• Directory browsing.

Large file reads and writes—These SMB1 optimizations are for file transfers of at least 640 KB in size. Safe read-ahead and write-behind techniques are used to stream the data without pauses for every transfer (a transfer is 64 KB or less).

These optimizations are enabled only if the transfer has a BATCH or EXCLUSIVE lock and is "simple." File copies are always simple. Files opened through applications might or might not be, depending on how they are handled within the application.

Speedup ratios of 10x are readily obtainable with CIFS acceleration, provided that your link and disks are fast enough to accommodate ten times your current transfer speeds. 50x speedup can be obtained if necessary, but is not normally enabled, because of memory consumption. Contact your Citrix representative if 10x is not sufficient.

Small file reads and writes—Small-file enhancements center more around metadata (directory) optimizations than around data streaming. Native CIFS does not combine metadata requests in an efficient way. CIFS acceleration does. As with large-file acceleration, these optimizations are not performed unless they are safe (for example, they are not performed if the CIFS client was not granted an exclusive lock on the directory). When the SMB2 protocol is used, file metadata is cached locally for even greater improvements.

Directory Browsing—Standard CIFS clients perform directory browsing in an extremely inefficient way, requiring an enormous number of round trips to open a remote folder. CIFS acceleration reduces the number of round trips to 2 or 3. When the SMB2 protocol is used, directory data is cached locally for even greater improvements.


CIFS Protocol Acceleration

CIFS acceleration is supported on all models. CIFS is a TCP based protocol and benefits from flow control. However, CIFS is implemented in a way that is highly inefficient on long-haul networks, requiring an excessive number of round trips to complete an operation. Because the protocol is very sensitive to link latency, full acceleration must be protocol-aware.

CIFS acceleration reduces the number of round-trips through a variety of techniques. The pattern of requests from the client is analyzed and its next action is predicted. In many cases, it is safe to act on the prediction even if it is wrong, and these safe operations are the basis of many optimizations.

For example, SMB1 clients issue sequential file reads in a non-overlapping fashion, waiting for each 64 KB read to complete before issuing the next one. By implementing read-ahead, the appliance can safely deliver up to 10x acceleration by prefetching the anticipated data.

Additional techniques accelerate directory browsing and small-file operations. Acceleration is applied not only to CIFS operations, but also to the related RPC operations.

Configuring CIFS Protocol Acceleration

CIFS acceleration is enabled by default for connections that do not use CIFS signing. If your network uses signing, it can either be disabled or the server-side appliances can join the Windows domain.

Disabling CIFS Signing

Depending on their security settings, Windows servers or domain servers might need to have their security settings adjusted.


Figure 1. Windows Server Security Options, Windows Server 2003 and Windows Server 2008.

Windows file servers have two security modes: "sealing" and "signing."

Sealing encrypts the data stream, which prevents CIFS protocol acceleration altogether.

Signing adds authentication data to every data packet, without encrypting the data stream. This prevents acceleration unless you have implemented the procedures described in Joining the Windows Domain and Adding the Kerberos Delegate User. When this requirement is met, signing is accelerated automatically. Otherwise, signing must be disabled (if it is not disabled already) for protocol acceleration to take place.

By default, Windows file servers offer signing but do not require it, except for domain servers, which require it by default.

To achieve CIFS acceleration with systems that currently require signing, you must change the system security settings to disable this requirement. You can do so in the local security settings on the file server, or in group policies. The following examples, for Windows Server 2003 and Windows Server 2008, show the local settings. The group-policy changes are, of course, almost identical. (For an example of the Local Security Settings screen, see the figure, Windows Server Security Options, Windows Server 2003 and Windows Server 2008.)


To change the server’s setting to allow CIFS acceleration

1. Go to the system’s Local Security Settings page.

2. Set Domain member: Digitally encrypt or sign secure channel data (always) to Disabled.

3. Set Microsoft network client: Digitally sign communications (always) to Disabled.

4. Set Microsoft network server: Digitally sign communications (always) to Disabled.
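
To record where the three “(always)” settings stand on a server before and after this change, the exported local security policy can be parsed. The following Python example is added here and is not part of the Citrix documentation; it assumes a policy file produced by secedit /export /cfg and the standard registry values behind the three policies, and the sample export in the code is constructed.

```python
# Registry values (as written in a secedit export) behind the three policies
# named in steps 2-4, in the same order. Keys are lower-cased for matching.
SIGNING_POLICIES = {
    r"machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal":
        "Domain member: Digitally encrypt or sign secure channel data (always)",
    r"machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature":
        "Microsoft network client: Digitally sign communications (always)",
    r"machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature":
        "Microsoft network server: Digitally sign communications (always)",
}

# Constructed sample of a secedit export (not taken from a real server).
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
[Registry Values]
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_registry_values(inf_text):
    """Return {lower-cased key: (type, data)} from the [Registry Values] section."""
    values = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        key, _, rhs = line.partition("=")
        reg_type, _, data = rhs.partition(",")
        values[key.strip().lower()] = (reg_type.strip(), data.strip().strip('"'))
    return values


def signing_report(inf_text):
    """Map each of the three policies to Enabled, Disabled or 'not defined'."""
    values = parse_registry_values(inf_text)
    report = {}
    for key, policy in SIGNING_POLICIES.items():
        entry = values.get(key)
        if entry is None:
            report[policy] = "not defined"
        elif entry == ("4", "1"):          # REG_DWORD 1
            report[policy] = "Enabled"
        elif entry == ("4", "0"):          # REG_DWORD 0
            report[policy] = "Disabled"
        else:
            report[policy] = "unexpected value " + ",".join(entry)
    return report


def still_required(inf_text):
    """Policies that are still Enabled, i.e. signing is still required."""
    return [p for p, state in signing_report(inf_text).items() if state == "Enabled"]


if __name__ == "__main__":
    # For a real export, secedit writes UTF-16:
    #   text = open("policy.inf", encoding="utf-16").read()
    for policy, state in signing_report(SAMPLE_EXPORT).items():
        print("%-9s %s" % (state, policy))
```

The Enable... values, which only offer signing, are deliberately ignored; only the three Require... values named in the procedure are reported.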


Interpreting CIFS Statistics

The Monitoring: Filesystem (CIFS/SMB) page shows a list of accelerated CIFS connections. These connections are divided into "optimized" and "non-optimized" connections. Because all these connections are accelerated (with flow control and compression), "optimized" connections have CIFS optimizations added in addition to flow control and compression, while "non-optimized" connections have flow control and compression only.


CIFS Management Summary

• CIFS acceleration provides significant improvement even at relatively short link distances.

• CIFS acceleration begins when a file system is first accessed by the client. If acceleration is enabled with the file server and client already up and running, no acceleration occurs for many minutes, until the preexisting CIFS connections are fully closed. CIFS connections are very persistent and last a long time before closing themselves, even when idle. This behavior is annoying during test, but has little importance in normal deployment.

• Dismounting and remounting a file system in Windows does not close the CIFS connections, because Windows does not really dismount the file system fully. Rebooting the client or server works. For a less invasive measure, use the NET USE devicename /DELETE command from the Windows command line to fully dismount the volume. In Linux, smbmount and umount fully dismount the volume.

• Disabling and then reenabling CIFS read and write optimizations in the appliance raises similar issues. Existing connections do not become accelerated when CIFS is enabled, and the number of “protocol errors detected” on the Monitoring: Filesystem (CIFS/SMB) page increases briefly.

• CIFS statistics can be confusing, because only the appliance farthest from the file server reports CIFS acceleration with full statistics. The other appliance sees it as ordinary acceleration.

• CIFS acceleration is not supported in proxy mode.

• If CIFS acceleration does not take place with a Windows server, check the server’s security settings.


Microsoft Outlook (MAPI) Acceleration

Microsoft Outlook acceleration provides improved performance for traffic between Microsoft Outlook clients and Microsoft Exchange Servers, increasing throughput with a variety of optimizations, including data prefetching and compression.

This feature is also called "MAPI acceleration," after the MAPI protocol used between Outlook and Exchange Server.

In networks where the Outlook data stream is unencrypted (the default before Outlook 2007), this feature requires no configuration.

In networks where the Outlook data is encrypted (the default with Outlook 2007 and later), acceleration can be obtained in one of two ways: by disabling encryption in the Outlook clients or by having the appliances join the Windows domain.

Supported Outlook/Exchange Versions and Modes

CloudBridge appliances provide MAPI acceleration for Microsoft Outlook 2003-2010 and Exchange Server 2003-2010, in the following circumstances:

• Any combination of supported clients and servers (using the MAPI protocol) is supported.

• Outlook must connect to the Exchange Server normally, using the MAPI protocol (not through an HTTP or HTTPS proxy or "Outlook Anywhere").

• If the server-side appliance has joined a Windows domain, connections with MAPI encryption are accelerated. Otherwise, they are not, and encryption should be disabled in the Outlook clients.

Configuration

Outlook acceleration is a zero-configuration feature that is enabled by default. (If not wanted, it can be disabled by disabling acceleration on the MAPI service class on the Configuration: Service Class Policy page.) Outlook acceleration takes place automatically if the following conditions are met:

• There is an appliance at the Exchange Server end of the WAN.

• Either there is an appliance at the Outlook end of the WAN, or the system running Outlook is also running the CloudBridge Plug-in.

• All Outlook/Exchange traffic passes through the appliances (or appliance and plug-in).

• Either the Exchange Server or Outlook is restarted (acceleration does not begin until existing MAPI connections are closed).


• Either encryption is disabled on Outlook, or the server-side appliance belongs to the Windows domain and has a secure peer relationship with the client-side appliance (or CloudBridge Plug-in). In the case where the appliance has joined the Windows domain, authentication on the domain must be kept at the default setting (negotiate), for acceleration to work.

Disabling Encryption on Outlook 2007 or Outlook 2010

Unless the server-side appliance has joined the Windows domain and has a secure peer relationship with the client-side appliance (or CloudBridge Plug-in), encryption between Outlook and Exchange Server must be disabled for acceleration to take place.

Encryption was disabled by default before Outlook 2007. Starting with Outlook 2007, encryption is enabled by default.

Performance Note

MAPI uses a different data format from other protocols. This difference prevents effective cross-protocol compression. That is, a file that was first transferred through FTP and then as an email attachment does not receive a compression advantage on the second transfer. If the same data is sent twice in MAPI format, the second transfer receives full compression.


SSL Compression

CloudBridge SSL compression applies multisession compression to SSL connections (for example, HTTPS traffic), providing compression ratios of up to 10,000:1.

Note: SSL compression requires a secure peering (signaling) connection between the two appliances at the ends of the accelerated link.

Encryption is maintained from end to end by splitting the connection into three encrypted segments: client to client-side appliance, client-side appliance to server-side appliance, and server-side appliance to server.

Figure 1. SSL Compression

Caution: SSL Compression decrypts the encrypted data stream and, unless the User Data Encryption option is used, the compression histories of both acceleration units retain clear-text records of the decrypted data. Verify that your deployment and settings are consistent with your organization's security policies. Citrix recommends that you enable encryption of the compression history on each unit when you configure the secure peering signaling connection required for SSL acceleration.

Note: When you enable SSL compression, the appliance stops attempting compression with other appliances with which it does not have a secure peer relationship (whether CloudBridge or CloudBridge Plug-in). This feature is thus best-suited for networks where all appliances are configured for SSL compression.

Note: With SSL compression enabled, you must manually type in the Key Store password each time the appliance is restarted.


How SSL Compression Works

SSL compression has access to the clear-text data of the connection, because the server-side appliance acts as a security delegate of the endpoint servers. This behavior is possible because the server-side appliance is configured with copies of the servers' security credentials (private keys and certificates), allowing it to act on the servers' behalf. To the client, this behavior is equivalent to communicating directly with the endpoint server.

Because the appliance is working as a security delegate of the server, most configuration is on the server-side appliance. The client-side appliance (or plug-in) acts as a satellite of the server-side appliance and does not require per-server configuration.

The server-side and client-side appliances share session status through an SSL signaling connection. All accelerated connections between the two appliances are sent over SSL data connections, whether the original connections were encrypted or not.

Note: SSL compression does not necessarily encrypt all link traffic. Traffic that was originally encrypted remains encrypted, but unencrypted traffic is not always encrypted. The appliances do not attempt to encrypt unaccelerated traffic. Because there is no absolute guarantee that any given connection will be accelerated (various events prevent acceleration), there is no guarantee that the appliances will encrypt a given unencrypted connection.

SSL compression operates in one of two modes: transparent proxy or split proxy. These two modes support slightly different SSL features. You select the mode that provides the features a given application requires.

SSL Transparent Proxy

In SSL transparent proxy mode (not to be confused with transparent mode on the CloudBridge Plug-in), the server-side appliance masquerades as the server. The server's credentials (certificate-key pair) are installed on the server-side appliance so that it can act on the server's behalf. The server-side appliance then configures the client-side appliance to handle the client end of the connection. The server's credentials are not installed on the client-side appliance.

True client authentication is supported in this mode, but Temp RSA and Diffie-Hellman are not. SSL transparent proxy mode is suited for applications that require client authentication if the following features are not required: Diffie-Hellman, Temp RSA, TLS session tickets, SSL version 2. Also, session renegotiation must not be attempted, or the connection terminates.

No configuration is required on the client-side appliance (other than configuring a secure peering relationship with the server-side appliance), and no configuration is required on the client, which treats the connection exactly as if it were communicating directly with the server.


Figure 1. SSL Transparent Proxy Mode

SSL Split Proxy

SSL split proxy mode is preferred in most instances, because it supports Temp RSA and Diffie-Hellman, which many applications require. In SSL split proxy mode, the server-side appliance masquerades as a server to the client, and as a client to the server. You install server credentials (a certificate-key pair) on the server-side appliance to allow it to act on the server's behalf. You can also install optional client credentials, which are used when the application requires client authentication.

Because the server-side appliance is masquerading as a client, true client authentication is not supported in this mode (that is, the server cannot authenticate the actual endpoint client). If the server-side appliance is not configured with client credentials, attempts at client authentication fail. If the server-side appliance is configured with client credentials, it responds to client authentication with these credentials, regardless of the identity of the actual client.

No configuration is required on the client-side appliance (other than configuring a secure peering relationship with the server-side appliance), and no configuration is required on the client, which treats the connection as if it were communicating directly with the server. The server credentials on the server-side appliance are not installed on the client-side appliance.

To support multiple servers, multiple private certificate-key pairs can be installed on the appliance, one per SSL profile. Special SSL rules in the service class definitions match up servers to SSL profiles, and thus SSL profiles to credentials.

The certificate-key pairs and CA certificates do not actually have to match those of the servers. Due to the nature of a split proxy, they can be any credentials that are acceptable to the client application (valid credentials issued by a trusted authority). Note that, in the case of HTTPS connections, Web browsers issue a warning if the common name does not match the domain name in the URL. In general, using copies of the server's credentials is the more trouble-free option.


Figure 2. SSL Split Proxy Mode


Installing Server and Client Certificates

For SSL compression to work, the CloudBridge appliance needs certificates from either the server or the client. To support multiple servers, multiple private keys can be installed on the appliance, one per SSL profile. Special SSL rules in the service class definitions match up servers to SSL profiles, and thus SSL profiles to private keys.

To install server and client certificates

1. Install credentials from your SSL server by acquiring copies of your server’s CA certificate and private certificate-key pair, and installing them on the server-side appliance. Use the Cert/Key pairs and CA Certificates tabs on the Configuration: SSL Acceleration page.

The procedure is the same as adding cert/key pairs and CA certificates for the signaling connection.

2. For split-proxy mode, on the server-side appliance only, set up a split-proxy SSL profile for your SSL server, as follows:


Figure 1. Configuring Split Proxy Mode

a. On the Configuration: SSL Acceleration page, click Add to add a new profile. The Add SSL Profile screen appears.

b. On the Add SSL Profile screen, next to Profile Name, type a name for the profile (usually the name of the server).

c. Select the Profile Enabled box.

d. For Proxy Type, select Split.


e. If your SSL server uses more than one virtual host name, in the Virtual Host Name field, type the virtual host name that matches the server credentials you provided earlier. Otherwise, you can leave this field blank. (To support multiple virtual hosts, you create one SSL profile per hostname.) This option is effective only with TLS.

f. In the Certificate/Private Key and CA Certificate Store fields, select the credentials that you installed in the preceding step.

g. Leave the Build Certificate Chain check box selected (the default). This option causes the SSL certificate chain to be built by the server-side appliance.

h. The Certificate Verification option is the same as for peer validation. For example, if Signature/Expiration is chosen, the CA certificate store and key/cert pair you installed must have a valid signature and be unexpired, or this profile is not used.

i. Under Server-Side Proxy Configuration, select the protocols and specify the ciphers to be allowed for communication with the server.

j. If you want to require the server’s credentials to match the credentials used in this profile, select the Authentication required check box.

k. If you want to allow SSL session renegotiation, select the type of renegotiation from the Renegotiation type drop-down list.

Caution: This option is disabled by default, to prevent renegotiation exploits.

l. Under Client-Side Proxy Configuration, select the protocols, ciphers, and renegotiation settings allowed for communication with the client-side appliance.

3. For transparent proxy only, on the Profiles tab of the Configuration: SSL Acceleration page of the server-side appliance only, create an SSL Transparent Proxy for your SSL server.

SSL transparent proxy is less commonly used, because its strict requirements are matched by fewer applications, unless their default configurations are modified. However, configuration of the server-side appliance is simple:

a. Click Add to add a new profile.

b. In the Profile Name field, select the name of a profile.

c. Select the Profile Enabled check box.

d. For Proxy Type, select Transparent.

e. If your SSL server uses more than one virtual host name, in the Virtual Host Name field, type the virtual host name that matches the server credentials that you provided earlier. Otherwise, you can leave the field blank.

This option is effective only for TLS. To support multiple virtual host names, create multiple SSL Profiles.

f. In the SSL Server’s Private Key field, select your server’s private key, which you installed in step 1.


g. Click Add.

Figure 2. SSL Service Class Rules

4. On the server-side appliance, go to the Configuration: Service Classes page and create a new service class with appropriate SSL rules:

a. Create the service class. On the Configuration: Service Classes page, click Create, type a name for the new service class (for example, “Accelerated HTTPS”), and then click Create again. The new service class appears at the top of the service class list.

b. Enable acceleration by setting the acceleration policy to Disk or Memory.

c. Create a rule. Click Add Rule. In the Dst IP field type the server’s IP address (for example, 172.16.0.1 or, equivalently, 172.16.0.1/32).

d. Toggle the “Bidirectional” Icon (between the Src IP and Dst IP columns) to make the rule unidirectional, as shown by a single arrow.

SSL rules do not work with bidirectional mode set.

e. Attach the rule to an SSL profile. Click the SSL Profile field, then use the pop-up window to create a list of SSL profiles that can be used for this rule, then click Save.

Each SSL rule must be attached to one or more SSL profiles.

f. Click Save to save the rule.

g. Set service classes on the client-side appliance.

SSL traffic is not compressed unless it falls into a service class, on the client-side appliance, that enables acceleration and compression. This can be an ordinary service-class rule, not an SSL rule (only the server-side appliance needs SSL rules), but it must enable acceleration and compression. The traffic falls into an existing service class, such as “HTTPS” or “Other TCP Traffic.” If this class’s policy enables acceleration and compression, no additional configuration is needed.


5. Verify operation of the rule. Send traffic that should be receiving SSL acceleration through the appliances. In the Monitoring: Connections list, in the Details column for the connection, click the info balloon and verify that SSL connections matching the SSL service class rules are being compressed correctly.

The displayed information includes the connection’s service class, in the Detailed Connection Information table. If it matches your SSL service class, SSL compression is taking place.


Using SSL Compression with the CloudBridge Plug-in

The CloudBridge Plug-in is always used as the client-side unit and thus requires no additional SSL configuration other than installing credentials for the SSL signaling (secure peering) connection. The main difference between SSL compression on the plug-in and the appliance is that the plug-in is unable to encrypt the user data in the disk based compression history.

Caution: Because disk based compression history on the Plug-in is not encrypted, it retains a clear-text record of potentially sensitive and ephemeral encrypted communications. This lack of encryption is potentially dangerous on computers for which physical access is not controlled. Therefore, Citrix recommends the following best practices:

• Do not use Certificate Validation: None on your appliances. (Note that, in this case, the appliance refuses to allow compression with plug-ins that do not have appropriate certificates.)

• Install certificates only on systems that can be verified to meet your organization’s requirements for physical or data security (for example, laptops that use full-disk encryption).

The CloudBridge Plug-in supports both SSL split proxy and SSL transparent proxy. The plug-in ships without certificate-key pairs for the SSL signaling connection. If desired, the same credentials can be used by all plug-ins, or each plug-in can have its own credentials.

The plug-in does not attempt SSL compression unless credentials have been installed.

The plug-in inherits its crypto license from the appliance.


SCPS Support

CloudBridge software supports the SCPS (Space Communications Protocol Standard) TCP variant. SCPS is widely used for satellite communication.

See http://www.scps.org for general SCPS information.

SCPS is a TCP variant used in satellite communication and similar applications. The appliance can accelerate SCPS connections if the SCPS option is selected on the Configuration: Tuning page.

The main practical difference between SCPS and the default appliance behavior is that SCPS-style "selective negative acknowledgements" (SNACKs) are used instead of standard selective acknowledgements (SACKs). These two methods of enhancing data retransmissions are mutually exclusive, so if the appliance on one end of the connection has SCPS enabled and one does not, retransmission performance suffers. This condition also causes an "SCPS Mode Mismatch" alert.

If you must mix SCPS-enabled appliances with non-SCPS-enabled appliances, deploy them in such a way that mismatches do not occur. You can either use IP-based service class rules or arrange the deployment so that each path has matching appliances.


Traffic Classification

The two main functions of a CloudBridge appliance are traffic shaping, which maximizes link usage for all types of traffic, and acceleration, which applies compression and various optimizations to accelerate TCP traffic. Two basic components of both traffic shaping and acceleration are the application-classifier mechanism and the service-class mechanism. The former identifies the type of traffic, so that the latter can assign the traffic to a service class. Each service class has a traffic shaping policy and an acceleration policy.


The Application Classifier

The application classifier uses application definitions to categorize the traffic by protocol and application. This information is used to create reports, and by the service-class mechanism. Many applications are already defined, and you can define more as needed.

Protocol and Port Specifications in Application Definitions

The application classifier uses the official protocol and port specifications from the Internet Assigned Numbers Authority (IANA), http://www.iana.org. Sometimes applications other than the official ones use a port. The classifier generally cannot detect such use. If your network uses such applications, you can usually resolve this problem by renaming the application, in the application classifier, to indicate the actual application that uses this port on your network. For example, if you use port 3128 not for its standard use for a Squid web cache, but for a SOCKS proxy, you could rename the Squid (TCP) application to SOCKS (Port 3128) for clarity.

Applications must not have overlapping definitions. For example, if one application on your network uses TCP ports 3120 and 3128, and another application uses port 3120, only one CloudBridge application definition can include port 3120.

Configuring Application Definitions

On the Configuration: Application Classifiers: Create Application page, each definition starts with a top-level classification. The following top-level classifications are available in the Classification Type drop-down list:

• Ether type List, for Ethernet packet types

• Citrix Published Application Name, for XenApp/XenDesktop applications

• IP Protocol Number List, for IP protocols such as ICMP or GRE

• TCP, for TCP applications

• UDP, for UDP applications

• Web Address (URL), for specific Web sites or domains


Figure 1. Defining a New Application

To configure application definitions

1. Click the Create button on the Configuration: Application Classifiers page.

2. Fill in the Application Classifiers: Create Application page with the name you have chosen for the application, an optional description, the Application Group it belongs to (such as Voice over IP (VoIP)), the classification type (such as UDP), and additional information relevant to the classification type (such as the UDP port numbers used by the application).

3. Click the Save button.

4. Test your definition by sending matching traffic through the appliance and looking for it on the Active Applications tab on the Reports: Top Applications page.


Service Classes

Service classes are assigned traffic-shaping policies and acceleration policies to be used for all connections that match the service-class definition. Service classes can be based on the following parameters:

• Applications

• IP or VLAN addresses

• DSCP bits

• SSL profiles

The default service-class definitions are recommended as a starting point. Modify them if they prove inadequate for your links.

The service classes are defined in an ordered list. The first definition that matches the traffic being processed becomes the service class for the traffic.


Differences Between Acceleration Decisions and Traffic Shaping Policies

To make an acceleration decision, the CloudBridge appliance examines the initial SYN packet of each TCP connection to determine whether the connection is a candidate for acceleration. The SYN packet contains no payload, only headers, so the acceleration decision must be based on the contents of the SYN packet's headers, such as the destination port or destination IP address of the connection. Acceleration, once applied, lasts for the duration of the connection.

Unlike acceleration decisions, traffic-shaping policies can be based on the contents of the connection's data stream. Depending on how long it takes for the application classifier to receive enough data for a final classification, a connection might be reclassified during its lifetime.

For example, the first packet in an HTTP connection to http://www.example.com is a SYN packet that contains a header but no payload. The header has an IP destination port of 80, which matches the HTTP: Internet service class definition, so the acceleration engine bases its acceleration decision, in this case, none (no acceleration), on that service class.

The traffic shaper uses the traffic-shaping policy from the HTTP: Internet service class, but this decision is temporary. The first payload packet contains the string GET http://www.example.com, which matches the example application definition in the application classifier. The service class that includes the example application is selected by the traffic shaper, instead of the service class that includes HTTP: Internet, and the traffic shaper uses the service-class policy named in that service-class definition.

Note: Regardless of the service class policy, the reporting feature tracks the usage of the example application.

Important: All traffic is associated with an application and a service class, and all service classes have a traffic shaping policy, but only TCP connections have an acceleration policy other than none.


Configuring Service Class Definitions

Because service-class definitions are an ordered list, a definition that is an exception to a general case must precede the more general definition on the service-class page. The first definition whose rule matches the traffic is the one that is applied. For example:

• Service classes based on URLs must precede the HTTP service classes in the service-class list, because any URL-based rule also matches the HTTP service class. Therefore, putting the HTTP service class first would prevent the URL-based rules or published application-based rules from ever being used.

• Similarly, service classes based on ICA (XenApp/XenDesktop) published applications must precede the Citrix service class.

Because all URL-based rules match the HTTP service class, putting the HTTP service class above them would result in the URL-based rules or published application-based rules never being used.

Figure 1. Default Service Class List

To create or edit a service class


1. On the Configuration: Service Classes page, click Create, or, next to an existing service class, click Edit.

2. On the Service Classes: Edit Service Class page, set the following parameters:

• Name—The name of the service class.

• Acceleration policy—none, flow control only, memory, or disk. Memory and Disk specify where to store the traffic history used for compression. Disk is usually the best choice, because the appliance automatically selects disk or memory, depending on which is more appropriate for the traffic. Memory specifies memory only. None is used only for uncompressible encrypted traffic and real-time video.

• Traffic shaping policy—Assigns a traffic-shaping policy to the service class. Traffic shaping policies have a weighted priority and other attributes that determine how matching traffic will be treated, relative to other traffic. Most service classes are set to Default Policy, but higher-priority traffic can be assigned a higher-priority traffic-shaping policy, and lower-priority traffic can be assigned a lower-priority policy.

• Filter rules—Rules defining service classes. If a rule is evaluated as TRUE for a given connection, the connection is assigned to that service class. Filter rules for most service classes consist solely of a list of applications, but rules can also include IP addresses, VLAN tags, DSCP values, and SSL profile names. All the fields in a rule default to Any (a wildcard). Fields within a rule are ANDed together.

• Enabled/disabled—If you clear the Enabled check box for a service class, that class is not applied to traffic, but its definition is retained.

3. Click Save.
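The first-match ordering and the filter-rule semantics described above (fields default to Any, fields within a rule are ANDed) can be modelled offline to find definitions that an earlier, more general definition makes unreachable. This is an added example, not Citrix code: the class names, the `BROADER` application hierarchy and the dictionary layout are assumptions made for illustration.

```python
ANY = None  # every field in a filter rule defaults to Any (a wildcard)

# Constructed hierarchy: traffic classified as a URL-based or published
# application is still HTTP or ICA traffic, so the broader rule matches it too.
BROADER = {"example (URL)": "HTTP", "Notepad (published app)": "ICA"}


def app_family(app):
    """Return the application plus every broader application it also matches."""
    family = set()
    while app is not None:
        family.add(app)
        app = BROADER.get(app)
    return family


def rule_matches(rule, conn):
    """Fields within one rule are ANDed; an absent field means Any."""
    for field, allowed in rule.items():
        if allowed is ANY:
            continue
        if field == "app":
            if not app_family(conn.get("app")) & allowed:
                return False
        elif conn.get(field) not in allowed:
            return False
    return True


def classify(service_classes, conn):
    """The first enabled definition with a TRUE rule becomes the service class."""
    for sc in service_classes:
        if sc.get("enabled", True) and any(rule_matches(r, conn) for r in sc["rules"]):
            return sc["name"]
    return None


def rule_covers(general, specific):
    """True if every connection matching `specific` also matches `general`."""
    for field, allowed in general.items():
        if allowed is ANY:
            continue
        narrow = specific.get(field, ANY)
        if narrow is ANY:
            return False
        if field == "app":
            if not all(app_family(a) & allowed for a in narrow):
                return False
        elif not narrow <= allowed:
            return False
    return True


def shadowed(service_classes):
    """List (class, earlier_class) pairs where the later class can never match.

    Conservative: only detects a rule covered by one single earlier rule.
    """
    findings = []
    active = [sc for sc in service_classes if sc.get("enabled", True)]
    for i, later in enumerate(active):
        for earlier in active[:i]:
            if later["rules"] and all(
                any(rule_covers(g, s) for g in earlier["rules"]) for s in later["rules"]
            ):
                findings.append((later["name"], earlier["name"]))
                break
    return findings


# Constructed service-class definitions.
HTTP = {"name": "HTTP: Internet", "rules": [{"app": {"HTTP"}}]}
EXAMPLE = {"name": "Example site", "rules": [{"app": {"example (URL)"}}]}
VOICE = {"name": "Voice VLAN", "rules": [{"app": {"VoIP"}, "vlan": {100}}]}

WRONG_ORDER = [HTTP, EXAMPLE, VOICE]   # general HTTP class listed first
RIGHT_ORDER = [EXAMPLE, HTTP, VOICE]   # exception precedes the general case

if __name__ == "__main__":
    conn = {"app": "example (URL)", "vlan": 10}
    print("wrong order ->", classify(WRONG_ORDER, conn), shadowed(WRONG_ORDER))
    print("right order ->", classify(RIGHT_ORDER, conn), shadowed(RIGHT_ORDER))
```
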


Traffic Shaping

The CloudBridge traffic shaper is an easy-to-use solution for link congestion. Traffic shaping is highly configurable for sites with special needs, but the default settings are fine for most installations, providing the following benefits:

• Increased responsiveness for interactive traffic such as XenApp and XenDesktop.

• Protection of latency- and jitter-sensitive VoIP traffic.

• No “hitting the wall” during peak periods. You get usable performance even under extreme load.

• Improved bandwidth utilization by allowing bulk transfers to fill the link with whatever bandwidth is left over from interactive tasks.

• Extension of the benefits of fair queuing to all traffic

The traffic shaper is based on bandwidth-limited fair queuing, which gives each service class its fair share of the link bandwidth. If the link is otherwise idle, any connection (in any service class) can use the entire link. When multiple connections are competing for the link bandwidth, the traffic shaper applies traffic shaping policies to determine the right mix of traffic. Every TCP connection or non-TCP flow has a traffic shaping policy. The traffic shaping policy is arrived at in a three-stage process:

1. The traffic is examined by the application classifier to determine what application it belongs to.

2. The application is looked up in the service-class list to see which service class it belongs to.

3. The traffic-shaping policy specified by the service-class definition sets the weighted priority and other parameters for this traffic.

The total bandwidth available for all connections sharing a link is determined by a link definition. Similarly to the way an application is matched against a list of service classes to determine the service class, a link is matched against a list of link definitions to find the definition that specifies the inbound and outbound bandwidths of the link. To remember which entity does what, keep the following points in mind:

• The link definition tells the traffic shaper how fast to send data for the link.

• The application classifier determines which service class to use.

• The service-class definition specifies the traffic-shaping policy and whether acceleration is to be attempted.

• The traffic-shaping policy sets the weighted priority and a few other parameters to be used on the traffic.


Note: For more information about the application classifier and service classes, see Mechanisms Common to Acceleration and Traffic Shaping.

Some highlights of the traffic shaper:

• All WAN traffic is subject to traffic shaping: accelerated connections, unaccelerated connections, and non-TCP traffic such as UDP flows and GRE streams.

• The algorithm is weighted fair queuing, in which the administrator assigns each service class a priority. Each service class represents a bandwidth pool, entitled to a minimum fraction of the link speed, equal to (my_priority/sum_of_all_priorities). A service class with a weighted priority of 100 gets twice as much bandwidth as a service class with a weighted priority of 50. You can assign weights from 1 through 256.

• Each connection within a service class gets an equal share of the bandwidth allotted to that service class.

• Each connection gets its fair share of the link bandwidth, because priorities are applied to the actual WAN data transferred, after compression. For example, if you have two data streams with the same priority, one achieving 10:1 compression and the other achieving 2:1 compression, users see a 5:1 difference in throughput, even though the WAN link usage of the two connections is identical. In practice, this disparity is desirable, because WAN bandwidth, not application bandwidth, is the scarce resource that needs to be managed.

• Traffic-shaping policies apply equally to both accelerated and unaccelerated traffic. For example, an accelerated XenApp connection and an unaccelerated XenApp connection both receive traffic shaping, so both can have an elevated priority compared to bulk traffic. As another example, time-sensitive non-TCP traffic, such as VoIP (which uses the UDP protocol) can be expedited.

• Traffic shaping is applied to the WAN link in both the sending and receiving directions, to both accelerated and non-accelerated traffic. This feature prevents congestion and increased latency even when the other side of the link is not equipped with a CloudBridge appliance. For example, Internet downloads can be prioritized and managed.

• The traffic-shaping policy for a service class can be specified on a per-link basis if desired.

In addition to shaping the traffic directly, the traffic shaper can affect it indirectly by setting the Differentiated Services Code Point (DSCP) field to inform downstream routers about the type of traffic shaping each packet requires.


Traffic Shaping Changes Since Release 5.x

In releases 6.0 and later, a new traffic-shaping engine manages all the traffic on your WAN links, in both the incoming and outgoing directions. It replaces the previous system, Repeater QoS, which operated only on accelerated traffic and in the sending direction only.

When upgrading an appliance from release 5.x to release 6.x, any Repeater QoS definitions are automatically converted to traffic-shaping policies. For example, if a QoS category of "Queue A" was assigned 30% of the link in release 5.x, this category is converted into a traffic-shaping policy called "Queue A" with a priority of 30.

For the release 5.x default case, in which 100% of the link is assigned to Queue A, no conversion is done. The release 6.0 defaults are used instead.

However, the principles of release 6.x traffic shaping are different from those of Repeater 5.x QoS. QoS settings cannot be migrated when you upgrade to release 6.x. Advantages of traffic shaping over the old system include:

• All link traffic is shaped, not just accelerated connections.

• The old system of five queues has been replaced with one queue per service class, with weighted fair queuing among queues.

• Traffic is shaped independently for each link.

• The improved application classifier allows more fine-grained control over traffic shaping.


Weighted Fair Queuing

In any link, the bottleneck gateway determines the queuing discipline, because data in the non-bottleneck gateways does not back up. Without pending data in the queues, the queuing protocol is irrelevant.

Most IP networks use deep FIFO queues. If traffic arrives faster than the bottleneck speed, the queues fill up and all packets suffer increased queuing times. Sometimes the traffic is divided into a few different classes with separate FIFOs, but the problem remains. A single connection sending too much data can cause large delays, packet losses, or both for all the other connections in its class.

A CloudBridge appliance uses weighted fair queuing, which provides a separate queue for each connection. With fair queuing, a too-fast connection can overflow only its own queue. It has no effect on other connections. But because of lossless flow control, there is no such thing as a too-fast connection, and queues do not overflow.

The result is that each connection has its traffic metered into the link in a fair manner, and the link as a whole has an optimal bandwidth and latency profile.

The following figure shows the effect of fair queuing. A connection that requires less than its fair share of bandwidth (the bottom connection) gets as much bandwidth as it attempts to use. In addition, it has very little queuing latency. Connections that attempt to use more than their fair share get their fair share, plus any bandwidth left over from connections that use less than their fair share.

Figure 1. Fair Queuing in Action

The optimal latency profile provides users of interactive and transactional applications with ideal performance, even when they are sharing the link with multiple bulk transfers. The combination of lossless, transparent flow control and fair queuing enables you to combine all kinds of traffic over the same link safely and transparently.

The difference between weighted fair queuing and unweighted fair queuing is that weighted fair queuing includes the option of giving some traffic a higher priority (weight) than others. Traffic with a weight of two receives twice the bandwidth of traffic with a weight of one. In a CloudBridge configuration, the weights are assigned in traffic-shaping policies.
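The share formula (my_priority/sum_of_all_priorities) and the redistribution of unused bandwidth described above can be worked through numerically. The following is an added example, not the appliance's algorithm: it uses a standard weighted max-min ("water-filling") allocation as a model, and the class names, demands and the optional bandwidth limit column are constructed.

```python
def minimum_fraction(weight, all_weights):
    """Minimum fraction of link speed: my_priority / sum_of_all_priorities."""
    return weight / sum(all_weights)


def wfq_allocate(link_kbps, classes):
    """Weighted max-min fair allocation of WAN bandwidth.

    classes maps name -> (weight, demand_kbps, limit_percent or None).
    A class that wants less than its weighted share gets what it asks for;
    the bandwidth it leaves over is shared among the rest by weight.
    limit_percent models a bandwidth cap stated as a percentage of link speed.
    """
    want = {}
    for name, (weight, demand, limit_pct) in classes.items():
        cap = demand if limit_pct is None else min(demand, link_kbps * limit_pct / 100)
        want[name] = (weight, cap)

    alloc, remaining = {}, float(link_kbps)
    while want:
        total = sum(w for w, _ in want.values())
        # Classes whose demand fits inside their current weighted share.
        done = [n for n, (w, d) in want.items() if d <= remaining * w / total]
        if not done:
            # Everyone left wants more than its share: split strictly by weight.
            for n, (w, _) in want.items():
                alloc[n] = remaining * w / total
            break
        for n in done:
            alloc[n] = want[n][1]
            remaining -= want[n][1]
            del want[n]
    return alloc


def user_throughput(wan_kbps, compression_ratio):
    """Application-level throughput seen by the user for a given WAN share."""
    return wan_kbps * compression_ratio


# Constructed scenario: a 1000 kbps link, one light interactive class and
# two greedy bulk classes with weights 100 and 50.
SCENARIO = {
    "Interactive": (100, 100, None),
    "Bulk A": (100, 5000, None),
    "Bulk B": (50, 5000, None),
}

if __name__ == "__main__":
    for name, kbps in wfq_allocate(1000, SCENARIO).items():
        print(f"{name:12s} {kbps:7.1f} kbps")
```

In the constructed scenario the interactive class gets the 100 kbps it asks for, and the 900 kbps left over is split 2:1 between the two bulk classes.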


Traffic Shaping Policies

Every service class definition specifies a traffic-shaping policy, which sets parameters for traffic of the associated service class. The following figure shows the page on which you create a traffic-shaping policy.

Figure 1. Creating a New Traffic-Shaping Policy

A traffic-shaping policy consists of the following parameters:

• Name—The name of the policy.

• Weighted Priority (1-256)—Traffic with a higher weighted priority gets more bandwidth. A service class with a weighted priority of 256 is entitled to 256 times the bandwidth of a connection with a weighted priority of 1. (In practice, these bandwidth ratios are seen only in bulk-transfer traffic for which the traffic shaper is the dominant bottleneck. Protocols that are RTT-limited, interactive, or contain their own bandwidth managers—Citrix XenApp falls into all three categories—show different ratios, because factors other than the traffic shaper also affect the traffic.)

• ICA priorities—Usually used only in the Citrix policy, to declare a mapping between the four XenApp/XenDesktop priority bits and traffic-shaper weighted priorities. Creating an ICA Traffic-Shaping Policy That Specifies Per-Priority DSCP Values shows the Traffic Shaping Policies: Create Policy page with the Set ICA Priorities section expanded.

• Optimize for Voice—Handle with care. This option gives the traffic a weighted priority of infinity, so it monopolizes the link if there is enough traffic to do so.

• Use only for VoIP data traffic (not VoIP control traffic).

• Always use a maximum bandwidth policy with this feature, such as “75% of link speed.”

• Never use this feature for TCP traffic.


• Set Diffserv/TOS—Sets the DSCP bits on output packets to the selected value. Used to control downstream routers. For ICA (XenApp/XenDesktop) traffic, each of the four ICA priority values can be tagged with a different DSCP value. This capability is particularly valuable with the new Multistream ICA feature, in which the XenApp or XenDesktop client uses different connections for different priority levels.

• Limit Bandwidth—Prevents the traffic using this policy from exceeding the specified bandwidth, stated either as a percentage of link speed or as an absolute value. Citrix recommends specifying a percentage, so that the same definition can apply to links of different speeds. This feature can leave bandwidth unused. For example, a policy set to 50% of link speed does not allow the affected traffic to use more than 50% of the link, even if the link is otherwise idle. Throttling traffic in this way is inconsistent with maximum performance, so this feature is rarely used, except with VoIP traffic with the Maximize for Voice setting.

A CloudBridge appliance ships with factory-default policies that span a broad range of priorities, with each policy separated from its neighbors by a factor of two in priority. These policies are listed on the Configuration: Traffic Shaping Policies page. Note that, with the exception of “Default Policy,” at the bottom of the traffic shaping policies list, the factory-default policies cannot be edited or deleted. The reason is to ensure that they have the same meaning on all appliances. To make changes, create a new traffic-shaping policy with the new parameters and change the appropriate service-class definitions to refer to the new traffic-shaping policy.


Figure 2. Creating an ICA Traffic-Shaping Policy That Specifies Per-Priority DSCP Values

You can assign different traffic-shaping priorities to different values of the two-bit ICA priority field (a bit field in the Citrix ICA and CGP protocols used by XenApp and XenDesktop).

Note: The controls for ICA priorities are hidden by default on the Configuration: Traffic Shaping Policies: Create Policy page. Press the Show All Advanced Options button to show them.

The advanced options support both single-connection and multi-connection ICA/CGP streams. In single-connection streams (the traditional ICA/CGP implementation) all four priorities are multiplexed in a single connection, and the ICA priority field of the connection changes with the kind of data being sent. The CloudBridge appliance changes its traffic-shaping priority to match. The newer multi-connection option uses different connections for different priority levels, with a static ICA priority for each connection.

ICA priorities can be mapped to Differentiated Services Code Point (DSCP) values in the IP header, informing the downstream routers about the kind of handling that each packet requires.

Note that, if you clear the Set ICA Priorities check box for a traffic-shaping policy, existing connections governed by that policy are reclassified as Other TCP traffic for the rest of their lifetimes. They cannot be transferred from one ICA traffic-shaping state to another.


TCP Flow-Control Acceleration

Ordinary WANs have very poor responsiveness at high link utilization and at long distances. A widely used rule of thumb for ordinary, non-accelerated WAN links is, "once link utilization reaches 40%, it is time to add more bandwidth, because performance and reliability have degraded to the point where the link is largely unusable." Interactive performance suffers, making it hard for people to get work done, and connections frequently time out. Accelerated links do not have this problem. A link with 95% utilization is still perfectly usable.

CloudBridge appliances become virtual gateways that control the TCP traffic on the WAN link. Ordinary TCP is controlled on a per-connection basis by the endpoint devices. Optimal control of link traffic is difficult, because neither the endpoint devices nor individual connections have any knowledge of the link speed or the amount of competing traffic. A gateway, on the other hand, is in an ideal position to monitor and control link traffic. Ordinary gateways squander this opportunity because they cannot supply the flow control that TCP lacks. CloudBridge technology adds the intelligence that is missing in the network equipment and the TCP connections alike. The result is greatly improved WAN performance, even under harsh conditions such as high loss or extreme distance.

CloudBridge flow control is lossless and transparent, and it implements a broad spectrum of speed optimizations. No configuration is required, because of autodiscovery and autoconfiguration. You might, however, have to tweak your firewalls if they block the TCP options used by the acceleration algorithms.


Lossless, Transparent Flow Control

Acceleration operates on any TCP connection passing through two appliances (one at the sending site and one at the receiving site), or a CloudBridge appliance and a CloudBridge Plug-in. Although the above figure shows a network of two appliances, any appliance can accelerate connections between any number of other appliance-equipped sites simultaneously. This allows a single appliance to be used per site, rather than two per link.

Like any gateway, the CloudBridge appliance meters packets onto the link. Unlike ordinary gateways, however, it imposes transparent, lossless flow control on each link segment, including:

• The LAN segment between the sender and the sending appliance

• The WAN segment between the sending and receiving appliances

• The LAN segment between the receiving appliance and the receiver

Flow control can be managed independently for each of these three segments. The segments are partly decoupled, so each can have its speed controlled independently. This is important when a connection's speed needs to be ramped up or down quickly to its fair bandwidth share, and is also important as a means of supporting enhanced WAN algorithms and compression.

The TCP protocol is designed to make every TCP connection attempt to increase its bandwidth usage continuously. However, the link bandwidth is limited. The result is that the links become overrun. CloudBridge flow control keeps the TCP connections flowing at just the right speed. The link is filled but is never overrun, so queuing latency and packet losses are minimized, while throughput is maximized.

With ordinary TCP, long-running connections (which have had time to seize all the bandwidth) tend to squeeze out short-running connections. This problem, which ruins interactive responsiveness, does not occur with flow control.

Flow control is a standard feature on all appliances in the CloudBridge family.


Figure 1. Acceleration Enhances Performance Transparently


Speed Optimizations

Most TCP implementations do not perform well over WAN links. To name just two problems, the standard TCP retransmission algorithms (Selective Acknowledgments and TCP Fast Recovery) are inadequate for links with high loss rates, and do not consider the needs of short-lived transactional connections.

CloudBridge implements a broad spectrum of WAN optimizations to keep the data flowing under all kinds of adverse conditions. These optimizations work transparently to ensure that the data arrives at its destination as quickly as possible.

WAN optimization operates transparently and requires no configuration.

WAN optimization is a standard feature on all CloudBridge appliances.

The figure below shows the transfer speeds possible at various distances, without acceleration, when the endpoints use standard TCP (TCP Reno). For example, gigabit throughputs are possible without acceleration within a radius of a few miles, 100 Mbps is attainable to less than 100 miles, and throughput on a worldwide connection is limited to less than 1 Mbps, regardless of the actual speed of the link. With acceleration, however, the speeds above the diagonal line become available to applications. Distance is no longer a limiting factor.

Figure 1. Non-accelerated TCP Performance Plummets With Distance

Note: Without Citrix acceleration, TCP throughput is inversely proportional to distance, making it impossible to extract the full bandwidth of long-distance, high-speed links. With acceleration, the distance factor disappears, and the full speed of a link can be used at any distance. (Chart based on model by Mathis, et al, Pittsburgh Supercomputer Center.)

Accelerated transfer performance is approximately equal to the link bandwidth. The transfer speed is not only higher than with unaccelerated TCP, but is also much more constant in the face of changing network conditions. The effect is to make distant connections behave as if they were local. User-perceived responsiveness remains constant regardless of link utilization. Unlike normal TCP, with which a WAN operating at 90% utilization is useless for interactive tasks, an accelerated link has the same responsiveness at 90% link utilization as at 10%.

With short-haul connections (ones that fall below the diagonal line in the figure above), little or no acceleration takes place under good network conditions, but if the network becomes degraded, performance drops off much more slowly than with ordinary TCP.

Non-TCP traffic, such as UDP, is not accelerated. However, it is still managed by the traffic shaper.

Example

One example of CloudBridge's advanced TCP optimizations is a retransmission optimization called transactional mode. A peculiarity of TCP is that, if the last packet in a transaction is dropped, its loss is not noticed by the sender until a receiver timeout (RTO) period has elapsed. This delay, which is always at least one second long, and often longer, is the cause of the multiple-second delays seen on lossy links: delays that make interactive sessions unpleasant or impossible.

Transactional mode solves this problem by automatically retransmitting the final packet of a transaction after a brief delay. Therefore, an RTO does not happen unless both copies are dropped, which is unlikely.

A bulk transfer is basically a single enormous transaction, so the extra bandwidth used by transactional mode for a bulk transfer can be as little as one packet per file. However, interactive traffic, such as key presses or mouse movements, has small transactions. A transaction might consist of a single undersized packet. Sending such packets twice has a modest bandwidth requirement. In effect, transactional mode provides forward error correction (FEC) on interactive traffic and gives end-of-transaction RTO protection to other traffic.


Autodiscovery and Autoconfiguration

In a patent-pending process called autodiscovery, CloudBridge units detect each other's presence automatically. The appliances attach TCP header options to the first packets in each connection: the SYN packet (sent by the client to the server to open the connection), and the SYN-ACK packet (sent by the server to the client to indicate that the connection has been accepted). By tagging the SYN packets and listening for tagged SYN and SYN-ACK packets, the appliances can detect each other's presence in real time, on a connection-by-connection basis.

The main benefit of autodiscovery is that you do not have to reconfigure all of your appliances every time you add a new one to your network. They find each other automatically. In addition, the same process allows autoconfiguration. The two appliances use the TCP header options to exchange operating parameters, including the bandwidth limits (in both the sending and receiving directions), the basic acceleration mode (hardboost or softboost), and the acceptable compression modes (disk, memory, or none). All of the information that each appliance needs about its partner is exchanged with each connection, allowing per-connection variations (for example, per-service-class variations in the allowable compression types).

Figure 1. How Autodiscovery Works

The autodiscovery process works as follows:

1. The client opens a TCP connection to the server, as usual, by sending it a TCP SYN packet.

2. The first appliance passes the SYN packet through after attaching a set of appliance-specific TCP header options to it and adjusting its window size.

3. The second appliance reads the TCP options, removes them from the packet, and forwards the packet to the server.

4. The server accepts the connection by responding as usual with a TCP SYN-ACK packet.

5. The second appliance remembers that this connection is a candidate for acceleration and attaches its own acceleration options to the SYN-ACK header.

6. The first appliance reads the options added by the second appliance, strips them from the packet header, and forwards the packet to the client. The connection is now accelerated. The two appliances have exchanged the necessary parameters through the option values, and they store them in memory for the duration of the connection.

The connection is accelerated, and the acceleration is transparent to the client, server, routers, and firewalls.

Softboost and Hardboost

TCP flow control has two modes: softboost and hardboost.

Softboost uses a rate-based sender that sends accelerated traffic at speeds up to the link's bandwidth limit. If the bandwidth limit is set slightly lower than the link speed, packet loss and latency are minimized, while link utilization is maximized. Interactive applications see fast response times while bulk-transfer applications see high bandwidth. Softboost shares the network with other applications in any topology, and it interoperates with third-party QoS systems.

Hardboost is more aggressive than softboost. By ignoring packet losses and other so-called "congestion signals," it performs very well on links plagued with heavy, non-congestion-related losses, such as satellite links. It is also excellent on low-quality, long-haul links with a high background packet loss, such as many overseas links. Hardboost is recommended only for point-to-point links that do not achieve adequate performance with softboost.

Note:

• Hardboost should be used only on fixed-speed point-to-point links or hub-and-spoke deployments where the hub bandwidth is at least equal to the sum of the accelerated spoke bandwidths.

• Softboost and hardboost are mutually exclusive, which means that all the appliances that must communicate with each other must be set to the same mode. If one unit is set to hardboost and the other is set to softboost, no acceleration takes place.

To select softboost mode

Softboost is the default mode and is recommended in most cases.

1. On the Configuration: Links: Hardboost/Softboost tab, select Softboost as the WAN Boost Mode.

2. Click Update.

To select hardboost mode

Select hardboost mode only on fixed-speed point-to-point links or hub-and-spoke links where the hub bandwidth is greater than or equal to that of the accelerated spoke links.

1. On the Configuration: Links: Hardboost/Softboost tab, select Hardboost as the WAN Boost Mode.

2. Set WAN Bandwidth Receive Limit to 95% of the link speed.

3. Click Update.

Firewall Considerations

The CloudBridge appliance's use of TCP options puts accelerated traffic at risk from firewalls that have aggressive rules about denying service to connections using less-common TCP options.

Some firewalls strip off the "unknown" options and then forward the packet. This action prevents acceleration but does not impair connectivity.

Other firewalls deny service to connections with unknown options. That is, the SYN packets with CloudBridge options are dropped by the firewall. When the appliance detects repeated connection-attempt failures, it retries without the options. This restores connectivity after a delay of variable length, usually in the range of 20-60 seconds, but without acceleration.

Any firewall that does not pass CloudBridge options through unmodified must be reconfigured to accept TCP options in the range of 24–31 (decimal).

Most firewalls do not block these options. However, Cisco ASA and PIX firewalls (and perhaps others) with release 7.x firmware might do so by default.

The firewalls at both ends of the link should be examined, because either one might be permitting options on outgoing connections but blocking them on incoming connections.

The following example should work with Cisco ASA 55x0 firewalls using 7.x firmware. Because it globally allows options in the range of 24-31, there is no customized per-interface or per-unit configuration:

====================================================================
CONFIGURATION FOR CISCO ASA 55X0 WITH 7.X CODE TO ALLOW TCP OPTIONS
====================================================================
hostname(config)# tcp-map WSOptions
hostname(config-tcp-map)# tcp-options range 24 31 allow
hostname(config-tcp-map)# class-map WSOptions-class
hostname(config-cmap)# match any
hostname(config-cmap)# policy-map WSOptions
hostname(config-pmap)# class WSOptions-class
hostname(config-pmap-c)# set connection advanced-options WSOptions
hostname(config-pmap-c)# service-policy WSOptions global

Configuration for a PIX firewall is similar:

=====================================================
POLICY MAP TO ALLOW APPLIANCE TCP OPTIONS TO PASS (PIX 7.x)
=====================================================
pixfirewall(config)# access-list tcpmap extended permit tcp any any
pixfirewall(config)# tcp-map tcpmap
pixfirewall(config-tcp-map)# tcp-opt range 24 31 allow
pixfirewall(config-tcp-map)# exit
pixfirewall(config)# class-map tcpmap
pixfirewall(config-cmap)# match access-list tcpmap
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map global_policy
pixfirewall(config-pmap)# class tcpmap
pixfirewall(config-pmap-c)# set connection advanced-options tcpmap
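
To tell which of the firewall behaviors described above applies on a path (pass, strip, or drop), compare the same SYN or SYN-ACK header captured on each side of the firewall. The following Python sketch is an added example, not Citrix code: it relies only on standard TCP option framing and the 24-31 range given above, and the sample headers and the option payload bytes are constructed, because this page does not document the option contents.

```python
import struct

# TCP option kinds that must pass unmodified for acceleration (24-31 decimal).
APPLIANCE_OPTION_KINDS = range(24, 32)


def build_tcp_header(flags, options):
    """Build a constructed TCP header carrying `options` (sample data only)."""
    options = options + b"\x01" * (-len(options) % 4)  # NOP-pad to 32 bits
    if len(options) > 40:
        raise ValueError("TCP allows at most 40 bytes of options")
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0,
                        data_offset << 4, flags, 65535, 0, 0)
    return fixed + options


def parse_tcp_options(tcp_header):
    """Return [(kind, data), ...] for the options in a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("data offset does not fit the captured bytes")
    opts = tcp_header[20:data_offset]
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # NOP, single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option truncated before its length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length out of bounds")
        found.append((kind, opts[i + 2:i + length]))
        i += length
    return found


def appliance_options(tcp_header):
    """Options whose kind falls in the 24-31 range used for autodiscovery."""
    return [(k, d) for k, d in parse_tcp_options(tcp_header)
            if k in APPLIANCE_OPTION_KINDS]


def classify_firewall(before, after):
    """Compare one packet's header before and after a firewall.

    `before` is the header captured on the appliance side; `after` is the
    same packet on the far side, or None if it never arrived there.
    """
    tagged = appliance_options(before)
    if not tagged:
        return "untagged"        # nothing to judge: packet carried no 24-31 option
    if after is None:
        return "dropped"         # connectivity returns only after the retry delay
    seen = appliance_options(after)
    if seen == tagged:
        return "passed"          # acceleration can be negotiated
    if not seen:
        return "stripped"        # connectivity works, acceleration does not
    return "modified"            # options altered in transit


# Constructed sample data.
SYN = 0x02
MSS = bytes([2, 4, 0x05, 0xB4])
SACK_PERMITTED = bytes([4, 2])
TAG = bytes([24, 6, 0, 1, 2, 3])  # kind 24; payload bytes are placeholders

SYN_TAGGED = build_tcp_header(SYN, MSS + SACK_PERMITTED + TAG)
SYN_STRIPPED = build_tcp_header(SYN, MSS + SACK_PERMITTED)

if __name__ == "__main__":
    for label, after in [("pass-through", SYN_TAGGED),
                         ("stripping", SYN_STRIPPED),
                         ("dropping", None)]:
        print(label, "->", classify_firewall(SYN_TAGGED, after))
```

Run the comparison in both directions, because a firewall might pass the options on outgoing connections and block them on incoming ones.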

Video Caching

Video caching improves the viewing experience for HTTP video streams, especially on slower links. First-time viewing gains no benefit and is limited by WAN speed, but subsequent viewing is significantly improved because the cached video stream is provided at LAN speed.

The video caching feature uses an intercepting proxy cache to examine all HTTP requests. Requests that meet the requirements listed below are cached. Videos are only served from the cache if they are evaluated to be fresh by the cache engine. Otherwise, they are re-fetched for the viewer and the cache store from the actual video website.

Unlike normal CloudBridge TCP operation, where the appliance preserves the original source and destination addresses, CloudBridge replaces the client's source address with the IP address assigned to the accelerated bridge, so all HTTP traffic passing through the appliance appears to originate from the appliance itself.

A video is cached when all of the following criteria are met:

• The protocol used to stream the video is HTTP, on port 80.

• The video website is available in, and has been added from, the Supported Applications list on the Video Caching configuration page. By default, the supported applications include YouTube, Vimeo, Youku, and Metacafe.

• Apart from the supported applications listed on the Video Caching configuration page, you can specify additional websites to be supported by the video caching feature. Note that these websites should not have any cache avoidance mechanisms, such as adding random characters to the URL.

• The video must be in one of the recognized video formats, which include: .3gp, .avi, .dat, .divx, .dvx, .dv-avi, .h264, .hdmov, .flv, .fmv, .m15, .m1v, .m21, .m2a, .m2v, .m4e, .m4v, .m75, .moov, .mov, .movie, .mp21, .mp2v, .mp4, .mp4v, .mpe, .mpeg, .mpeg4, .mpg, .mpg2, .mpv, .mts, .ogg, .ogv, .qt, .qtm, .ra, .rm, .ram, .rmd, .rms, .rmvb, .rp, .rv, .ts, .webm, .wm, .wma, .wmv, .wtv, .vfw, and .vob.

Websites supported

After you enable the video caching feature, you can access the Supported Applications list from the Configuration > Optimization Rules > Video Caching screen. Currently, the software supports the following websites by default:

• YouTube

• Vimeo.com

• Metacafe.com

• Youku.com

Platforms supported

The video caching feature is supported by the following appliances:

• CloudBridge 600 with the 1 Mbps or 2 Mbps bandwidth license model.

• CloudBridge 2000 with all bandwidth license models.

Video Server supported

The video caching feature is supported by Adobe Flash Media Server 4.5.

Deployment modes supported

Video caching is currently supported for Inline mode deployments only.

Caveats for Video Caching Feature

The following are important caveats regarding the video caching feature.

• If any of the supported websites changes the way it presents content, the video caching benefit for that site might not be achieved until the video caching policy file is updated. When such occasional changes happen, Citrix provides an updated video caching policy file, which you can upload through your CloudBridge interface to regain the caching benefits for that video website. For instructions, see Upgrading the Video Caching Policy File.

• Some video websites might use different file formats for the same video, depending on the operating system or the browser used to access the video. This might result in a cache miss.

Use Cases

Branch Office with XenApp and XenDesktop Users using HDX MediaStream Flash Redirection Feature

HDX flash redirection is a feature of XenApp and XenDesktop. Instead of rendering the video on the remote XenDesktop using server-side internet or the datacenter internet, this feature tunnels flash videos to the local system. The video is streamed to and rendered on the actual client machine, using the branch office internet. If the user enables the Video Caching feature on the branch-side CloudBridge, the user can significantly improve the re-watch experience and reduce the bandwidth requirement for streaming videos.

Enterprise HTTP Video Web Server

In this use case, users access the video web servers from the datacenter. When the user enables the video caching feature on the branch-side CloudBridge appliance, the user request is served from the cache of the branch-side CloudBridge appliance. This helps reduce network traffic to the datacenter CloudBridge appliance. As a result, the bandwidth of the datacenter CloudBridge appliance can be used to serve traffic for other branches.

Branch Office Access

In this use case, users access the internet through the web browsers on their computers. Those requests that involve video content from an enabled site, such as Vimeo, are cached on the local appliance. Any subsequent access of the same video results in cache hits on the local appliance, allowing the video to be delivered at LAN speed and without waiting for the remote server.

Unlike other CloudBridge features, which provide benefit by accelerating traffic such as FTP, MAPI, and CIFS between paired devices, this feature is a single-ended operation that requires only the local appliance, which must have access to the video website.

Configuring the Video Caching Feature

You can configure the video caching feature through the CloudBridge graphical user interface.

Prerequisites

• Make sure that you can ping the apA/apB gateway, and that the DNS server details are accurate and resolve the DNS name www.Citrix.com.

• Video caching is an optional feature that is turned off by default. Enable the feature when you have a good amount of HTTP video traffic.

To configure the video caching feature by using the GUI

1. On the Configuration tab, in the navigation pane, expand Appliance Settings, click Network Adapters, and verify that the IP address, network mask, and default gateway specified for an accelerated pair (for example, apA) are accurate.

2. On the same tab, verify that the Primary DNS Server details are accurate and resolve the DNS name www.Citrix.com.

3. On the Configuration > Appliance Settings > Features screen, enable Video Caching. When prompted with a warning message, click OK.

Note: If you click OK, the service is restarted and a new caching partition is created, reducing the disk space allocated to other disk based compression and invalidating disk based compression history.

4. Navigate to the Configuration > Optimization Rules > Video Caching page and from the Supported Applications list, select the predefined applications that you want to enable.

5. Click Add>>, and then click Apply. This enables all the predefined video applications.

Adding Video Websites

Video-content websites that do not require URL rewrite can be configured to support the video caching feature. Custom sites (for example, the corporate datacenter) that do not have any cache avoidance mechanisms can be included as application classifiers. These can be added to the list of default sites by defining them as supported applications on the Video Caching configuration page. The Video Websites application group has been added and can be used to create the application classifiers.

To add video websites, follow these steps:

1. Navigate to Configuration > Optimization Rules > Application Classifiers.

2. From the Application Group drop-down menu, select Video Websites, and then click Create.

3. In Application Classifiers: Create Application, supply the following information:

a. Name—Type the name of the application.

b. Description—Optionally, type a short description of the application.

c. Application Group—Select Video Websites from the list.

d. Classification Type—Select Web Address from the list.

e. Classification Parameters—Type the IP address or server hostname.

4. Click Save. The application you created is available in the Supported Applications list on the Configuration > Optimization Rules > Video Caching page. You can now select the application you added from the Supported Applications list, click Add>>, and then click Apply.

Configuring the Maximum Size of the Cached Objects

You can configure a maximum size of cached objects. An object that is larger than this limit is not cached. By default, the maximum caching object size is 100MB. To change it, navigate to Configuration > Optimization Rules > Video Caching > Advanced and select a value from the available limits.

Configuring the Default Domain Name

For URLs that do not contain a domain name, you need to append the default domain name to get the response.

To configure a default domain name, navigate to Configuration > Optimization Rules > Video Caching > Advanced, specify the domain name in the text box, and click Change.

Updating the Video Caching Policy File

If a supported website, such as YouTube, changes the way that it presents content, the video caching benefits are lost for that site. To restore video caching, you can update the Caching Policy file when Citrix makes a new file available.

To update the Video Caching Policy file, navigate to Configuration > System Maintenance > Update Caching Policy and upload the file that you received from Citrix.

Excluding a Server from Cache Engine Interception

Currently, all web traffic (port 80) is routed to the video caching engine. To reduce the load on the cache engine, you can specify the IP addresses or subnets that you want to exclude from video caching.

To exclude a server, navigate to Configuration > Optimization Rules > Video Caching > Advanced, specify the IP address in the text box, select the Exclude check box, select the Interface, and click Add.

Monitoring

Graphs and data on the Monitoring page, Dashboard page, and Usage page help you evaluate the benefits provided by your video caching configuration. The data-reduction ratio resulting from video caching (similar to the overall compression ratio) is displayed on the Dashboard, on the video caching monitoring page, and on the Usage graph page. Also, hovering over the Data Reduction ratio on the Dashboard page displays the caching benefit percentage along with the compression benefit percentage on the supported platforms.

The purpose of caching is not just to save bandwidth, but also to increase performance, decrease load on the video servers, and reduce the impact of network congestion when videos are already in the cache.

The estimated WAN bandwidth savings resulting from video caching are displayed as follows:

• On the Monitoring > Optimization > Video Caching page, you can view the number of objects cached and the Cache Hit Ratio as a percentage. The bar and the time graph display the number of requests and bytes that are served from the cache over 1 minute, 1 hour, 1 day, 1 week, or 1 month. This data is also displayed in a tabular format below the graph.

• On the Dashboard page, you can view the caching benefit as a percentage when you hover over the Data reduction field on the Dashboard. You can also view the bytes served from the cache (Cached Data) under Aggregated Link Throughput.

• On the Monitoring > Optimization > Usage Graphs page, you can view the cached data in the LAN Monitoring graph.

Figure 1. Viewing caching benefit on Dashboard.

Figure 2. Viewing caching benefit on Monitoring page.

Figure 3. Viewing caching benefit on Usage Page.

Upgrade and Downgrade Considerations

Upgrading to or downgrading from CloudBridge 7.0 can affect the resources allocated to other disk based caching (DBC).

Upgrade to CloudBridge 7.0 version

The CloudBridge 7.0 video caching feature is disabled by default. An upgrade to release 7.0 does not create a partition for video caching. When you enable the video caching feature, you are prompted with a warning message stating "Service will be restarted and disk based compression history will be cleared. Do you want to continue?" If you click OK, the acceleration service is restarted and a new caching partition is created, reducing the disk space allocated to other Disk Based Compression and invalidating Disk Based Compression history.

Downgrade from CloudBridge 7.0 version

Because earlier versions of CloudBridge do not support video caching, downgrading to an earlier version removes the video-caching partition and adds its disk space to Disk Based Compression. It also clears the Disk Based Compression history.

Troubleshooting Video Caching

Issue

Client browser shows the "Access Denied" error page.

Resolution

• Access the CloudBridge appliance as a root user through an SSH utility and run the nslookup www.youtube.com command to verify that the appliance can resolve the video website.

• From the SSH utility, verify that you can connect to the DNS Server, reach the apA/apB Gateway, and that a firewall does not block the HTTP connection between the CloudBridge appliance and the server.

• Verify that the video website is accessible by the client when traffic processing is disabled. This is to check whether bypassing the CloudBridge appliance works. After that, enable traffic processing through the appliance and use Wireshark packet captures on the client and on the appliance to verify that they are receiving no HTTP Internal Server errors from the video webserver.

• Use the complete domain-name suffix to access the URL. For example, accessing the http://cloudbridge link shows the Access Denied error page, but you can access the http://cloudbridge.example.net link. To avoid this issue, you can configure the Domain Append feature from the Advanced tab of the Video Caching configuration page.

Issue

Video is not served from the cache when the same video is played again, even when theURL is the same.

Cause

• Video is not served from the cache if the server changes the format (for example, from MP4 to FLV), pixel quality (for example, from 240p to 360p), or chunk size from what it was when the video was cached. This behavior occurs even if the same video is played on the same device or browser.

• Video is not served from the cache if the client, such as Windows Media player, sends the HTTP request with the pragma: no-cache, expecting fresh content from the servers.

• Video is not served from the cache if the object in cache is stale.

• Video is not served from the cache for a YouTube live stream.

• Currently, only 100 concurrent streams can be written to the cache at the same time for a CloudBridge 600, 300, or 2000 appliance. Therefore, if the video stream is in this queue, it only gets cached or can be fetched on subsequent access. See the video caching debug page in the support.html page for the current values.

• A new HTTP connection is bypassed and is not served from the cache if the limit of 500 HTTP connections is reached on a CloudBridge 600, or the limit of 1500 is reached on a CloudBridge 2000 appliance.

• Video is not served from the cache when HTTP partial content (206) is sent by the video server.

How can I determine whether the video file is being cached?

On the "Video Caching" Monitoring page, the counter "No. of Cached Objects" is incremented whenever a file is successfully cached.

Resolving DNS Server Issue when Configuring Video Caching on a CloudBridge Appliance

Resolving Gateway Connectivity Issue when Configuring Video Caching on a CloudBridge Appliance

XenApp/XenDesktop Acceleration

Note: In this discussion, XenApp refers to the ICA and CGP protocol streams. Therefore, what is said about XenApp applies also to XenDesktop.

XenApp/XenDesktop (ICA/CGP) acceleration has three components:

• Compression--The appliance cooperates with XenApp clients and servers to compress XenApp data streams for interactive data (keyboard/mouse/display/audio) and batch data (printing and file transfers). This interaction takes place transparently and requires no configuration of the appliance. A small amount of configuration, described below, is required on older XenApp servers (release 4.x).

• Multistream ICA--In addition to compression, CloudBridge appliances support the new Multistream ICA protocol, in which up to four connections are used for the different ICA priorities, instead of multiplexing all priorities over the same connection. This approach gives interactive tasks greater responsiveness, especially when combined with the appliance’s traffic shaping.

Note: Multistream ICA is disabled by default. It can be enabled on the Features page.

• Traffic shaping--The CloudBridge traffic shaper uses the priority bits in the XenApp data protocols to modulate the connection’s priority in real time, matching the bandwidth share of each connection to what the connection is transmitting at the moment.

XenApp acceleration applies to both the ICA and CGP protocols within XenApp. The CloudBridge appliances, XenApp servers, and XenApp clients provide cooperative acceleration of XenApp connections, providing substantial speedup compared to XenApp alone. This cooperation requires up-to-date versions of all three components.

XenApp compression dynamically switches between memory based compression for interactive channels (such as mouse, keyboard, and screen data) and disk based compression for bulk tasks (such as file transfers and print jobs). Compression ratios increase as compression history fills, increasing the amount of data that can be matched against new data. XenApp compression provides several times as much data reduction as does unassisted XenApp, often exceeding 50:1 on repetitive bulk transfers such as printing or saving successive versions of the same document.

XenApp compression achieves high link utilization without congestion, by preventing users from interfering with each other.

To enable XenApp acceleration

1. If the appliance has been upgraded to CloudBridge 6.x from an earlier release, check the ICA service class policy. On the Configuration: Service Classes page, the ICA service class should show disk in the Acceleration column and ICA Priorities in the Traffic Shaping column. If not, edit the service class definition.

2. Update XenApp 4.x servers and clients. (Not necessary on XenApp 5.0 or later.) Use Presentation Server 4.5 with Hotfix Rollup Pack PSE450W2K3R03 (Beta) or later. This release includes the following server and client software, both of which must be installed for XenApp compression:

a. Server package PSE450R03W2K3WS.msp or later.

b. Client version 11.0.0.5357 or later.

3. Update XenDesktop servers and clients to release 4.0 or later.

4. Verify XenApp server registry settings. (Not necessary on XenApp 5.0 or later.) On the XenApp servers, verify the following settings and correct or create them as necessary:

HKLM\System\CurrentControlSet\Control\Citrix\WanScaler\EnableForSecureIca = 1
HKLM\System\CurrentControlSet\Control\Citrix\WanScaler\EnableWanScalerOptimization = 1
HKLM\System\CurrentControlSet\Control\Citrix\WanScaler\UchBehavior = 2

These are all DWORD values.

5. Open and use XenApp connections, between updated XenApp clients and servers, that pass through the updated CloudBridge. By default, these sessions use CGP. For ICA, on the client, under Citrix Program Neighborhood, clear the Custom ICA Connections check box. Then, right-click a connection icon, navigate to Properties > Options, and clear the Enable Session Reliability check box.

6. Verify acceleration.

After you start XenApp sessions over the accelerated link, accelerated ICA connections should appear on the appliance’s Monitoring: Connections page. A compression ratio of greater than 1:1 indicates that compression is taking place.

br-repeater-plugin-wrapper-con

Due to technical difficulties, we are unable to display this topic. Citrix is currently fixing this problem. In the meantime, you can view this topic online:

http://support.citrix.com/proddocs/index.jsp?lang=en&topic=/cloudbridge-70/br-repeater-plugin-wrapper-con.html

Hardware and Software Requirements

On the client side of the accelerated link, the CloudBridge Plug-in is supported on Windows desktop and laptop systems, but not on netbooks or thin clients. Citrix recommends the following minimum hardware specifications for the computer running the CloudBridge Plug-in:

• Pentium 4-class CPU

• 2 GB of RAM

• 2 GB of free disk space

The CloudBridge Plug-in is supported on the following operating systems:

• Windows XP Home

• Windows XP Professional

• Windows Vista (all 32-bit versions of Home Basic, Home Premium, Business, Enterprise, and Ultimate)

• Windows 7 (all 32-bit and 64-bit versions of Home Basic, Home Premium, Professional, Enterprise, and Ultimate)

• Windows 8 (32-bit and 64-bit versions of Enterprise Edition)

On the server side, the following appliances currently support CloudBridge Plug-in deployments:

• Repeater 8500 Series

• Repeater 8800 Series

• CloudBridge VPX

• CloudBridge 2000

• CloudBridge 3000

• CloudBridge 4000

• CloudBridge 5000

How the CloudBridge Plug-in Works

CloudBridge products use your existing WAN/VPN infrastructure. A computer on which the plug-in is installed continues to access the LAN, WAN, and Internet as it did before installation of the plug-in. No changes are required to your routing tables, network settings, client applications, or server applications.

Citrix Access Gateway VPNs require a small amount of CloudBridge-specific configuration.

There are two variations on the way connections are handled by the plug-in and appliance: transparent mode and redirector mode. Redirector is a legacy mode that is not recommended for new deployments.

• Transparent mode for plug-in-to-appliance acceleration is very similar to appliance-to-appliance acceleration. The CloudBridge appliance must be in the path taken by the packets when traveling between the plug-in and the server. As with appliance-to-appliance acceleration, transparent mode operates as a transparent proxy, preserving the source and destination IP address and port numbers from one end of the connection to the other.

• Redirector mode (not recommended) uses an explicit proxy. The plug-in readdresses outgoing packets to the appliance's redirector IP address. The appliance in turn readdresses the packets to the server, while changing the return address to point to itself instead of the plug-in. In this mode, the appliance does not have to be physically inline with the path between the WAN interface and the server (though this is the ideal deployment).

Best Practice: Use transparent mode when you can, and redirector mode when you must.

Transparent Mode

In transparent mode, the packets for accelerated connections must pass through the target appliance, much as they do in appliance-to-appliance acceleration.

The plug-in is configured with a list of appliances available for acceleration. It attempts to contact each appliance, opening a signaling connection. If the signaling connection is successful, the plug-in downloads the acceleration rules from the appliance, which sends the destination addresses for connections that the appliance can accelerate.

Figure 1. Transparent Mode, Highlighting Three Acceleration Paths

Note:

• Traffic flow--Transparent mode accelerates connections between a CloudBridge Plug-in and a plug-in-enabled appliance.

• Licensing--Appliances need a license to support the desired number of plug-ins. In the diagram, Repeater A2 does not need to be licensed for plug-in acceleration, because Repeater A1 provides the plug-in acceleration for site A.

• Daisy-chaining--If the connection passes through multiple appliances on the way to thetarget appliance, the appliances in the middle must have "daisy-chaining" enabled, oracceleration is blocked. In the diagram, traffic from home-office and mobile VPN usersthat is destined for Large Branch Office B is accelerated by Repeater B. For this towork, Repeaters A1 and A2 must have daisy-chaining enabled.

Whenever the plug-in opens a new connection, it consults the acceleration rules. If the destination address matches any of the rules, the plug-in attempts to accelerate the connection by attaching acceleration options to the initial packet in the connection (the SYN packet). If any appliance known to the plug-in attaches acceleration options to the SYN-ACK response packet, an accelerated connection is established with that appliance.

The application and server are unaware that the accelerated connection has been established. Only the plug-in software and the appliance know that acceleration is taking place.

Transparent mode resembles appliance-to-appliance acceleration but is not identical to it. The differences are:

• Client-initiated connections only--Transparent mode accepts connections initiated by the plug-in-equipped system only. If you use a plug-in-equipped system as a server, server connections are not accelerated. Appliance-to-appliance acceleration, on the other hand, works regardless of which side is the client and which is the server. (Active-mode FTP is treated as a special case, because the connection initiating the data transfer requested by the plug-in is opened by the server.)

• Signaling connection--Transparent mode uses a signaling connection between the plug-in and appliance for the transmission of status information. Appliance-to-appliance acceleration does not require a signaling connection, except for secure peer relationships, which are disabled by default. If the plug-in cannot open a signaling connection, it does not attempt to accelerate connections through the appliance.

• Daisy-chaining--For an appliance that is in the path between a plug-in and its selected target appliance, you must enable daisy-chaining on the Configuration: Tuning menu.

Transparent mode is often used with VPNs. The CloudBridge Plug-in is compatible with most IPSec and PPTP VPNs, and with Citrix Access Gateway VPNs.

The following figure shows packet flow in transparent mode. This packet flow is almost identical to appliance-to-appliance acceleration, except that the decision of whether or not to attempt to accelerate the connection is based on acceleration rules downloaded over the signaling connection.

Figure 2. Packet flow in transparent mode


Redirector Mode

Redirector mode works differently from transparent mode in the following ways:

• The CloudBridge Plug-in software redirects the packets by addressing them explicitly to the appliance.

• Therefore, the redirector-mode appliance does not have to intercept all of the WAN-link traffic. Because accelerated connections are addressed to it directly, it can be placed anywhere, as long as it can be reached by both the plug-in and the server.

• The appliance performs its optimizations, then redirects the output packets to the server, replacing the source IP address in the packets with its own address. From the server's point of view, the connection originates at the appliance.

• Return traffic from the server is addressed to the appliance, which performs optimizations in the return direction and forwards the output packets to the plug-in.

• The destination port numbers are not changed, so network monitoring applications can still classify the traffic.

The following figure shows how redirector mode works.


Figure 1. Redirector Mode

The following figure shows the packet flow and address mapping in redirector mode.


Figure 2. Packet Flow in Redirector Mode


How the Plug-in Selects an Appliance

Each plug-in is configured with a list of appliances that it can contact to request an accelerated connection.

The appliances each have a list of acceleration rules, which is a list of target addresses or ports to which the appliance can establish accelerated connections. The plug-in downloads these rules from the appliances and matches the destination address and port of each connection with each appliance's rule set. If only one appliance offers to accelerate a given connection, selection is easy. If more than one appliance offers to accelerate the connection, the plug-in must choose one of the appliances.

The rules for appliance selection are as follows:

• If all the appliances offering to accelerate the connection are redirector-mode appliances, the leftmost appliance in the plug-in's appliance list is selected. (If the appliances were specified as DNS addresses, and the DNS record has multiple IP addresses, these too are scanned from left to right.)

• If some of the appliances offering to accelerate the connection use redirector mode and some use transparent mode, the transparent-mode appliances are ignored and the selection is made from the redirector-mode appliances.

• If all of the appliances offering to accelerate the connection use transparent mode, the plug-in does not select a specific appliance. It initiates the connection with CloudBridge SYN options, and whichever candidate appliance attaches appropriate options to the returning SYN-ACK packet is used. This allows the appliance that is actually in line with the traffic to identify itself to the plug-in. The plug-in must have an open signaling connection with the responding appliance, however, or acceleration does not take place.

• Some configuration information is considered to be global. This configuration information is taken from the leftmost appliance in the list for which a signaling connection can be opened.


Deploying Appliances for Use with Plug-ins

Client acceleration requires special configuration on the CloudBridge appliance. Other considerations include appliance placement. Plug-ins are typically deployed for VPN connections.

Use a Dedicated Appliance When Possible

Attempting to use the same appliance for both plug-in acceleration and link acceleration is often difficult, because the two uses sometimes call for the appliance to be at different points in the data center, and the two uses can call for different service-class rules.

In addition, a single appliance can serve as an endpoint for plug-in acceleration or as an endpoint for site-to-site acceleration, but cannot serve both purposes for the same connection at the same time. Therefore, when you use an appliance for both plug-in acceleration for your VPN and for site-to-site acceleration to a remote data center, plug-in users do not receive site-to-site acceleration. The seriousness of this problem depends on how much of the data used by plug-in users comes from remote sites.

Finally, because a dedicated appliance's resources are not divided between plug-in and site-to-site demands, it provides more resources and thus higher performance to each plug-in user.

Use Inline Mode When Possible

An appliance should be deployed on the same site as the VPN unit that it supports. Typically, the two units are in line with each other. An inline deployment provides the simplest configuration, the most features, and the highest performance. For best results, the appliance should be directly in line with the VPN unit.

However, appliances can use any deployment mode, except group mode or high availability mode. These modes are suitable for both appliance-to-appliance and client-to-appliance acceleration. They can be used alone (transparent mode) or in combination with redirector mode.

Place the Appliances in a Secure Part of Your Network

An appliance depends on your existing security infrastructure in the same way that your servers do. It should be placed on the same side of the firewall (and VPN unit, if used) as the servers.


Avoid NAT Problems

Network address translation (NAT) at the plug-in side is handled transparently and is not a concern. At the appliance side, NAT can be troublesome. Apply the following guidelines to ensure a smooth deployment:

• Put the appliance in the same address space as the servers, so that whatever address modifications are used to reach the servers are also applied to the appliance.

• Never access the appliance by using an address that the appliance does not associate with itself.

• The appliance must be able to access the servers by using the same IP addresses at which plug-in users access the same servers.

• In short, do not apply NAT to the addresses of servers or appliances.

Select Softboost Mode

On the Configure Settings: Bandwidth Management page, select Softboost mode. Softboost is the only type of acceleration supported with the CloudBridge Plug-in.

Define Plug-in Acceleration Rules

The appliance maintains a list of acceleration rules that tell the clients which traffic to accelerate. Each rule specifies an address or subnet and a port range that the appliance can accelerate.

What to Accelerate--The choice of what traffic to accelerate depends on the use the appliance is being put to:

• VPN accelerator - If the appliance is being used as a VPN accelerator, with all VPN traffic passing through the appliance, all TCP traffic should be accelerated, regardless of destination.

• Redirector mode - Unlike with transparent mode, an appliance in redirector mode is an explicit proxy, causing the plug-in to forward its traffic to the redirector-mode appliance even when doing so is not desirable. Acceleration can be counterproductive if the client forwards traffic to an appliance that is distant from the server, especially if this "triangle route" introduces a slow or unreliable link. Therefore, Citrix recommends that acceleration rules be configured to allow a given appliance to accelerate its own site only.

• Other uses - When the plug-in is used neither as a VPN accelerator nor in redirector mode, the acceleration rules should include addresses that are remote to the users and local to datacenters.

Defining the Rules--Define acceleration rules on the appliance, on the Configuration: CloudBridge Plug-in: Acceleration Rules tab.

Rules are evaluated in order, and the action (Accelerate or Exclude) is taken from the first matching rule. For a connection to be accelerated, it must match an Accelerate rule.


The default action is to not accelerate.

Figure 1. Setting Acceleration Rules

1. On the Configuration: CloudBridge Plug-in: Acceleration Rules tab:

• Add an Accelerate rule for each local LAN subnet that can be reached by the appliance. That is, click Add, select Accelerate, and type the subnet IP address and mask.

• Repeat for each subnet that is local to the appliance.

2. If you need to exclude some portion of the included range, add an Exclude rule and move it above the more general rule. For example, 10.217.1.99 looks like a local address. If it is really the local endpoint of a VPN unit, create an Exclude rule for it on a line above the Accelerate rule for 10.217.1.0/24.

3. If you want to use acceleration for only a single port (not recommended), such as port 80 for HTTP, replace the wildcard character in the Ports field with the specific port number. You can support additional ports by adding additional rules, one per port.

4. In general, list narrow rules (usually exceptions) before general rules.

5. Click Apply. Changes are not saved if you navigate away from this page before applying them.
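The first-match rule evaluation described above, together with the selection rules from "How the Plug-in Selects an Appliance", can be modeled in a few lines to check a planned rule order before applying it. This is an added example, not Citrix code: the class and function names, the appliance host names, and the sample rule sets are assumptions constructed for illustration, with the 10.217.1.99 exception taken from step 2.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORT = (1, 65535)  # stands in for the wildcard in the Ports field


@dataclass
class Rule:
    action: str              # "Accelerate" or "Exclude"
    network: str             # address or subnet, e.g. "10.217.1.0/24"
    ports: tuple = ANY_PORT  # inclusive (low, high) port range

    def matches(self, dst_ip, dst_port):
        in_net = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.network)
        return in_net and self.ports[0] <= dst_port <= self.ports[1]


def accelerates(rules, dst_ip, dst_port):
    """The first matching rule decides; with no match the default is not to accelerate."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.action == "Accelerate"
    return False


def shadowed_rules(rules):
    """Return (index, earlier_index) for each rule that can never be the first match
    because an earlier rule already covers its whole subnet and port range."""
    found = []
    for i, later in enumerate(rules):
        later_net = ipaddress.ip_network(later.network)
        for j, earlier in enumerate(rules[:i]):
            earlier_net = ipaddress.ip_network(earlier.network)
            ports_covered = (earlier.ports[0] <= later.ports[0]
                             and later.ports[1] <= earlier.ports[1])
            if later_net.subnet_of(earlier_net) and ports_covered:
                found.append((i, j))
                break
    return found


@dataclass
class Appliance:
    address: str          # entry in the plug-in's appliance list (hypothetical names below)
    mode: str             # "redirector" or "transparent"
    signaling_open: bool  # rules are only downloaded over an open signaling connection
    rules: list


def select_appliance(appliances, dst_ip, dst_port):
    """appliances is in list order, leftmost first. Returns (path, candidate addresses)."""
    offers = [a for a in appliances
              if a.signaling_open and accelerates(a.rules, dst_ip, dst_port)]
    if not offers:
        return ("direct", [])
    redirectors = [a.address for a in offers if a.mode == "redirector"]
    if redirectors:
        # Transparent-mode offers are ignored; the leftmost redirector wins.
        return ("redirector", redirectors[:1])
    # All offers are transparent: no appliance is chosen up front. The SYN carries
    # the options and whichever candidate answers in the SYN-ACK is used.
    return ("transparent", [a.address for a in offers])


# Constructed sample data.
GOOD_ORDER = [Rule("Exclude", "10.217.1.99"), Rule("Accelerate", "10.217.1.0/24")]
BAD_ORDER = [Rule("Accelerate", "10.217.1.0/24"), Rule("Exclude", "10.217.1.99")]
APPLIANCES = [
    Appliance("cb-down.example", "redirector", False, GOOD_ORDER),
    Appliance("cb-inline.example", "transparent", True, GOOD_ORDER),
    Appliance("cb-redirect.example", "redirector", True, GOOD_ORDER),
]

if __name__ == "__main__":
    print("VPN endpoint accelerated with the exception first:",
          accelerates(GOOD_ORDER, "10.217.1.99", 443))
    print("VPN endpoint accelerated with the exception last:",
          accelerates(BAD_ORDER, "10.217.1.99", 443))
    print("Rules that can never match in the bad order:", shadowed_rules(BAD_ORDER))
    print("Selection for 10.217.1.10:80:",
          select_appliance(APPLIANCES, "10.217.1.10", 80))
```

With the Exclude rule listed last it is never reached, so traffic to the VPN endpoint is accelerated; shadowed_rules reports that ordering mistake.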

IP Port Usage

Use the following guidelines for IP port usage:

• Ports used for communication with CloudBridge Plug-in--The plug-in maintains a dialog with the appliance over a signaling connection, which by default is on port 443 (HTTPS), which is allowed through most firewalls.

• Ports used for communication with servers--Communication between the CloudBridge Plug-in and the appliance uses the same ports that the client would use for communication with the server if the plug-in and appliance were not present. That is, when a client opens an HTTP connection on port 80, it connects to the appliance on port 80. The appliance in turn contacts the server on port 80.

In redirector mode, only the well-known port (that is, the destination port on the TCP SYN packet) is preserved. The ephemeral port is not preserved. In transparent mode, both ports are preserved.

The appliance assumes that it can communicate with the server on any port requested by the client, and the client assumes that it can communicate with the appliance on any desired port. This works well if the appliance is subject to the same firewall rules as the servers. When such is the case, any connection that would succeed in a direct connection succeeds in an accelerated connection.

TCP Option Usage and Firewalls

CloudBridge parameters are sent in the TCP options. TCP options can occur in any packet and are guaranteed to be present in the SYN and SYN-ACK packets that establish the connection.

Your firewall must not block TCP options in the range of 24-31 (decimal), or acceleration cannot take place. Most firewalls do not block these options. However, a Cisco PIX or ASA firewall with release 7.x firmware might do so by default, and therefore you might have to adjust its configuration.
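One way to confirm whether a firewall is removing these options is to capture the same SYN on both sides of it and compare the option kinds. This is an added example, not Citrix code: the two segments are constructed, and the kind-24 option carries placeholder bytes because the page does not describe the option contents.

```python
import struct

CB_OPTION_KINDS = range(24, 32)  # 24-31 decimal, the range the firewall must pass


def tcp_option_kinds(segment):
    """Return the option kinds in a raw TCP segment (header first), skipping NOP padding."""
    if len(segment) < 20:
        raise ValueError("shorter than a TCP header")
    header_len = (segment[12] >> 4) * 4  # data offset is counted in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    opts = segment[20:header_len]
    kinds = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:      # End of Option List
            break
        if kind == 1:      # NOP, a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        kinds.append(kind)
        i += length
    return kinds


def stripped_in_transit(sent_segment, received_segment):
    """Option kinds in the 24-31 range present when sent but missing on arrival."""
    sent = {k for k in tcp_option_kinds(sent_segment) if k in CB_OPTION_KINDS}
    received = set(tcp_option_kinds(received_segment))
    return sorted(sent - received)


def build_syn(options):
    """Build a constructed SYN segment for the sample data below (checksum left at 0)."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0,
                         offset_words << 4, 0x02, 65535, 0, 0)
    return header + options


# Constructed sample data: MSS option, then a placeholder option of kind 24.
MSS = bytes([2, 4, 0x05, 0xB4])
PLACEHOLDER_KIND_24 = bytes([24, 4, 0, 0])  # payload bytes are not from the page
SYN_SENT = build_syn(MSS + PLACEHOLDER_KIND_24)
# The same SYN as seen past a firewall that overwrote the option with NOPs.
SYN_AFTER_FIREWALL = build_syn(MSS + bytes([1, 1, 1, 1]))

if __name__ == "__main__":
    print("kinds sent:", tcp_option_kinds(SYN_SENT))
    print("kinds received:", tcp_option_kinds(SYN_AFTER_FIREWALL))
    print("stripped:", stripped_in_transit(SYN_SENT, SYN_AFTER_FIREWALL))
```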


Customizing the Plug-in MSI File

You can change parameters in the CloudBridge Plug-in distribution file, which is in the standard Microsoft Installer (MSI) format. Customization requires the use of an MSI editor.

Note: The altered parameters in your edited .MSI file apply only to new installations. When existing plug-in users update to a new release, their existing settings are retained. Therefore, after changing the parameters, you should advise your users to uninstall the old version before installing the new one.

Best Practices: Create a DNS entry that resolves to the nearest plug-in-enabled appliance. For example, define "Repeater.mycompany.com" and have it resolve to your appliance, if you have only one appliance. Or, if you have, say, five appliances, have Repeater.mycompany.com resolve to one of your five appliances, with the appliance selected on the basis of closeness to the client or to the VPN unit. For example, a client using an address associated with a particular VPN should see Repeater.mycompany.com resolve to the IP address of the CloudBridge appliance connected to that VPN. Build this address into your plug-in binary with an MSI editor, such as Orca. When you add, move, or remove appliances, changing this single DNS definition on your DNS server updates the appliance list on your plug-ins automatically.

You can also have the DNS entry resolve to multiple appliances, but this is undesirable unless all appliances are configured identically, because the plug-in takes some of its characteristics from the leftmost appliance in the list and applies them globally (including SSL compression characteristics). This can lead to undesirable and confusing results, especially if the DNS server rotates the order of IP addresses for each request.

Installing the Orca MSI Editor

There are many MSI editors, including Orca, which is part of Microsoft's free Platform SDK and can be downloaded from Microsoft.

To install the Orca MSI Editor

1. Download the PSDK-x86.exe version of the SDK and execute it. Follow the installation instructions.

2. Once the SDK is installed, the Orca editor must be installed. It will be under Microsoft Platform SDK\Bin\Orca.Msi. Launch Orca.msi to install the actual Orca editor (orca.exe).

3. Running Orca--Microsoft provides its Orca documentation online. The following information describes how to edit the most important CloudBridge Plug-in parameters.

4. Launch Orca with Start > All Programs > Orca. When a blank Orca window appears, open the CloudBridge Plug-in MSI file with File > Open.


Figure 1. Using Orca

5. On the Tables menu, click Property. A list of all the editable properties of the .MSI file appears. Edit the parameters shown in the following table. To edit a parameter, double-click on its value, type the new value, and press Enter.

Parameter: WSAPPLIANCES
Description: List of appliances
Default: None
Comments: Enter the IP or DNS addresses of your CloudBridge appliances here, in a comma-separated list in the form of { appliance1, appliance2, appliance3 }. If the port used for signaling connections is different from the default (443), specify the port in the form Appliance1:port_number.

Parameter: DBCMINSIZE
Description: Minimum amount of disk space to use for compression, in megabytes
Default: 250
Comments: Changing this to a larger value (for example, 2000) improves compression performance but prevents installation if there is not enough disk space. The plug-in will not install unless there is at least 100 MB of free disk space in addition to the value that you specify for DBCMINSIZE.

Parameter: PRIVATEKEYPEM
Description: Private key for the plug-in. Part of the certificate/key pair used with SSL compression
Default: None
Comments: Use Orca's Paste Cell command. The normal Paste function does not preserve the key's format. Should be a private key in PEM format (starting with -----BEGIN RSA PRIVATE KEY-----)

Parameter: X509CERTPEM
Description: Certificate for the plug-in. Part of the certificate/key pair used with SSL compression
Default: None
Comments: Use Orca's Paste Cell command. The normal Paste function does not preserve the key's format. Should be a certificate in PEM format (starting with -----BEGIN CERTIFICATE-----)

Parameter: CACERTPEM
Description: Certification Authority Certificate for the plug-in. Used with SSL compression
Default: None
Comments: Use Orca's Paste Cell command. The normal Paste function does not preserve the key's format. Should be a certificate in PEM format (starting with -----BEGIN CERTIFICATE-----)


Figure 2. Editing Parameters in Orca

6. When done, use the File: Save As command to save your edited file with a new filename; for example, test.msi.

Your plug-in software has now been customized.

Note: Some users have seen a bug in Orca that causes it to truncate files to 1 MB. Check the size of the saved file. If it has been truncated, make a copy of the original file and use the Save command to overwrite the original.

Once you have customized the appliance list with Orca and distributed the customized MSI file to your users, the user does not need to type in any configuration information when installing the software.


Deploying Plug-ins On Windows Systems

The CloudBridge Plug-in is an executable Microsoft installer (MSI) file that you download and install as with any other web-distributed program. Obtain this file from the MyCitrix section of the Citrix.com website.

Note: The CloudBridge Plug-in user interface refers to itself as "Citrix Acceleration Plug-in Manager."

The only user configuration needed by the plug-in is the list of appliance addresses. This list can consist of a comma-separated list of IP or DNS addresses. The two forms can be mixed. You can customize the distribution file so that the list points to your appliance by default. Once installed, operation is transparent. Traffic to accelerated subnets is sent through an appropriate appliance, and all other traffic is sent directly to the server. The user application is unaware that any of this is happening.


Installation

To install the CloudBridge Plug-in accelerator on a Windows system:

1. The Repeater*.msi file is an installation file. Close all applications and any windows that might be open, and then launch the installer in the usual way (double-click it in a file window, or use the Run command).

Figure 1. Initial Installation Screen

Note: The steps below are for an interactive installation. A silent installation can be performed with the command:

msiexec /i client_msi_file /qn

2. The installation program prompts for the location in which to install the software. The directory that you specify is used for both the client software and the disk-based compression history. Together, they require a minimum of 500 MB of disk space.

3. When the installer finishes, it might ask you to restart the system. After a restart, the CloudBridge Plug-in starts automatically.


Figure 2. Final Installation Screen

4. Right-click the Accelerator icon in the task bar and select Manage Acceleration to launch the Citrix Plug-in Accelerator Manager.


Figure 3. Citrix Accelerator Plug-in Manager, Initial (Basic) Display

5. If the .MSI file has not been customized for your users, specify the signaling address and the amount of disk space to use for compression:

• In the Appliances: Signaling Addresses field, type the signaling IP address of your appliance. If you have more than one Plug-in-enabled appliance, list them all, separated by commas. Either IP or DNS addresses are acceptable.

• Using the Data Cache slider, select the amount of disk space to use for compression. More is better. 7.5 GB is not too much, if you have that much disk space available.

• Press Apply.

The CloudBridge Plug-in accelerator is now running. All future connections to accelerated subnets will be accelerated.

On the plug-in's Advanced: Rules tab, the Acceleration Rules list should show each appliance as Connected and each appliance's accelerated subnets as Accelerated. If not, check the Signaling Addresses IP field and your network connectivity in general.


Troubleshooting Plug-ins

Plug-in installation generally goes smoothly. If not, check for the following issues:

Common problems

• If you do not reboot the system, the CloudBridge Plug-in will not run properly.

• A highly fragmented disk can result in poor compression performance.

• A failure of acceleration (no accelerated connections listed on the Diagnostics tab) usually indicates that something is preventing communication with the appliance. Check the Configuration: Acceleration Rules listing on the plug-in to make sure that the appliance is being contacted successfully and that the target address is included in one of the acceleration rules. Typical causes of connection failures are:

• The appliance is not running, or acceleration has been disabled.

• A firewall is stripping CloudBridge TCP options at some point between the plug-in and appliance.

• The plug-in is using an unsupported VPN.

Deterministic Network Enhancer locking error

On rare occasions, after you install the plug-in and restart your computer, the following error message appears twice:

Deterministic Network Enhancer installation requires a reboot first, to free locked resources. Please run this install again after restarting the computer.

If this occurs, do the following:

1. Go to Add/Remove Programs and remove the CloudBridge Plug-in, if present.

2. Go to Control Panel: Network Adapters: Local Area Connection: Properties, find the entry for Deterministic Network Enhancer, clear its check box, and click OK. (Your network adapter might be called by a name other than "Local Area Connection.")

3. Open a command window and go to c:\windows\inf (or the equivalent directory if you have installed Windows in a non-standard location).

4. Type the following command:

find "dne2000.cat" oem*.inf

5. Find the highest-numbered oem*.inf file that returned a matching line (the matching line is CatalogFile= dne2000.cat) and edit it. For example:


notepad oem13.inf

6. Delete everything except the three lines at the top that start with semicolons, and then save the file. This will clear out any inappropriate or obsolete settings and the next installation will use default values.

7. Retry the installation.

Other Installation Problems

Any problem with installing the CloudBridge Plug-in is usually the result of existing networking, firewall, or antivirus software interfering with the installation. Usually, once the installation is complete, there are no further problems.

If the installation fails, try the following steps:

1. Make sure the plug-in installation file has been copied to your local system.

2. Disconnect any active VPN/remote networking clients.

3. Disable any firewall and antivirus software temporarily.

4. If some of this is difficult, do what you can.

5. Reinstall the CloudBridge Plug-in.

6. If this doesn't work, reboot the system and try again.


CloudBridge Plug-in GUI Commands

The CloudBridge Plug-in GUI appears when you right-click the Citrix Accelerator Plug-in icon and select Manage Acceleration. The GUI's Basic display appears first. There is also an Advanced display that can be used if desired.


Basic Display

On the Basic page, you can set two parameters:

• The Signaling Addresses field specifies the IP address of each appliance that the plug-in can connect to. Citrix recommends listing only one appliance, but you can create a comma-separated list. This is an ordered list, with the leftmost appliances having precedence over the others. Acceleration is attempted with the leftmost appliance for which a signaling connection can be established. You can use both DNS addresses and IP addresses.

Examples: 10.200.33.200, ws.mycompany.com, ws2.mycompany.com

• The Data Cache slider adjusts the amount of disk space allocated to the plug-in's disk-based compression history. More is better.

In addition, there is a button to move to the Advanced display.


Advanced Display

The Advanced page contains four tabs: Rules, Connections, Diagnostics, and Certificates.

Figure 1. Citrix Accelerator Manager, Advanced Display

At the bottom of the display are buttons to enable acceleration, disable acceleration, and return to the Basic page.

Rules Tab

The Rules tab displays an abbreviated list of the acceleration rules downloaded from the appliances. Each list item shows the appliance's signaling address and port, acceleration mode (redirector or transparent), and connection state, followed by a summary of the appliance's rules.

Connections Tab

The Connections tab lists the number of open connections of different types:


• Accelerated Connections--The number of open connections between the CloudBridge Plug-in and appliances. This number includes one signaling connection per appliance but does not include accelerated CIFS connections. Clicking More opens a window with a brief summary of each connection. (All of the More buttons allow you to copy the information in the window to the clipboard, should you want to share it with Support.)

• Accelerated CIFS Connections--The number of open, accelerated connections with CIFS (Windows file system) servers. This is usually the same as the number of mounted network file systems. Clicking More displays the same information as with accelerated connections, plus a status field that reports Active if the CIFS connection is running with CloudBridge's special CIFS optimizations.

• Accelerated MAPI Connections--The number of open, accelerated Outlook/Exchange connections.

• Accelerated ICA connections--The number of open, accelerated XenApp and XenDesktop connections using the ICA or CGP protocols.

• Unaccelerated Connections--Open connections that are not being accelerated. You can click More to display a brief description of why the connection was not accelerated. Typically, the reason is that no appliance accelerates the destination address, which is reported as Service policy rule.

• Opening/Closing Connections--Connections that are not fully open, but are in the process of opening or closing (TCP "half-open" or "half-closed" connections). The More button displays some additional information about these connections.

Diagnostics Tab

The Diagnostics page reports the number of connections in different categories, and other useful information.

• Start Tracing/Stop Tracing--If you report a problem, your Citrix representative might ask you to perform a connection trace to help pinpoint problems. This button starts and stops the trace. When you stop tracing, a pop-up window shows the trace files. Send them to your Citrix representative by the means he or she recommends.

• Clear History--This feature should not be used.

• Clear Statistics--Pressing this button clears the statistics on the Performance tab.

• Console--A scrollable window with recent status messages, mostly connection-open and connection-close messages, but also error and miscellaneous status messages.


Figure 2. Citrix Accelerator Manager, Advanced: Diagnostics Tab

Certificates Tab

On the Certificates tab, you can install security credentials for the optional secure peering feature. The purpose of these security credentials is to enable the appliance to verify whether the plug-in is a trusted client or not.


Figure 3. Certificates tab

To upload the CA certificate and certificate-key pair:

1. Select CA Certificate Management.

2. Click Import.

3. Upload a CA certificate. The certificate file must use one of the supported file types (.pem, .crt, .cer, or .spc). A dialog box might appear, asking you to Select the certificate store you want to use and presenting you with a list of keywords. Select the first keyword in the list.

4. Select Client Certificate Management.

5. Click Import.

6. Select the format of the certificate-key pair (either PKCS12 or PEM/DER).

Note: In the case of PEM/DER, there are separate upload boxes for certificate and key. If your certificate-key pair is combined in a single file, specify the file twice, once for each box.

7. Click Submit.


Updating the CloudBridge Plug-in

To install a newer version of the CloudBridge Plug-in, follow the same procedure you used when installing the plug-in for the first time.

Uninstalling the CloudBridge Plug-in

To uninstall the CloudBridge Plug-in

To uninstall the CloudBridge Plug-in, use the Windows Add/Remove Programs utility. The CloudBridge Plug-in is listed as Citrix Acceleration Plug-in in the list of currently installed programs. Select it and click Remove.

You must restart the system to finish uninstalling the client.


CloudBridge (2.0) on AWS

As a tool for building a cloud-extended data center, the Citrix CloudBridge is a fundamental part of the Citrix Cloud framework. This product can reduce the cost of moving your applications to the cloud, reduce the risk of application failure, and increase network efficiency in your cloud environment.

With CloudBridge, you can create a network bridge (or more than one) connecting one or more cloud computing instances--virtual servers in the cloud--to your network without reconfiguring your network. Cloud-hosted applications appear as though they are running on one contiguous enterprise network.

Setting up a network bridge involves configuring two CloudBridge appliances or virtual appliances, one on each side of the bridge. On each appliance, you configure one or more GRE tunnels and configure IPSec on the tunnel or tunnels. You then assign a name to the network bridge and bind the GRE tunnel(s) to it. Optionally, you can bind VLANs and IP addresses to the network bridge.

If you need only one GRE tunnel, you can use an alternative configuration method in which you configure all of the network bridge elements in one dialog box in the configuration utility. You can add more tunnels later.

For more information about CloudBridge on AWS, see CloudBridge.


Reference Material

You can refer to the following documentation for quick reference:


Graphical User Interface

CloudBridge and CloudBridge VPX have essentially identical graphical user interfaces (GUIs). CloudBridge 4000/5000 also contains this GUI as a subset of its user interface.

The GUI is browser-based, supporting HTTP and HTTPS. By default, the GUI is enabled on all active Ethernet ports, using the management IP address assigned to each port, but the GUI can be disabled on a port-by-port basis.

The GUI is divided into pages, reached through tabs on the header and navigation bar on the left-hand column of each page. The GUI pages are divided into three categories:

• The Dashboard, which allows you to perform the top-level monitoring.

• Monitoring pages, which display the activity of the appliance’s features in real time. You can also create printable displays of the appliance’s status.

• Configuration pages, on which you can adjust the appliance’s modes and parameters. You can also back up, restore, troubleshoot, and update the appliance’s software.


Dashboard Page

The dashboard shows you the status of the entire appliance at a glance. It has graphs for incoming and outgoing traffic, top applications by WAN volume, top service classes by compression ratio, WAN throughput by traffic-shaping policy, and more. By default, the page updates every minute, but this can be changed by pressing the Customize button.

Figure 1. Dashboard Page

Most features of the dashboard are disabled until you define your appliance’s links.

Aggregate Link Throughput Graph

This graph shows the incoming traffic (WAN to LAN) and outgoing traffic (LAN to WAN).

The LAN-side and WAN-side traffic are shown in different colors. When no compression, caching, or application acceleration is going on, the LAN-side traffic and the WAN-side traffic are essentially identical, because the appliance is not modifying the data as it passes through. Compression and caching reduce the amount of WAN-side traffic.

Appliance Status Table

This table gives a grab bag of information about the appliance. We recommend that you minimize this table in normal use, because the graphs are generally more useful.


The statistics in this table are self-explanatory.

Top Applications by WAN Volume Graph

This graph shows the top ten applications, ranked by WAN data volume, measured over the last hour.

Top Service Classes by Compression Ratio Graph

This graph shows the top compressed service classes, ranked by compression ratio. Note that service classes are not identical to applications. (There are hundreds of applications and only about 20 service classes by default.)

The compression ratio is dependent on the amount of long-term redundancy in the data streams, and tends to increase over time as the appliance’s compression history fills.

Top ICA/CGP Applications by WAN Volume Graph

This graph is similar to the Top Applications graph but considers only Citrix XenApp/XenDesktop published application data over the last hour.

Traffic Shaping: WAN Throughput Graph

This graph shows the predominant traffic-shaping policies being applied to the WAN traffic in the last hour. There are separate graphs for incoming (WAN to LAN) and outgoing (LAN to WAN) traffic.


Features Page

This page has enable/disable toggles for the appliance’s features, plus a master enable/disable toggle called Traffic Processing.

Figure 1. Part of the Features page

In normal use, this page is helpful mostly for disabling features, since many features require more configuration than simply toggling their state from disabled to enabled. Most features should be enabled on the relevant page under the Configuration menu.

Traffic Processing

This is the master enable/disable toggle. When disabled, all features of the Appliance are disabled and all traffic passes through without modification or traffic shaping.

Traffic Acceleration

This toggle enables and disables the acceleration engine.

Traffic Shaping

This toggle enables and disables the traffic-shaping engine.


CIFS Protocol Optimization

Sets the CIFS/SMB/Windows Filesystem acceleration mode. Options are Enabled for all CIFS, allowing full acceleration; Enabled for SMB1 Only, which accelerates the SMB1 protocol (used through Windows XP and Windows Server 2003); Enabled for SMB2 Only, which accelerates the newer SMB2 protocol (Vista/Windows 7/Windows Server 2008); or Disabled.

Group Mode

Can be used to disable group mode, if enabled.

High Availability

Can be used to disable high-availability mode, if enabled.

ICA Multi-Stream

Enables ICA multi-stream acceleration support. If enabled, multi-stream ICA sessions will be negotiated when both the client and server are multi-stream-enabled. Otherwise, single-stream ICA sessions will be used.

If multi-stream, multi-port ICA is enabled on your XenApp servers, you must also modify the “ICA” service class to include the additional ports you have defined for multi-port mode.

MAPI Cross-Protocol Optimization

Allows MAPI session data to match non-MAPI session data in the compressor.

SCPS

SCPS is a TCP variant used in satellite communication and similar applications. The Appliance can accelerate SCPS connections if this option is selected.

The main practical difference between SCPS and the default Appliance behavior is that SCPS-style selective negative acknowledgements (SNACKs) are used instead of standard selective acknowledgements (SACKs). These two methods of enhancing data retransmissions are mutually exclusive, so if the Appliance on one end of the connection has SCPS enabled and one does not, retransmission performance will suffer. This condition will cause an SCPS Mode Mismatch alert.

If you must mix SCPS-enabled Appliances with non-SCPS-enabled Appliances, we recommend that you deploy them in such a way that mismatches do not occur. This can be done with IP-based service class rules or by always deploying the Appliances so that accelerated paths contain matched pairs rather than odd numbers of units.


Secure Partner

Duplicates the functionality of the Partner State toggle on the Configuration: Secure Partners page.

SNMP

Duplicates the functionality of the SNMP Status button on the Logging/Monitoring: SNMP tab.

SSH Access

Duplicates the functionality of the SSH Access Enable/Disable button on the Configuration: Administrator Interface: SSH Access page.

SSL Optimization

Duplicates the functionality of the SSL Optimization Enable/Disable button on the SSL Encryption page.

Syslog Support

Duplicates the functionality of the Send to Syslog Server checkbox on the Configuration: Logging/Monitoring: Syslog Server tab.

User Data Store Encryption

Duplicates the functionality of the Enable Encryption button on the Configuration: SSL Encryption page.

WCCP

Duplicates the functionality of the Enable button on the Configuration: Advanced Deployments: WCCP tab.


Quick Installation Page

The Quick Installation page allows a complete single-page installation of many appliances, and a partial installation for most other appliances.


Figure 1. Quick Installation page

Additional configuration will be required if any of the following are true:

• The appliance is not using inline mode.

• Your appliance has dual accelerated bridges (apA and apB).


• The appliance is part of a high-availability or group-mode pair.

• You plan to use SSL acceleration or hardboost.

• You need to make changes to the default traffic-shaping policies.

The fields in the quick installation are:

• Adapter—For most appliances, this is apA, the accelerated bridge. Dual-bridge systems will allow you to select apB instead.

• IP Address, Gateway, Netmask—These will already be configured (from the LCD front-panel installation step), but you can change them if desired.

• Primary/Secondary DNS IP Address—Lets you specify a primary and backup DNS server.

• NTP Time Server—Allows you to specify an NTP time server to keep your appliance’s clock synchronized. Highly recommended.

• Date/Time—If you cannot use an NTP time server, the date and time can be set manually here.

• Local Time Zone—Specify your time zone here.

• Citrix License Type—Gives you a choice between Local License and a network license that matches your hardware. Legacy (release 5.x) licenses are local licenses; new licenses are generally network licenses.

• License Server Address—You must specify a license server when using network licenses. You can use either an IP address (such as 172.16.0.44) or a hostname (such as license_server.example.com).

• Licensing Service Port—If your license server uses a port different from the default value of 27000, specify it here.

• Receive (Download) Speed—Use 95% of your nominal WAN receive rate.

• Send (Upload) Speed—Use 95% of your nominal WAN send rate.

• WAN-side Adapter—This will be either apA.1 or apA.2, depending on which port the Ethernet cable to your WAN is plugged into. (Dual-bridge systems might use apB.1 or apB.2.)

• Perform Quick Install—Press the Install button to perform the installation.

• Wait for System to Restart—After the system restarts, continue with your configuration if necessary. Otherwise, your appliance is configured and operational.


Monitoring Pages

The Monitoring pages enable you to examine the real-time operation of the appliance's functional units, showing such things as the effect of the compression engine or a list of accelerated connections.

These pages are especially useful when you are looking for more detail than is present on the Dashboard page.


Citrix (ICA/CGP)

This page allows you to monitor total ICA traffic (in the sending direction only) and the list of ICA connections.

ICA Connections Tab

The ICA Connections tab lists all the currently open Citrix (ICA/CGP) connections, along with the client computer’s name and the name of the XenApp published application or XenDesktop desktop. The ICA connection list is similar to the main Connections list (Connections) and can be filtered or sorted in the same way.

ICA Statistics Tab

The ICA Statistics tab summarizes XenApp/XenDesktop statistics: by ICA packet priority, by protocol type, by stream type, and by ICA virtual channel.


Figure 1. ICA Statistics Tab

Acceleration Graphs Tabs

The Acceleration Graphs tab shows the sender-side behavior of accelerated XenApp/XenDesktop traffic. Non-accelerated traffic is not shown. Timescales for these graphs are selectable between 60 seconds and one month.

The real-time effect of compression can be estimated by comparing the WAN-side throughput to the LAN-side throughput. (Compression reduces the WAN-side data volume.)


Compression

The Monitoring: Compression page gives a real-time view of the multi-level compression engine, which automatically selects the optimum compression engine for the data being compressed. This graph can span one minute, one hour, one day, one week, or one month.

The compression engine dynamically selects between several algorithms. Each algorithm is called a matcher. The smallest compression engines have a relatively small compression history, and can match strings within a few thousand or tens of thousands of bytes of the current data. The big matcher can handle matches between 100 MB and several gigabytes in size, depending on the appliance model. Finally, the disk matcher can handle matches of almost arbitrary size.

Figure 1. Compression page

Each matcher is color-coded. The graph is similar to the usage graph (Section 9.3.9), except only compressed traffic is shown. The vertical axis gives the effective throughput of the compressed data, which can be many times greater than the WAN data rate. Compression and decompression are shown separately.

• Raw data is not compressed at all. It has a compression ratio of 1:1.

• The micro matcher and little matcher have compression ratios that typically fall in the range of 1:1 to 10:1.

• The big matcher usually gives memory-based compression ratios in excess of 10:1, and sometimes in excess of 200:1.

• The disk matcher can give compression ratios up to 10,000:1.

Other compression points:

• First-pass data (data that does not match anything already in compression memory) gives compression ratios anywhere between 1:1 (typical for compressed binary data) and 10:1 or even more (where there is significant internal redundancy, which often occurs in source code, Microsoft Office documents, etc.).

• Second-pass data generally gives compression ratios in excess of 10:1 and often in excess of 100:1.


• If enough data has gone by, the first-pass copy will no longer be in compression history when the object is sent again, and second-pass compression ratios will not be seen. This depends on the size of the compression history and the number of partner Appliances. The total amount of disk-matcher compression history is 100 GB or more on all models of Appliance.

• If the Appliance is communicating with many different Acceleration Partners, this limits the amount of compression history that any one unit can have.


Connections

This page consists of a list of accelerated connections and a filter specification. The list of accelerated connections identifies the IP and port numbers for the two endpoint systems, gives information about the duration and data transferred in the connection so far, and identifies the other appliance (or CloudBridge Plug-in) in the connection. Clicking on the IP address of an Acceleration Partner appliance takes you to the management interface of that appliance.

Figure 1. Connections page (accelerated connections)

Selecting Which Accelerated Connections to Show

In a busy system, with hundreds or thousands of connections, it can be difficult to find the information you are looking for. You have two methods of dealing with this information:

• Sorting. Clicking on the column headers will sort the connections by the value in that column, in ascending order. Clicking the header again will sort the columns in descending order.

• Filtering. The Action > Connection Filter Wizard can be used to hide all connections that do not pass the stated tests. Filtering can be performed on:

• Source IP and port range

• Destination IP and port range

• Connection duration

• Bytes transferred

• Connection state: opening (half-open), open, closing (half-closed), closed, all.


Note: Half-open and half-closed connections may be listed as accelerated connections. The accelerated vs. non-accelerated status of a connection is generally not known until the connection is fully open (that is, until the SYN-ACK packet is received by the system that sent the SYN packet). Half-open connections can be identified because they have an Acceleration Partner of None and a Bytes Transferred of '0'.

Half-open and half-closed connections can be filtered out of the list with the 'Connection State' filter. Selecting Open will show only fully open connections.

Unaccelerated Connections Tab

You can choose to display either accelerated or unaccelerated connections. The display format is similar in either case. However, the unaccelerated connections display shows an Unaccelerated Reason in the left-most column.

Figure 2. Unaccelerated Connections

Common reasons for non-acceleration are:

Table 1. Non-acceleration reasons

Code   Description
UR:1   Reason is unknown
UR:2   No partner Acceleration unit was detected
UR:3   Routing asymmetry: the SYN packet did not pass through this unit.
UR:4   Routing asymmetry: the SYN-ACK packet did not pass through this unit.
UR:5   No room in TCP SYN or SYN-ACK header for acceleration options.
UR:6   Service policy rule forbids acceleration on this connection.
UR:7   Not used.
UR:8   Not used.
UR:9   One unit is configured for hardboost and the other for softboost.
UR:10  Maximum number of accelerated connections has been reached.
UR:11  Connection failed both with and without acceleration options (destination not responding or responds with TCP reset).
UR:12  Connection failed when acceleration options were attached, but succeeded without acceleration (firewall problem).
UR:13  This unit is between two other units and daisy-chaining is enabled.
UR:14  Maximum number of simultaneous partner Appliances has been reached.
UR:15  Connection matches an invalid proxy-mode entry.
UR:16  Not used.
UR:17  Not used.
UR:18  Bad proxy configuration detected on the Acceleration Partner.
UR:19  Not used.
UR:20  Proxy loop detected.
UR:21  Too many proxy connections, cannot allocate any new connections.
UR:22  No initial TCP handshake seen (often seen after an Acceleration unit is enabled and there are many pre-existing non-accelerated connections).
UR:23  Group mode connection is accelerated by a different group member.
UR:24  Auto-discovery is disabled.
UR:25  Group mode connection, but group-mode acceleration has been disabled.
UR:26  Plug-in connection is using invalid Signaling/Redirector IP address.
UR:27  Cannot establish a signaling connection to partner.

Connection Details Page

The left-most column in the Accelerated Connection table is the Details column, containing links to per-connection information.

The connection details start with WAN and LAN traffic graphs, continue with a table giving overall status of the connection, and conclude with a longer table giving detailed information about the connection.


WAN/LAN graphs. These show only the traffic for the selected connection. Otherwise, they are the same as the usual throughput graph.

Figure 3. Connection Details page, Detailed Connection Information table

Detailed Connection Information table. This table reports:

• Creation Time: the date and time when the connection was opened.


• Uncompressed Bytes Transmitted: the amount of data transferred in the connection so far (in both directions, before compression).

• Compressed Bytes Transmitted: the amount of data transferred in the connection so far (in both directions, after compression).

• Effective Compression Ratio: the number of uncompressed bytes divided by the number of compressed bytes. The value in parentheses is 1/(compression ratio).

• Duration: the elapsed time since the connection was opened.

• Idle Time: the elapsed time since the last data transfer.

• Status: The state of the TCP connection (Open, Closing, Closed, etc.). The code after this state is for use by Support and is not documented here.

• Acceleration Partner: The IP address of the partner Appliance, as reported by the Acceleration Partner itself.

Detailed Per-Endpoint Information table. This table is primarily for the use of Support and is not fully documented here. Some of the reported values are not always accurate. In particular, the RTT value uses a counter-intuitive smoothing algorithm and may give unexpected results.

The table reports values for both the local and remote sides of the flow, labeled LAN Endpoint and WAN Endpoint, respectively.

Some of the more interesting values include:

• Send Rate Setting: The bandwidth limit in the sending direction.

• Send Rate Setting Constrained: The bandwidth limit as constrained by the Acceleration Partner, which may have a lower bandwidth limit or may be dividing its bandwidth between multiple partners.

• Receive Rate Setting/Receive Rate Setting Constrained: As above, but in the receiving direction.

• Smoothed Round-Trip Time: Do not use this value. This uses the standard TCP RTT calculation, which behaves differently from what one would expect.

• Largest Receive Window: The largest advertised window used so far in the connection. This is typically much larger on the WAN side than the LAN side, since the long RTT of a WAN link requires a larger amount of in-flight data. This value tends to grow as needed. (The default maximum is 8 MB on the WAN side and 64 KB on the LAN side.)

• Total Wire Bytes Transmitted/Transmitted Good: The amount of data sent, with headers, payload, and retransmissions all counted equally. The loss rate can be calculated from the difference between 'transmitted' and 'transmitted good.'

• Total Wire Bytes Received/Received Good: As above, but in the opposite direction.

Note: Do not calculate loss rates by subtracting data received from data sent, since that does not account for data still in flight.


• Total Payload Bytes: As above, but with headers and retransmissions removed from the calculation.

Figure 4. Connection Details page, Detailed Per-Endpoint Information table
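The calculations described for the Connection Details tables, worked through on one set of counters. This is an added example, not part of the Citrix documentation or product. The "Label: value" text layout, the "Partner Total Wire Bytes Received" label (a hypothetical name for the partner appliance's reading), the use of 'transmitted' as the loss-rate denominator, and all numbers are assumptions made for illustration.

```python
# Added example, not Citrix code. Counter names follow the Connection Details
# page; the "Label: value" layout, the "Partner ..." label and every number
# below are constructed for illustration.
SAMPLE_COUNTERS = """\
Uncompressed Bytes Transmitted: 48,000,000
Compressed Bytes Transmitted: 3,200,000
Total Wire Bytes Transmitted: 3,500,000
Total Wire Bytes Transmitted Good: 3,430,000
Partner Total Wire Bytes Received: 3,150,000
"""


def parse_counters(text):
    """Turn 'Label: 1,234' lines into {label: int}; fail loudly on anything else."""
    counters = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        label, sep, value = line.partition(":")
        if not sep or not label.strip():
            raise ValueError(f"not a 'Label: value' line: {line!r}")
        number = int(value.strip().replace(",", ""))  # ValueError if not a count
        if number < 0:
            raise ValueError(f"negative counter: {line!r}")
        counters[label.strip()] = number
    return counters


def compression_ratio(uncompressed, compressed):
    """Return (ratio, 1/ratio), the pair the page shows, or None without data."""
    if uncompressed == 0 or compressed == 0:
        return None  # e.g. a half-open connection with Bytes Transferred of 0
    ratio = uncompressed / compressed
    return ratio, 1 / ratio


def loss_rate(transmitted, transmitted_good):
    """Share of wire bytes that were not 'good' (assumed denominator: transmitted)."""
    if transmitted_good > transmitted:
        raise ValueError("'transmitted good' cannot exceed 'transmitted'")
    if transmitted == 0:
        return 0.0
    return (transmitted - transmitted_good) / transmitted


def naive_loss_rate(sent, received_by_partner):
    """The estimate the Note warns against: in-flight data is counted as lost."""
    if sent == 0:
        return 0.0
    return (sent - received_by_partner) / sent


def summarize(text):
    """Compute the page's metrics plus the misleading estimate for comparison."""
    c = parse_counters(text)
    sent = c["Total Wire Bytes Transmitted"]
    good = c["Total Wire Bytes Transmitted Good"]
    received = c["Partner Total Wire Bytes Received"]
    return {
        "compression": compression_ratio(
            c["Uncompressed Bytes Transmitted"], c["Compressed Bytes Transmitted"]
        ),
        "loss_rate": loss_rate(sent, good),
        "naive_loss_rate": naive_loss_rate(sent, received),
        # Bytes the naive method adds on top of the real loss; in this sample
        # they are simply data the partner has not received yet.
        "bytes_miscounted_as_lost": good - received,
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_COUNTERS).items():
        print(f"{name}: {value}")
```

With these constructed counters the transmitted/transmitted-good method gives a 2% loss rate, while sent-minus-received reports 10% because 280,000 bytes were still in flight when the counters were read.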

Flow Information

A 'flow' consists of all the traffic flowing between a pair of Appliances. Clicking on the i link marked 'Flow' will give information for the flow as a whole. The entries should be self-explanatory.


Filesystem (CIFS/SMB)

Acceleration Graphs Tab

The Acceleration Graphs tab shows four graphs:

• CIFS Accelerated Read Traffic, the total bandwidth from accelerated CIFS read requests. (Note that “read” vs. “write” is based on whether the CIFS command was a read or write command, and has nothing to do with the send/receive direction as seen by the Appliance.)

• CIFS Accelerated Write Traffic, the total bandwidth from accelerated CIFS write requests.

• CIFS Saved Requests, the difference in bandwidth between the accelerated throughput and the throughput that would have been achieved without acceleration.

• CIFS (SMB2) Requests Responded Locally, the bandwidth of requests serviced locally rather than passed on to the endpoint server, such as the bandwidth savings from metadata caching.

Figure 1. CIFS Acceleration Graphs

Connections Tabs

Connections. The Optimized Connection and Non-Optimized Connection tabs display the table of CIFS connections.

Figure 2. Connections Tabs


“File Details” and Read/Write counters. When the appliance is on the server side of the link, the “File Details” entry always reads “Not Available” and the read and write counters always read zero. Information about the connection can be obtained from the client-side appliance.

The Signed column. Reports whether CIFS signing is in effect.

The Reason column. For so-called “non-accelerated” connections, a Reason column gives a code specifying why CIFS optimizations were not used. The reasons are one of these:

• The connection uses the Vista SMB 2.0 format, and SMB 2.0 acceleration is not enabled.

• CIFS optimizations are disabled on the Appliance.

• Security settings on the connection prevent optimization.

• The connection requires CIFS signing, which prevents optimization.

• CIFS optimization is disabled or not supported on the remote Acceleration unit.

• The CIFS “dialect level” is not supported.

• The connection is not using the negotiated protocol.


Logging

The logging page shows system activity, including configuration changes and boot progress messages.

Status reports are logged every minute, including system status, adapter status, connection status, and flow status. Events, including the opening or closing of an accelerated connection, are also logged. Unaccelerated connections are not logged. Traffic shaping and classification are not logged.

Figure 1. Monitoring: Appliance Performance > Logging page

You can search for a particular report based on Records or Date/Time settings.


Outlook (MAPI)

The Monitoring: Optimization > Outlook MAPI Status page has three tabs: Acceleration Graphs, Accelerated MAPI Sessions, and Unaccelerated MAPI Sessions.

Acceleration Graphs

The Acceleration Graphs tab shows the accelerated MAPI traffic for the last 60 seconds. The two graphs are 'Read-Ahead Throughput,' showing the performance of traffic traveling from the Exchange Server to the Outlook client, and 'Write-Behind Traffic,' showing traffic from the Outlook client to the Exchange server.

These graphs will look different on the two Appliances, and different from the main usage graphs as well, since they show movement into and out of the MAPI engine, not actual traffic on the WAN. The differences are caused by buffering.

Figure 1. Acceleration Graphs tab

Accelerated MAPI Sessions

This tab shows the status of open accelerated MAPI sessions, including the IP addresses of the two endpoints, user name, number of connections (MAPI uses multiple connections per user), and total traffic.

Figure 2. Accelerated MAPI Sessions Tab


Unaccelerated MAPI Sessions

This tab shows the status of unaccelerated MAPI sessions, including the reason why the connection was not accelerated, the two endpoints, and the number of connections.

Figure 3. Unaccelerated MAPI Sessions Tab


CloudBridge Partners

The CloudBridge Partners page shows traffic statistics for all partner appliances that the local appliance has communicated with since its last restart. This information is in the Monitoring -> Partners & Plug-ins -> CloudBridge Partners -> Active Repeater Partners table.

Figure 1. CloudBridge Partners Page

A second table, System Information, contains information that is not related to partner appliances, but to the local appliance.

Monitoring: Active Partner CloudBridge Table

The Monitoring: Active Partner CloudBridge table contains a row for each partner appliance.

The columns display standard statistics for the accelerated traffic between the local appliance and each partner:

• Management IP address of the partner appliance.

• Total bytes sent and received since the last restart.

• Data rate, sent and received, over the last minute.

• Current number of active (non-idle) accelerated connections.

• Maximum number of simultaneous active accelerated connections since the last restart.

• Maximum total number of accelerated connections since the last restart.

• Idle time since any traffic on any accelerated connection was seen.

System Information Table

The System Information table shows information about the local appliance, not the remote partner appliances:

• Agent ID, the management IP address of the local appliance.


• Current system load, expressed in the range of 0%-100%.

• Average input queue latency, shown in milliseconds if non-zero.


CloudBridge Plug-ins

This page reports on the CloudBridge Plug-in currently connected to the Appliance. The list is similar to the Active Connection list and can be filtered and sorted in similar ways.

Figure 1. Monitoring CloudBridge Plug-in

Clicking the Details link shows client connection details similar to that in the figure below.

Figure 2. Detailed Plug-in Information


Secure Partners

This page reports the SSL signaling connection status of peer Appliances or CloudBridge Plug-ins that have been detected since the last restart. By default, only currently connected peers are displayed, but this can be changed with the Connection Status pull-down in the Filter table.

Figure 1. Peer Status command

In the Peer table, each peer is listed by name and its IP address (not the signaling address used by its SSL tunnel, which is not reported). Its connection status, length of connection, and time since last contact are also reported. These all refer to the secure signaling connection, which the units use to exchange security information, not data connections. Click on the Details column for more information about a given peer’s signaling connection.

Note: The 'true/false' status in the Secure column means that a secure signaling connection has been established and that new accelerated connections will be encrypted. It does not mean that all traffic passing through the unit is encrypted, because non-accelerated traffic is never encrypted by the Appliance.


Server Load Indicator

On the Monitoring: Server Load Indicator page, the System Load gauge indicates the total load on the Appliance. The pointer is in the green region if the load is low, in the yellow region if the load is high, or in the red region if the load is extreme.

Under the gauge, two graphs show the LAN-side data rate, in terms of packets per second and bits per second. The appliance tracks packet rates more closely than bit rates.

The graph at the bottom of the page shows LAN input-queue latency over the last minute. A high input-queue latency indicates that the Appliance is becoming overloaded.

Figure 1. Server Load Indicator

Usage Graph

The Monitoring: Usage Graph page shows real-time throughput graphs for the WAN and LAN sides of the Appliance’s acceleration engine. The graph defaults to a static display, but an auto-refresh mode can be selected by clicking the Toggle link. Clicking the left-arrow icon next to the graph shows information for one period further back in time; clicking the right arrow, if present, moves the display one period forward in time.

The amount of time covered by the display varies from one minute to one month. The shorter timescales are useful when setting parameters such as bandwidth limits or service class rules; the longer timescales are useful for general monitoring.

Restarting the Appliance will cause all the graph data to be lost.

• The graph shows the traffic as seen by the acceleration engine. This means that only TCP traffic is shown, and it is not segregated by link; it shows global TCP traffic through the Appliance.

• Dark blue indicates accelerated 'goodput,' or payload data.

• Light blue indicates the overhead of accelerated connections: packet headers, acknowledgment packets (ACKs), and retransmissions.

• Orange indicates non-accelerated traffic.

• The graphs are stacked, so the topmost point on the graph shows total accelerated traffic (LAN-side graph) or total line usage (WAN-side graph).

Figure 1. Monitoring: Usage Graph page

Tabs at the top of the page allow you to select a timescale to display: the last minute, hour, day, week or month.

Accelerated Line Usage (light blue): Total accelerated line usage, including headers, ACK packets, and retransmitted packets.

Accelerated Goodput (dark blue): Payload data, excluding retransmissions and headers.

Non-Accelerated (orange): Non-accelerated TCP traffic (including data and overhead). Non-TCP traffic is not included in the graph.

Compression is taking place during periods when the LAN traffic is higher than the WAN traffic. In the diagram above, a data stream of 250-300 mbps has been reduced by more than 500:1, to around 400 kbps.

The Graph Settings link takes you to the Configuration: Administrator Interface page, which allows you to change the graphing features, including the frequency of update and whether separate graphs are shown for the sending and receiving directions.

Clicking Popup Graph will create a new window containing a similar auto-refreshing throughput graph.

WCCP

The Monitoring: Appliance Performance: WCCP page reports on the status of the appliance’s WCCP interface. For each configured WCCP service group, it reports the accelerated pair used by that service group, the routers identified for that service group, the type of partner assignment (Hash or Mask), the connection mode (GRE or L2) used by the router, last contact time, connection status, and packets in and out.

The page is auto-updating and lags the actual state of the interface by only a few seconds.

Figure 1. Monitoring: WCCP page

Most of the fields are self-explanatory except for the Status field, which is described below:

Table 1. WCCP status messages

| Text | Description |
|---|---|
| Unknown error | WCCP interface is not working for an unknown reason. |
| Undefined interface | The defined interface for the service group does not exist. |
| Bad configuration | The service group configuration does not make sense. |
| Disable interface | The accelerated interface defined for the service group has been disabled. |
| Bad subnet for interface | The accelerated interface has a network definition that contains no subnet portion (subnet works out to 0.0.0.0, usually due to the subnet field not being defined). |
| Internal problem | Internal software error. |
| Service Group is disabled | The service group has been manually disabled on the WCCP Configuration page. |
| Acceleration is disabled | The service group does not operate when acceleration is disabled. |
| WCCP is disabled | WCCP itself is disabled. |
| Contacting router | No response has been received yet from the router. |
| Connecting to router | At least one packet has been received from the router, and WCCP protocol negotiations are underway. |
| Connected to router | Negotiation is complete and the WCCP interface is fully active. |
| Disconnecting from router | The appliance is terminating its connection to the router, probably due to a user-initiated configuration change. |
| No response from router | The router has been completely unresponsive for at least five minutes. |
| Router’s forward or return capability mismatch | Cannot communicate with the router because the specified mode is not available. Usually means that the appliance is configured for WCCP-L2, but the router does not support this mode. |
| Multicast discovering | Attempting to find multicast service group partners. |
| Multicast failed to discover | No multicast group partners were found in the last five minutes. |
| Multicast shutdown | The multicast service group is no longer attempting to discover partners. |
| Router’s view has other cache | There is another WCCP device, such as another appliance, using the same service group. We do not allow this. |
| Router assignment capability mismatch | There is a mismatch between the configured router assignment and the actual capabilities of the router. For example, if Auto is selected, and communication with the first connected router caused the 'Hash' method to be selected, if a subsequent router does not support 'Hash,' this status message will be given. |
| Router is off-net and appliance’s gateway is invalid | Packet forwarding cannot take place because the appliance’s gateway is invalid (not on the same subnet as the appliance). |
| Service group had socket send error | Internal software error. Please report this event to Support. |

Compression

Compression Graphs Tab

These tabs show graphs and tables based on several timescales (minute, hour, day, etc.):

Figure 1. Compression graphs tabs

• Accelerated Line Usage. This has nothing to do with compression, but shows the top accelerated service classes by the amount of WAN bandwidth used.

• Non-Accelerated Line Usage. This has nothing to do with compression, but shows the top non-accelerated service classes by the amount of WAN bandwidth used.

• Compression by Service Class. Shows the data size before and after compression, for compressed traffic only. This is measured at the compression engine, and gives the amount of data seen by the user’s application (that is, it excludes headers and retransmissions), and thus has data sizes smaller than those seen on the link for both the “before” and “after” categories, since it measures “goodput” rather than total usage.

• Service Class Details. This has nothing to do with compression but shows some statistics on a per-service-class basis.

Compression Status Tab

The Compression Status tab shows cumulative compression statistics rather than second-by-second results. The statistics can be cleared at any time by clicking Clear. This affects only the statistics on this page. Otherwise, the data covers the time since the last restart. Statistics are reported separately for the sending and receiving direction.

Figure 2. Compression status tab

The compression ratios have their usual meaning (uncompressed bytes / compressed bytes).

The “Data Reduction” values are a different way of expressing the same information as the compression ratio. For example, a connection with 10:1 compression has a bandwidth reduction of 90%.

Only payload bytes are considered in these calculations. However, compression aggregates packets (several packets can be compressed into one), so the number of packets (and hence the number of header bytes) tends to be reduced by an amount roughly equal to the compression ratio. That is, a 2:1 compression ratio will tend to halve the number of packets, which is equivalent to 2:1 header compression.

LAN vs WAN

The LAN vs. WAN report compares all LAN traffic to all WAN traffic (including non-accelerated traffic). This can provide meaningful insights in some (but not all) deployments. In simple inline deployments, where LAN traffic is directly related to WAN traffic in some way, the difference between the traffic volumes shows some of the effect of caching and compression, since these operations reduce WAN data usage. However, read-ahead and some flow-control optimizations increase total WAN usage, even though they increase overall performance at the same time, making this page hard to interpret.

Figure 1. Reports: LAN vs. WAN page

As with other historical pages, this covers timescales from “last minute” to “last restart.”

Link Usage

The Monitoring: Optimization: Link Usage page shows the LAN-side and WAN-side traffic in both directions.

As with other historical pages, this covers timescales from “last minute” to “last restart.”

Figure 1. Link Usage page

Service Classes

The Monitoring: Optimization: Service Classes page shows the WAN-side traffic over the specified time period, with each service class shown in a different color, along with a table giving traffic statistics for the service classes. See also the Top Applications graph, which is similar but breaks the traffic down into individual applications, which gives finer-grained reporting than service classes.

As with other historical pages, this covers timescales from “last minute” to “last restart.”

Figure 1. Service Classes

Top Applications

Historical Graphs

The Monitoring: Optimization: Top Applications page lists the most common applications in terms of WAN usage, showing pie charts, a time graph, and a table of total usage over the specified time interval. By default, the top ten applications are listed. This can be changed by clicking Customize.

As with other historical pages, this covers timescales from “last minute” to “last restart.”

The second table on the historical tabs shows the list of applications for a second time, with links to historical information on the application, the parent application, and the application group.

Figure 1. Top Applications

Active Applications Tab

The Active Applications tab shows a table of all applications seen since the last restart, sorted by WAN data volume.

Figure 2. Active Applications tab

Traffic Shaping

The Monitoring: Optimization: Traffic Shaping page shows historical graphs and tables of WAN traffic, with each traffic-shaping policy shown in a different color.

As with other historical pages, this covers timescales from “last minute” to “last restart.” The “last restart” tab has a different format and allows you to click on an individual traffic-shaping policy and see its historical graphs in isolation.

Figure 1. Traffic Shaping page

Configuration Pages

The Configuration pages enable you to set up and adjust the operation of the appliance's features. Basic configuration can be performed on the Quick Installation page alone, but advanced configuration also makes use of these pages.

Administrator Interface

This page has a range of options relating to the browser-based and LCD front-panel interfaces. It is divided into eight tabs: Web Access, HTTPS Certificate, User Accounts, RADIUS, TACACS+, SSH Access, Graphing, and Miscellaneous.

Web Access Tab

Figure 1. Web Access Tab

• Web Access Protocol--Selects between HTTP and secure HTTP (HTTPS). HTTPS is the default.

• HTTP/HTTPS Ports--Sets the port used for each protocol. The non-selected protocol is greyed out. To access it, select the protocol, press Update, and then change the port number. Setting the port numbers to zero will disable browser-based access (re-enabling browser-based access will require the use of the serial interface or the command-line interface).

• HTTP Forwarding to HTTPS--If HTTPS is the selected protocol, attempts to reach the interface via HTTP will result in a redirect to the correct protocol and port.

HTTPS Certificate Tab

HTTPS SSL Certificate, HTTPS SSL Private Key. These boxes allow you to paste in your own certificate and private key for SSL security, which is used by HTTPS. The Appliance is delivered with a default SSL key and certificate, which is not particularly secure. To replace it with your own key and certificate, generate these using your organization’s standard procedure, then paste them into the boxes on the UI page and press the Update button.

Figure 2. Configure Settings: UI page, HTTPS Certificate tab

User Accounts Tab

These user accounts are maintained locally by the Appliance. There are two types of accounts: Admin and Viewer.

• Admin accounts allow the user to view all pages and modify all settings.

• Viewer accounts allow the user to see only the Main page and pop-up performance graphs.

You can create as many accounts as you like.

The menu page is self-explanatory. Changes take effect as soon as the Update, Delete, or Add buttons are pressed.

Figure 3. User Accounts Tab

RADIUS and TACACS+ Tabs

RADIUS and TACACS+ authentication are also supported. The user interface for the two are similar. Enter the IP address of the authentication server, verify the port number (the default is usually correct), enter the shared secret and press the Update button.

Figure 4. RADIUS Authentication Tab

Note on RADIUS authentication--RADIUS authentication will succeed if the RADIUS server returns an 'Accept-Access' packet with an appropriate 'Service-Type' attribute. If 'Service-Type' is 'Login,' then the user is granted viewer access. If it is 'Administrative,' then the user is granted admin access. Otherwise, access is denied.

Figure 5. TACACS+ Authentication Tab

Note on TACACS authentication--Administrative privileges are granted if the TACACS user has privilege level 15. Lower levels will be granted viewer access.

Note: For accounts that exist locally on the Appliance, the locally defined password continues to work after RADIUS or TACACS+ authentication is enabled; the remote server is queried only if the password fails to match the locally stored value.
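The two authorization mappings in the notes above, written out as an added example (not Citrix code): it parses a RADIUS reply, checks the RFC 2865 Response Authenticator, and returns a role only for Service-Type Login or Administrative. The function names, the constructed packets, and the choice to deny on duplicate or malformed attributes are assumptions of this example; Access-Accept is the RFC 2865 name for the packet the note calls 'Accept-Access'.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2        # RADIUS packet code for Access-Accept (RFC 2865)
ATTR_SERVICE_TYPE = 6    # attribute number of Service-Type
# Service-Type values named in the note: 1 = Login, 6 = Administrative.
SERVICE_TYPE_ROLES = {1: "viewer", 6: "admin"}


def build_reply(code, ident, request_auth, attrs, secret):
    """Build a constructed RADIUS reply so the example runs offline."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def parse_attributes(body):
    """Walk the type-length-value list; raise on a length that cannot be right."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def radius_role(packet, request_id, request_auth, secret):
    """Return 'admin', 'viewer' or None (access denied) for a RADIUS reply."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet) or ident != request_id:
        return None
    packet = packet[:length]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                      # forged reply or wrong shared secret
    if code != ACCESS_ACCEPT:
        return None                      # Access-Reject, Access-Challenge, ...
    try:
        attrs = parse_attributes(packet[20:])
    except ValueError:
        return None
    values = [v for t, v in attrs if t == ATTR_SERVICE_TYPE]
    # Assumption of this example: missing, duplicate or odd-sized values deny.
    if len(values) != 1 or len(values[0]) != 4:
        return None
    return SERVICE_TYPE_ROLES.get(struct.unpack("!I", values[0])[0])


def tacacs_role(priv_lvl):
    """Privilege level 15 is admin, lower levels are viewer (valid range 0-15)."""
    if not 0 <= priv_lvl <= 15:
        return None
    return "admin" if priv_lvl == 15 else "viewer"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed sample values
    req_auth = bytes(range(16))
    for label, service_type in (("Login", 1), ("Framed", 2), ("Administrative", 6)):
        reply = build_reply(ACCESS_ACCEPT, 7, req_auth,
                            [(ATTR_SERVICE_TYPE, struct.pack("!I", service_type))], secret)
        print(label, "->", radius_role(reply, 7, req_auth, secret))
```

A RADIUS server that returns Access-Accept without Service-Type, or with a value such as Framed, yields no role here, which matches the note's "Otherwise, access is denied."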

SSH Access Tab

Two methods of accessing the unit are enabled by default, but can be disabled if desired. One is SSH access, which must be running for the CLI feature to work. It also allows Support access to the Appliance if necessary. The other is 'Web Access,' access to the browser-based user interface.

The two functions have Disable/Enable buttons. However, if you disable web access, you will of course not be able to access the button to re-enable it. To re-enable the browser-based user interface, use the RS-232 or CLI interface.

Figure 6. Security: Manage Users page

Graphing Tab

This tab controls the graphing functions of the acceleration engine, which covers the graphs on the Monitoring pages but not those on the Reports pages or the Dashboard, which are configured separately.

• Display WAN Side Graph/Display LAN Side Graph--The data flow is not identical on the LAN side of the Appliance and the WAN side. The differences between the two flows can provide useful information. For example, the difference between accelerated line usage and goodput should be very low on the LAN side, because LANs usually (but not always) have a low packet-loss rate. But if there is a problem with the local LAN (a failing switch, for example, or a port accidentally configured to half-duplex), losses may be high. By default, both graphs are shown.

• Combine Send/Recv Graphs--By default, send and receive traffic are added together, but they can be displayed separately. This is useful on busy systems with traffic moving in both directions.

• Autoscale Graphs--By default, bandwidth graphs are scaled automatically, but they can be scaled to user-specified limits.

• Graph Refresh Rate--The data displayed on the graphs covers 60 seconds of activity and is collected at one-second intervals. The default refresh rate is ten seconds. Sensible values for the refresh interval are between 1 and 60 seconds.

• Autorefresh Graph--Unchecking this box means that the reload browser button must be pressed to see an up-to-date graph.

Miscellaneous Tab

Figure 7. Configure Settings: UI page, Miscellaneous tab

• Lock Changes via LCD--Checking this box prevents system settings from being updated via the front-panel interface. By default, the front-panel is not locked.

• Max Connections Shown on Connection Page--A busy system may have thousands of open connections. The default is to show the first 800. This may be set to any value desired.

• GUI Session Timeout--If the Web interface is idle for more than this time (in minutes), you will have to log in again. Setting the value to zero will disable session timeouts.

• CLI Session Timeout--If the command-line interface is idle for more than this time (in minutes), you will have to log in again. Setting the value to zero will disable session timeouts.

• Login Failure Limit--If an invalid password is given more than this many times in a row, you will not be able to log in until the 'login failure lockout period' has expired.

• Login Failure Lockout Period--Logins are disabled for this many seconds if the 'login failure limit' has been exceeded.

• Show SSL Connection Help Guide--Enables some online help text at the bottom of SSL-acceleration related pages. Disabled by default. Because this User’s Guide has much more comprehensive procedures, this help guide is not recommended.

Advanced Deployments

This page has the configuration for advanced deployment modes: WCCP, high-availability, group mode, and proxy mode.

WCCP Configuration Tab

This page allows WCCP mode to be configured. In WCCP mode, the router sends data to the Appliance, which returns it after processing to the router. Both L2 and GRE transport are supported.

Figure 1. WCCP Configuration Tab

See WCCP Mode for the procedure for setting up your router and Appliance for use with WCCP.

A single Appliance can be shared by multiple routers in WCCP mode, which is convenient for sites with asymmetrically routed links. These routers can all be in a single service class or in different service classes. A given service class supports either multicast or unicast operation, but not both.

The parameters on this page are as follows:

• Enable/Disable. Enables or disables WCCP functionality. If an active WCCP interface is disabled, the router will notice this after a timeout period (less than 60 seconds) and stop sending packets to the Appliance. Instead, it will send them directly to the next-hop router.

• New WCCP Service Group. Opens a dialog box on the right-hand edge of the screen.

• Id. This is the service group number, which is also used by the router. Must not conflict with other WCCP devices on the local network. The default value of 51 is usually adequate.

• Enabled. This allows individual service groups to be enabled or disabled, in addition to the master enable/disable button at the top of the page.

• Priority. This is the WCCP protocol priority. This should be left at the default value of 0.

• Router Assignment. Can be Hash, Mask, or Auto. The default is Hash, which is used by most routers. Some programmable switches support only the Mask method.

• Router Forwarding/Router Packet Return. Can be GRE, Level-2, or Auto. The default is Auto, which means that the Appliance uses GRE if it must and L2 (which is faster) if it can. This capability is negotiated with the router in each direction. The only reason not to use Auto is if a bug in your router prevents negotiation from succeeding. Router packet return is only user-selectable when the Router Communication parameter (below) is set to Multicast.

• Router Communication. Multicast or Unicast. The default is Multicast, which requires that you set up a multicast address in your routers and at the Appliance. With Unicast, the Appliance must be given the router’s address, but the router does not need to know the Appliance’s address. Although Multicast is the default, Unicast is the more flexible mode and requires less configuration, so it is recommended.

• Multicast Address. If Multicast is selected, this gives the multicast address used by your routers and Appliances for this purpose.

• Time To Live [1-15]. The TTL value for packets sent by multicast. Some routers insist that this be set to 1, meaning that the packet cannot be forwarded beyond the current subnet. This makes multicast operation more restrictive than unicast operation.

• Router Addressing. One or more addresses for your routers. If you specify more than one router’s IP address, the Appliance will work with multiple routers within the same service group. Alternatively, you can assign different routers to different service groups. The results are functionally equivalent.

• Create. Don’t forget to click Create before leaving the page.

High Availability (HA) Tab

Note: Clicking Update will terminate all open TCP connections.

This page allows you to set up Appliances as high-availability pairs, so that if one unit fails, the other will take over.

High Availability Status: One of Standalone, Primary, or Secondary. A standalone unit is not part of an HA pair. A primary unit is actively handling accelerated connections. A secondary unit is idle, ready to take over if the primary unit fails.

Partner High Availability Status: Status of the HA partner, if present.

SSL Common Name: Uniquely identifies this Appliance. You type this string into the Partner SSL Common Name field on your HA partner Appliance.

Virtual VIP Configuration: The virtual IP address used to manage the pair as a unit is not set here, but on the Configure Settings: UI page. A link is provided here.

VRRP VRID: This identifies the HA pair according to the VRRP (Virtual Router Redundancy Protocol) as defined in RFC 2338. The default value of 0 is not a valid VRRP VRID, which must be in the range of 1-255. If there are no other VRRP devices on the subnet containing the Appliance, the choice of a VRRP ID is arbitrary.

Note that, while the Appliance uses a VRRP ID (which is designed primarily for routers), the Appliance is not a router.

Partner SSL Common Name: Copy this from the Acceleration Partner’s SSL Common Name field.

Enabled: Turns high-availability functionality on or off. You will be warned that enabling or disabling high availability will terminate all open connections.

HA Partner Info Tab

Lists information about the HA partner unit, if configured.

Figure 2. HA Partner Info Tab

HA VIP Address Tab

Repeats the VIP information from the Configure Settings: Network Adapters: IP Addresses tab.

Figure 3. HA VIP Address Tab

Group Mode Tab

Group mode is a means for allowing two or more redundant links to be shared by two or more inline Appliances, with no requirement that all the packets for a given connection pass through the same Appliance.

Group mode and the fields on the Group Mode page are fully explained in Group Mode.

Figure 4. Group Mode Tab

HA/Group Mode SSL Certificates Tab

When an Appliance is a member of a high-availability pair or group-mode group, these certificates and keys are used to authenticate each other.

Private keys and certificates are factory-installed, but can be replaced, if desired. Click Edit, and paste the new certificates and key in the boxes provided, replacing the old ones, then click Update.

Proxy Tab

In proxy mode, the Appliance masquerades locally as the remote system. Traffic for the remote system is then forwarded to a remote Appliance and then to the remote system itself.

Figure 5. Proxy Tab

Proxying involves address translation. The addresses are entered in the Proxy Configuration page.

With a proxy connection, one end of the connection may be left in inline mode. When this is done, the in-lined appliance requires no configuration.

When you enter a new proxy definition, the appliance pings the target address when you click Add. If the ping is unsuccessful, a warning icon is displayed and the target address is shown in red. However, the proxy entry is still active. On paths where pings are blocked but TCP traffic is not, the proxy definition will work in spite of the warning icon.

Application Classifiers

The Configuration: Application Classifiers page defines all the applications recognized by the CloudBridge classifier.

Figure 1. Defining a New Application

The classifier uses application definitions to divide the traffic into protocols and applications. This is used to create reports and to set traffic-shaping policies through the service-class mechanism. A great many applications are already defined, and you can define more as needed.

• Application Group list--Applications are divided into groups, and by selecting one from the Application Group list, you can restrict the display to the members of the selected group.

• Only show user modified settings checkbox--This checkbox allows you to show only applications that differ from the defaults, whether by being added or modified.

• Auto-discover Citrix published applications checkbox--This option allows any Citrix published applications seen in the data stream to be added to the application list automatically. Once discovered, they will show up in reports and can be used for traffic-shaping policies.

• Expand All/Collapse All buttons--In the collapsed state, just the application names are displayed. Otherwise, their definitions are shown as well.

• Create button--Used to create a new application.

• Edit button--Allows an existing application to be altered. This process is essentially the same as creating a new application.

• Delete button--Deletes an application.

Note: Use caution when editing or deleting applications, since there is no way to reset the definitions to their defaults without resetting the entire Appliance to its factory defaults.

Licensing

A license file must be installed before your Appliance will accelerate connections. License files are generally obtained on MyCitrix. See the release notes for more information.

Figure 1. License Information Tab

The License Information tab gives the information needed for the creation of a license for your Appliance, or to match up a pre-generated license with the correct Appliance. If a license has been successfully installed, the Required Action field will say, None.

The format of the License Information tab is different if no license has been installed. The Required Action field will report that only a legacy license is installed. A link is provided to go to MyCitrix and obtain another.

License Server Tab

This tab specifies whether licenses will be obtained locally or remotely. If local licenses are used, they are installed using the Local Licenses tab. With remote licensing, the license file is installed on a Citrix License Server running on the machine of your choice. Remote licenses were introduced in release 5.6.

Figure 2. License Server Tab

If remote licenses are used, the Remote License Server address must be supplied, plus the Remote License Server Port (the default value will almost always be correct). Also, the type of license must be specified in the Model pull-down menu.

These licenses specify the maximum supported bandwidth. The remote license server needs to have a license available for the model selected, or no license will be acquired.

If SSL acceleration, MAPI acceleration, or signed SMB acceleration are required, then a “crypto license” must also be installed. Checking the Crypto License Requested box will acquire a crypto license, if available.

Local Licenses Tab

This tab is where you install the license itself. Most Appliances with local licenses will have 1-3 active licenses: for acceleration, for the CloudBridge Plug-in, and for SSL acceleration (the crypto license).

The steps for installing a license are:

1. Add a new license by pressing the Add button.

2. Type a name into the License Name Field. This name can be anything, but it cannot be blank.

3. Upload the license you obtained from Citrix via the Add box.

4. Press the Install button.

5. After a delay, the license should install successfully.

Licensed Features Tab

This tab reports the features that have been licensed for this Appliance.

Figure 3. Configuration: Licensing page

Links

The Configuration: Links page is where your WAN and LAN links are defined. Defining links enables the Appliance’s reporting and traffic shaping.

Link Definition Tab

This tab is the entry point for defining and modifying links. New links are defined by clicking the Create button. Existing links are modified by clicking the Edit button. Both these actions take you to a similar form that allows you to specify link-definition rules.

Figure 1. Link Definition tab

The order in which the links are shown on this tab is significant. When deciding which link a packet belongs to, the Appliance tests the links in order, and the first matching link is selected. This means that overlapping definitions are allowed, and the last definition in the list can match all traffic, serving as a default link.

The Order buttons can move a link up or down the list.

The Expand All button will show the expanded form of the display, summarizing the link definitions instead of displaying only the names of the link.

The Edit Link and Create Link Forms

A link definition has a set of send/receive bandwidth limits and a list of rules that define which traffic belongs to the link. Within a rule, the fields are all ANDed together, so all specified values have to match. All fields default to Any, a wildcard entry that matches all traffic. When a field consists of a list, such as a list of IP subnets, these are ORed together: that is, if any element matches, then the list as a whole is considered to be a match.

Figure 2. Edit Link form

Figure 3. Create Link form

Links can be based on the Ethernet adapter associated with the traffic, the source and destination IP addresses, VLAN tag, WCCP service group (for WCCP-GRE only), and the source and destination Ethernet MAC address. A simple inline deployment might identify only the LAN-side and WAN-side accelerated bridge ports (apA.1 and apA.2), while a complex datacenter deployment might need to use most of the features provided on the form to disambiguate traffic.

Defining a link in terms of its IP addresses is possible except when redundant links are used. Since a given packet may go over either link in an active-standby or active-active dual-link deployment, some other method must be used to determine which link the packet is using. If dual bridges are used, then the traffic for one link can go over apA and the other over apB, and the links can be defined in terms of adapters. If the two links are served by different routers, the MAC addresses of the routers can be used to tell the traffic apart. When all else fails, WCCP-GRE can be used, and the router can use a different service group for each WAN link, allowing the CloudBridge unit to tell the link traffic apart by service group.

• Adapter--This specifies a list of adapters (Ethernet ports). When links can be identified by Ethernet adapter, this simplifies configuration.

• Src IP--The Source IP rules are considered for packets entering the unit (packets exiting the unit are ignored). On these packets, the rules in the Src IP field are compared against the Source Address field in the IP header. The rule specifies a list of IP addresses or subnets. Negative matches, such as “Exclude 10.0.0.1” are also supported.

• Dst IP--The Destination IP rules are considered for packets exiting the unit (packets entering the unit are ignored). On these packets, the rules in the Dst IP field are compared against the Destination Address field in the IP header. The rule specifies a list of IP addresses or subnets. Negative matches, such as “Exclude 10.0.0.1” are also supported.

• VLAN--The VLAN rules are applied to the VLAN headers of packets entering or exiting the unit.

• WCCP Service Group--The WCCP Service Group rules are applied to GRE-encapsulated WCCP packets entering or leaving the unit. (This does not work with L2 WCCP.)

The traffic classifier uses the Src IP and Dest IP fields in a specialized way (the same applies to Src MAC and Dst MAC):

• The Src field is only examined on packets entering the appliance.

• The Dst field is only examined on packets exiting the appliance.

This convention allows the direction of packet travel to be implicitly considered as part of the definition. The same concept applies to the Src MAC and Dst MAC rules.
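
The matching semantics described above (first matching link wins, fields ANDed, list elements ORed, Src checked only on entering packets and Dst only on exiting packets) can be modelled in a few lines of Python. This is an added example, not Citrix code: the class names, the "in"/"out" direction labels, the sample addresses, and the treatment of multiple rules in one link as alternatives are assumptions, and Exclude entries and MAC/WCCP fields are not modelled.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = None  # wildcard: the field places no constraint on the packet


@dataclass
class Rule:
    """One link-definition rule; every field that is set must match (AND)."""
    adapters: Optional[List[str]] = ANY   # e.g. ["apA.1"]
    src_ip: Optional[List[str]] = ANY     # subnets, checked on entering packets
    dst_ip: Optional[List[str]] = ANY     # subnets, checked on exiting packets
    vlan: Optional[List[int]] = ANY


@dataclass
class Link:
    name: str
    # A link with no explicit rules gets one all-Any rule: a default link.
    rules: List[Rule] = field(default_factory=lambda: [Rule()])


@dataclass
class Packet:
    adapter: str
    direction: str            # "in" = entering the appliance, "out" = exiting
    src: str
    dst: str
    vlan: Optional[int] = None


def in_list(value, allowed):
    """A list field matches if any element matches (OR); ANY matches all."""
    return allowed is ANY or value in allowed


def ip_in_list(addr, subnets):
    if subnets is ANY:
        return True
    return any(ip_address(addr) in ip_network(s) for s in subnets)


def rule_matches(rule, pkt):
    if not in_list(pkt.adapter, rule.adapters):
        return False
    if not in_list(pkt.vlan, rule.vlan):
        return False
    # Direction is implicit: Src applies to entering packets only,
    # Dst applies to exiting packets only.
    if pkt.direction == "in" and not ip_in_list(pkt.src, rule.src_ip):
        return False
    if pkt.direction == "out" and not ip_in_list(pkt.dst, rule.dst_ip):
        return False
    return True


def classify(links, pkt):
    """Return the name of the first link that matches, or None."""
    for link in links:
        if any(rule_matches(rule, pkt) for rule in link.rules):
            return link.name
    return None


# Constructed sample configuration: the all-Any link is last, so it acts
# as the default for traffic that no earlier definition claims.
LINKS = [
    Link("LAN", [Rule(adapters=["apA.1"])]),
    Link("WAN-branch", [Rule(adapters=["apA.2"],
                             src_ip=["10.2.0.0/16"],
                             dst_ip=["10.2.0.0/16"])]),
    Link("WAN-default"),
]

if __name__ == "__main__":
    for pkt in (
        Packet("apA.1", "in", "10.1.0.5", "10.2.5.9"),
        Packet("apA.2", "in", "10.2.5.9", "10.1.0.5"),
        Packet("apA.2", "out", "10.1.0.5", "10.2.5.9"),
        Packet("apA.2", "in", "198.51.100.7", "10.2.5.9"),
    ):
        print(pkt, "->", classify(LINKS, pkt))
```

The last packet lands on the default link even though its destination is in 10.2.0.0/16, because the Dst field is not examined on packets entering the appliance.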

Hardboost/Softboost Tab

This tab allows you to select between hardboost and softboost modes. If hardboost is selected, the hardboost bandwidth limit must be set. This number represents the speed at which the acceleration engine will attempt to send and receive data and must be no faster than the WAN link on which the hardboost partner is reached.

Figure 4. Hardboost/Softboost tab

When softboost is selected, these bandwidth limits are not in effect and are not shown.

Traffic Shaping Tab

This tab shows all the service-class traffic-shaping policies sorted by link, making it easier to do per-link policy selection.

Figure 5. Traffic Shaping tab

Logging/Monitoring

The Configuration: Appliance Settings: Logging/Monitoring page controls the logging and alert settings for the Appliance. It has seven tabs: Log Options, Log Extraction, Log Statistics, Log Removal, Alert Options, Syslog Server, and SNMP.

Log Options Tab

These options set the kind of information that is stored in the log:

• Log System Records—This gives general statistics about connections every 60 seconds. Most users will want to disable this option.

• Log Adapter Records—This reports the status of each Ethernet port every 60 seconds. Most users will want to disable this option.

• Log Flow Records—This summarizes the status of the communication between this unit and each active Acceleration Partner every 60 seconds. Most users will want to disable this option.

• Log Connection Records—This summarizes the state of each active accelerated connection every 60 seconds. Most users will want to disable this option.

• Log Open/Close Records—Adds a log entry whenever an accelerated connection is opened or closed. These records contain performance statistics in addition to identifying the endpoints and the connection duration. Leave this option enabled.

• Log Text Records—Shows kernel and other OS messages. Leave this option enabled.

• Log Alert Records—Repeats the information from the Alerts page in the log. Leave this option enabled.

• Other Settings—The Log Max Size, Lines Displayed, and Max Export Count fields are self-explanatory and rarely need to be changed.

Figure 1. Log Options Tab

Log Extraction Tab

To export log files, select a range of entries by number or date/time, and click Export. Your browser will show an Open/Save dialog that allows you to open the log file with a default application or save it to a file. Log files are exported as ordinary ASCII text files with a .txt extension or as XML files. Line ending style is selectable for convenience when importing to systems with different newline conventions (such as Windows CR/LF vs. UNIX LF).

Figure 2. Log Extraction Tab

Log Statistics Tab

The Log Statistics tab gives basic information about the logging system.

Figure 3. Log Statistics Tab

Log Removal Tab

You can erase the log files by clicking Remove.

Alert Options Tab

Two Kinds of Alert Message

There are two kinds of Alerts:

1. User-configurable alerts, which appear on the Configure Settings: Alert page. These are mostly informational and are primarily of use when troubleshooting. Each of these alerts has a radio button to select between Alert, Logged, and Disabled.

2. Internal alerts. These generally indicate a more serious problem, and cannot be masked by the user. They do not appear on the Configure Settings: Alert page.

User-Configurable Alerts

• Alerted means that when the condition occurs, it will be logged, the alert icon will appear at the top of the screen, and the condition will be listed when the Error link is clicked.

• Logged means that when the condition occurs, it will be logged, but the alert icon will not appear and the condition will not be listed when the Error link is clicked.

• Disabled means the condition will not be logged. Not all conditions can be disabled. These lack a radio button under the Disabled column.

• The Alert Retention Time parameter sets how long an Alert stays active after the condition that caused it has gone away.

Figure 4. Part of the Alert Options Tab

Each parameter has an associated description in the Help column (the text for which will not be repeated here).

Changes will not take effect unless you click Update.

The Reset to defaults button restores the factory-recommended settings.

Alerts include:

• WAN Loss Rate

• LAN Loss Rate

• Connection Stalled (probable application hang)

• Connection Timeout

• Invalid Connection Attempt

• NIC Negotiated Half-Duplex

• ARP Timeout

• Attempt to Exceed License Key File Limit

• Asymmetric Network Configuration

• Invalid or Illegal Packets Received

• Out of CPU Resources

• Out of Memory Resources

• Internal Errors

• Compression Error Detected

• Softboost-Hardboost Mismatch

• Disk Drive is Degraded

• NIC Watchdog Bypass Event

• Disk is Fragmented

• Network Unreachable

• DNS Lookup Failed

• Appliance in the Middle Intercepting Options

• Major Internal Errors

• Minor Internal Errors

• Internal Warning

• WCCP Detected Major Error

• WCCP Detected Minor Error

• WCCP Warning

• Network Driver Hang Detected

• Signaling Channel Establishment Error

• SCPS Mode Mismatch Detected

• CloudBridge Plug-in count is nearing its limit

• SSL Communication Error

Internal Alerts

Contact your support representative if you receive Alert messages that are not represented on the Configure Settings: Alert page.

Some of these messages give guidance about whether you should contact us immediately or at your convenience.

Alert Messages

Potential error conditions are reported at one of three levels: they can be ignored, they can be logged, or they can be logged and also cause an Alert warning to appear at the top of the page.

The Alerts page lets you select the reporting for different types of error. Clicking on the link displays information about the outstanding alerts.

Figure 5. Alert Details Page

Alerts will clear themselves if the problem goes away for long enough (by default, for one hour).

Syslog Server Tab

Log entries can be sent to a syslog server at any IP you select.

Alert messages are sent with a severity level of “warning”. All other messages are sent with a severity of “info”.

Alert messages contain the string “ALERT:”.

All messages are sent to the syslog server, whether they are enabled in the Log Options tab or not.

An example of syslog output is shown below. The Appliance is identified through the management IP at the start of the message. Each message is formatted as a single line.

May 08 14:40:36 172.16.0.101 Open:69.59.212.183:3672 Partner:172.16.0.102{00-13-72-3C-68-51}->207.47.50.203:443
May 08 14:40:37 172.16.0.101 Connection Status:66.151.150.190:443<->69.59.212.183:3609 Duration:58.000 Sec
May 08 14:40:37 172.16.0.101 Connection Status:207.47.50.203:443<->69.59.212.183:3668 Duration:0 Secs

Figure 6. Configure Settings: Syslog Server
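
On the receiving side, the single-line format shown above is easy to parse for triage. The following Python parser is an added example, not part of the Citrix documentation: the field names are assumptions, the first three sample lines are the ones shown on this page, and the alert line and the malformed line are constructed for illustration (the page states only that alert messages contain "ALERT:" and are sent at "warning" severity).

```python
import re
from collections import Counter

# "<Mon DD HH:MM:SS> <management IP> <message>", one message per line.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<appliance>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<msg>.*)$"
)
DURATION_RE = re.compile(r"Duration:(?P<secs>\d+(?:\.\d+)?) Secs?")


def parse_line(line):
    """Return a dict for one syslog line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    msg = m["msg"]
    if "ALERT:" in msg:
        kind, severity = "alert", "warning"   # alerts are sent as "warning"
    elif msg.startswith("Open:"):
        kind, severity = "open", "info"
    elif msg.startswith("Connection Status:"):
        kind, severity = "status", "info"
    else:
        kind, severity = "other", "info"
    record = {
        "timestamp": m["ts"],
        "appliance": m["appliance"],      # management IP of the sender
        "kind": kind,
        "expected_severity": severity,
        "message": msg,
    }
    duration = DURATION_RE.search(msg)
    if duration:
        record["duration_s"] = float(duration["secs"])
    return record


def summarize(lines):
    """Count message kinds and alerts per appliance; keep unparsed lines."""
    kinds, alerts, unparsed = Counter(), Counter(), []
    for line in lines:
        record = parse_line(line)
        if record is None:
            unparsed.append(line)
            continue
        kinds[record["kind"]] += 1
        if record["kind"] == "alert":
            alerts[record["appliance"]] += 1
    return {"kinds": kinds, "alerts_by_appliance": alerts, "unparsed": unparsed}


SAMPLE = [
    # The three lines shown in the documentation example:
    "May 08 14:40:36 172.16.0.101 Open:69.59.212.183:3672 "
    "Partner:172.16.0.102{00-13-72-3C-68-51}->207.47.50.203:443",
    "May 08 14:40:37 172.16.0.101 Connection Status:"
    "66.151.150.190:443<->69.59.212.183:3609 Duration:58.000 Sec",
    "May 08 14:40:37 172.16.0.101 Connection Status:"
    "207.47.50.203:443<->69.59.212.183:3668 Duration:0 Secs",
    # Constructed lines (not from the documentation):
    "May 08 14:41:02 172.16.0.101 ALERT: NIC Negotiated Half-Duplex",
    "-- truncated line --",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Because the appliance sends every message to the syslog server regardless of the Log Options settings, filtering on the "ALERT:" marker at the collector keeps alert handling independent of per-appliance log configuration.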

SNMP Tab

This tab sets up SNMP monitoring of the Appliance. SNMP operation is disabled by default, but is enabled by the button at the top of the page. SNMP v1 and v2c are supported.

Figure 7. SNMP Tab

Fields on this page have their conventional meanings. Management access must be restricted by giving an IP or network number for the “management station.” However, this can be circumvented by setting the IP Bit Mask to zero (equivalent to a bit mask of 0.0.0.0). To give access to any host on a Class C subnet, set the IP Bit Mask to 24 (equivalent to 255.255.255.0). To limit access to a single host, set the IP Bit Mask to 32 (equivalent to 255.255.255.255).

SNMP accesses are read-only; that is, monitoring but not configuration is supported by SNMP.

The parameters available via SNMP are documented in the .MIB files themselves.
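
Since an IP Bit Mask of zero removes the management-station restriction entirely, it is worth checking the configured values across appliances. The following Python check is an added example, not Citrix code: the inventory tuples, appliance names, addresses, and the 256-address review threshold are constructed assumptions.

```python
from ipaddress import ip_address, ip_network


def scope(station_ip, bit_mask):
    """Network that the management-station IP and IP Bit Mask admit."""
    if not 0 <= bit_mask <= 32:
        raise ValueError("IP Bit Mask must be between 0 and 32")
    # strict=False: host bits in station_ip are masked off, as a
    # prefix-length match would do.
    return ip_network(f"{station_ip}/{bit_mask}", strict=False)


def admits(station_ip, bit_mask, source_ip):
    """True if source_ip would be accepted as a management station."""
    return ip_address(source_ip) in scope(station_ip, bit_mask)


def audit(inventory, max_addresses=256):
    """Return (appliance, network, issue) for settings that need review.

    max_addresses is a constructed review threshold, not a product limit.
    """
    findings = []
    for name, station_ip, bit_mask in inventory:
        net = scope(station_ip, bit_mask)
        if bit_mask == 0:
            issue = "mask 0: any host is accepted as the management station"
        elif net.num_addresses > max_addresses:
            issue = f"{net.num_addresses} addresses admitted"
        else:
            continue
        findings.append((name, str(net), issue))
    return findings


# Constructed inventory: (appliance name, management station IP, IP Bit Mask)
INVENTORY = [
    ("cb-branch-1", "10.0.0.50", 32),   # single host
    ("cb-branch-2", "10.0.0.0", 24),    # one Class C subnet
    ("cb-dc-1", "10.0.0.50", 0),        # restriction circumvented
    ("cb-lab-1", "172.16.0.0", 12),     # very wide range
]

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```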

Installing the SNMP MIB Files

SNMP MIB files can be downloaded from the links at the bottom of the page. The files reside on the Appliance. They must be loaded into the SNMP manager in the following order:

APPACCELERATION-PRODUCTS-MIB.txt
APPACCELERATION-SMI.txt
APPACCELERATION-STATUS-MIB.txt
APPACCELERATION-TC.txt
CITRIX-COMMON-MIB.txt

Network Adapters

IP Addresses Tab

This tab allows you to configure the IP address, netmask, gateway, HA virtual address, and VLAN of each interface, as well as enabling or disabling the interface.

Figure 1. IP Addresses Tab

For complete information on port usage. What follows below is a summary.

Accelerated Pairs

Most Appliances have four ports: two configured as a bridge called “Accelerated Pair A,” or apA, and two non-bridged motherboard ports, Primary and Aux1.

A typical installation uses only apA. Some Appliances may have a second accelerated pair. Acceleration is not supported on Primary or Aux1.

Accelerated pairs do not require an IP address for simple inline-mode operation, but an IP address is required if you use the CloudBridge Plug-in, WCCP, or SSL acceleration. If apA is left without an IP address, the Primary port should be enabled and have an IP address assigned to it so that the Appliance can be managed. Access from the serial and front-panel interfaces will still be active. Per-port access is controlled on the Configuration: Network Adapters page.

Address Formats

Except for the hostname, the network settings expect static IP addresses or masks in the usual decimal dotted-quad notation, such as “10.0.0.150”. These should be assigned as if the Appliance were simply another computer on its subnet, not as if it were a router (since it isn’t a router).

Changes do not take effect until you click the Update button and restart the unit.

HA Virtual IP Addresses

If high-availability mode is used, one enabled interface needs to define an HA virtual IP address. This is used to manage the pair as if it were a single unit. Both Appliances in the pair use the same HA Virtual IP address.

Web Management Access

By default, the browser-based user interface can be accessed from any enabled interface. You can use this checkbox to disable management access on selected interfaces.

VLAN Settings

If your network uses VLANs, the Appliance should be set to a valid VLAN address.

Inline traffic will be accelerated regardless of the VLAN addresses (if any) of the packets, but traffic addressed to the Appliance itself must match the Appliance’s VLAN setting – that is, either no VLAN at all or a matching VLAN.

The correct VLAN setting is necessary for the proper operation of:

• The browser-based user interface.

• Virtual inline mode.

• Proxy mode.

VLAN support is enabled by entering the VLAN number (a decimal number in the range of 0-4095), checking the Enable box, and pressing Update.

Changes do not take effect until the unit is restarted.

Note: When the VLAN is enabled, the management interface only responds to browser traffic from the specified VLAN. Thus, accidentally specifying the wrong VLAN will make the browser-based interface inaccessible. This can be reset from the LCD front-panel interface.

Ethernet Tab

Each Ethernet interface used by the Appliance is listed here, along with its speed (10, 100, or 1000 Mbps), its duplex setting (full or half), and its auto-negotiation state (auto or forced to a specific mode).

Figure 2. Ethernet Tab

Note: Auto-negotiation failures on Fast Ethernet (100 Mbps) networks are the most common cause of performance problems with Appliances. These are caused by a flaw in the Fast Ethernet Specification.

A pull-down menu allows you to reset the modes of the individual Ethernet ports. Changes do not take effect until you click the Update Adapter Configuration button.

Clicking on the individual adapter links (such as eth1) will open the Detailed Information page for the adapter.

Detailed Adapter Information

The Detailed Adapter Information page gives both summary statistics for the adapter and second-by-second transmit and receive statistics.

Clicking on the black arrows next to the graphs will move the view into the past (left arrows) or towards the present (right arrows) in one-minute increments.

The table offers More Info links for bridged adapters (that is, the two adapters used in inline mode) and individual flows. (A flow is the set of all accelerated connections between a given pair of Appliances.) The statistics for bridged adapters and individual flows are similar to those for individual adapters, with summary tables and second-by-second graphs.

Figure 3. Ethernet Adapter Detailed Information Page, Top Half

Figure 4. Ethernet Adapter Detailed Information Page, Bottom Half

CloudBridge Plug-ins

This page controls how the Appliance interacts with CloudBridge Plug-in. CloudBridge Plug-in support is a licensed option; so this page is greyed out if no Plug-ins are supported by your license.

Signaling Channel Configuration Tab

Figure 1. Signaling Channel Configuration Tab

This tab controls the basic operation of the Appliance when dealing with Plug-ins.

• Signaling IP--This is an IP address that is used for the signaling connection between the Plug-in and the Appliance, which transfers status information, and for data connections when using redirector mode.

• Signaling Port--This is the port used by the signaling connection. Defaults to port 443 (HTTPS), which is generally the best choice.

• Connection Mode--Choices are transparent mode (in which connections are intercepted and accelerated transparently, as with Appliance-to-Appliance communication) and redirector mode (where the Plug-in addresses accelerated connections to the signaling IP directly). Transparent mode is recommended; redirector mode has several liabilities that make it a mode of last resort.

• Enable Plug-in-Appliance RTT Detection--This feature prevents acceleration when the Plug-in and Appliance are on the same LAN. Such “local acceleration” is undesirable because the Appliance’s bandwidth limit will be applied to local connections, which will greatly reduce the speed of LAN-to-LAN traffic.

• Min Plug-in-Appliance RTT for Acceleration--This value should be larger than any RTT (ping time) seen on the local LAN, but smaller than that seen by any remote user. The default value of 20 ms is adequate for most networks.

• Refresh/Cancel/Apply--Depending on context, some subset of these buttons will appear.

Note: Changes to the connection status will not be updated in real time. Click Refresh to see the actual status.

Acceleration Rules Tab

This tab defines which Plug-in connections will be accelerated. The rules are based on the destination address of the connection’s SYN packet (that is, the IP address of the server). Rules can either include or exclude addresses or port ranges. The first matching entry determines whether Plug-in acceleration is allowed or disallowed.

Note: If the rules on this page specify that acceleration is allowed, acceleration will be enabled even if it is forbidden on the service-class policies page.

Best Practices With Acceleration Rules

• Use Accelerate rules for all subnets that are local to the Appliance. Generally this means the LAN subnets at the site where the appliance is installed.

• If there are any destination addresses in this space that are not really LAN addresses, add Exclude rules for these addresses and move the Exclude rules above the Accelerate rules. This would include any remote sites with addresses that seem local.

• If the appliance is in line with a VPN (and is not in line with anything else), and is operating in transparent mode, you can set the Appliance to accelerate your entire enterprise rather than just the local site. In this case, the only accelerated connections will be from Plug-in VPN connections and accelerating all the traffic between the Plug-in and VPN is optimal.
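
Because the first matching entry decides, an Exclude rule placed below a broader Accelerate rule never takes effect. The following Python check is an added example, not Citrix code: it evaluates an ordered rule list the way the tab describes and reports rules that are fully covered by an earlier rule with the opposite action. The rule tuple layout, the sample subnets and ports, and the None result when no rule matches are assumptions.

```python
from ipaddress import ip_address, ip_network

# Each rule: (action, destination subnet, (first port, last port)).


def decide(rules, dst_ip, dst_port):
    """Return the action of the first matching rule, or None if none match."""
    for action, subnet, (lo, hi) in rules:
        if ip_address(dst_ip) in ip_network(subnet) and lo <= dst_port <= hi:
            return action
    return None


def shadowed(rules):
    """Find rules that can never take effect.

    Returns (index of shadowed rule, index of the earlier covering rule)
    for each rule whose subnet and port range lie entirely inside an
    earlier rule that has a different action.
    """
    conflicts = []
    for j, (action_j, subnet_j, (lo_j, hi_j)) in enumerate(rules):
        net_j = ip_network(subnet_j)
        for i in range(j):
            action_i, subnet_i, (lo_i, hi_i) = rules[i]
            covers = (net_j.subnet_of(ip_network(subnet_i))
                      and lo_i <= lo_j and hi_j <= hi_i)
            if covers and action_i != action_j:
                conflicts.append((j, i))
                break
    return conflicts


# Constructed example: 10.1.0.0/16 is the local LAN space, but
# 10.1.200.0/24 is a remote site whose addresses only look local.
MISORDERED = [
    ("accelerate", "10.1.0.0/16", (1, 65535)),
    ("exclude", "10.1.200.0/24", (1, 65535)),   # never reached
]
FIXED = [MISORDERED[1], MISORDERED[0]]          # Exclude moved above Accelerate

if __name__ == "__main__":
    print("misordered:", decide(MISORDERED, "10.1.200.7", 445),
          shadowed(MISORDERED))
    print("fixed:     ", decide(FIXED, "10.1.200.7", 445), shadowed(FIXED))
```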

General Configuration Tab

This tab enables various housekeeping and diagnostic features related to the CloudBridge Plug-in. The operation of most features is TBD.

Figure 2. General Client Configuration

Secure Partners

This page is used to set up the SSL signaling connection used by SSL compression.

Figure 1. Configuring Peer Communication

Service Classes

Service Class Definition Tab

Service classes map applications, IP ranges, incoming Diffserv (DSCP) fields, or VLANs to acceleration and traffic-shaping policies.

Figure 1. Service Class Definition Tab

This page shows the list of defined service classes. This is an ordered list; the first matching service-class definition will be used. Each service class has controls to move the definition within the list, edit the definition, or delete it.

By default, only the service class names are shown, but they can be expanded to summarize their definitions as well.

Creating a New Service Class

Click on the Create button at the top of the page. This will pop up the Create Service Class Page. Give the new service class a name, select an acceleration policy (choices are: none, flow-control only, memory-based compression only, and disk-based compression), assign a traffic-shaping policy, and enter a set of filter rules. Typically a single filter rule will be used, specifying an application or an IP range.

Rules can be based on the application, source and destination IP address, VLAN tag, or the incoming DiffServ (TOS/DSCP) bits. If the SSL Profiles field is used, any traffic matching the service class is considered to also match the selected SSL profile.

The traffic-shaping policies can be set to the same policy for all links or with per-link policies. In most installations, per-link policies are not desirable.

Multiple rules can be specified. Fields within a single rule are ANDed together, so all specified fields must match. When multiple rules are used, they are evaluated in order. If any rule matches, the traffic is considered to belong to the service class.

Traffic-shaping policies are chosen from the pull-down menu. By default, a range of policies from Very Low to Very High are defined, each policy having twice the weighted priority of the next-lower policy. In addition, there is a VoIP Traffic policy that has an effectively infinite weight (and thus must be used with caution), and a Default Policy.

Editing an Existing Service Class

This process is essentially the same as creating a new service class.

Meaning of Acceleration Policies

Flow Control Only--The Flow Control checkbox enables or disables acceleration. Recommended for traffic that is 100% uncompressible because the same data will never be seen twice (mostly encrypted protocols and live video). Note that pre-compressed traffic such as JPG images, ZIP archives, and audio/video streams that are played more than once are all highly compressible on the second pass. For example, if two people play the same YouTube video, the compressor will achieve a high compression ratio for the second user, since the video data will be the same as before and will match the first copy.

Disk Compression--Enables flow control and the full range of compression features (disk-based and memory-based compression). Recommended for most traffic.

Memory-based Compression--Enables flow control and memory-based compression only. This option is rarely used.

Rules are Evaluated In Order

Acceleration policy--When a connection is opened, the first matching policy in the list will be used. Rules can be moved up and down in the list using the Move Up and Move Down buttons. Changes do not take effect until the Apply button is pressed.

Acceleration policies are based solely on information available on the first packet of the connection (the SYN packet). The results of deep packet inspection are not available until later in the connection, so such matches cannot be made.

Acceleration policies are only meaningful on accelerated connections.

Traffic-Shaping Policy--The initial traffic-shaping policy is based on the first packet seen, but deep-packet inspection may change this decision. For example, an application that is defined based on a URL will match when a data packet containing an HTTP GET url command is seen. This will reclassify the traffic-shaping policy for the connection.

All WAN data flows have a traffic-shaping policy, whether they are accelerated or non-accelerated, TCP or non-TCP.

Only Acceleration Features Allowed by Both Units Are Used

Only acceleration options that are agreed upon by both Appliances will be used. For example, if one unit selects compression for a connection and the other does not, the connection will be uncompressed. Traffic will not be accelerated unless there are two Appliances involved, one at either end of the link, and both enable flow-control or compression for the connection.

Other TCP Traffic is a special category that specifies the default acceleration action to take if no other service classes apply.

Special-Case Handling for Internet HTTP/HTTPS

The service class policies for HTTP and HTTPS are split into Private and Internet variants. The reason for this is that some Web sites have paranoid firewalls that reset TCP connections with unknown TCP options, which sometimes include acceleration options. While such connections will be retried as unaccelerated connections after a timeout period, this is time-consuming and annoying to the users.

The Web (Private) and Web (Private-Secure) service classes define HTTP and HTTPS service on the standard private networks of 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, as defined in RFC 1918. These addresses are not routable on the public Internet, and instead are used by most organizations for their private networks. As such, we can assume that the problem of paranoid firewalls will not occur on these networks, and HTTP and HTTPS traffic can be accelerated normally.

The Web (Internet) and Web (Internet-Secure) service classes are for non-private Web traffic and have flow control and compression disabled.

The ordering of the two sets of rules is important; the Private rules need to occur first in the Service Class Policy list.

These rules are not necessary unless Internet traffic passes through a single Appliance. If Internet traffic passes through two Acceleration units (two Appliances or an Appliance and a Plug-in), the Internet rules can be set to the same values as the Private rules, allowing acceleration on all Web traffic.

Traffic Shaping Tab

This tab reiterates the service classes, but with the traffic-shaping policies listed as one line per link, to make it easier to examine or alter per-link policies.

SSL Acceleration

This page consists of five disguised tabs (disguised because they are implemented as buttons). They are:

• Profiles--Allows you to set up server profiles, typically one per endpoint SSL server.

• Manage CA’s--Allows you to upload CA certificates.

• Manage Keys--Upload certificate/key pair.

• Import SSL--Upload an SSL configuration previously saved on the Export SSL tab.

Figure 1. Import SSL Tab

• Export SSL--Save the current SSL configuration to a file.

Figure 2. Export SSL Tab

SSL Encryption

This page has the main password and enable/disable toggles for SSL compression.

• Key Store--For greater security, keys are password-protected. SSL compression will not take place unless the key store is opened with the password. For security reasons, SSL compression is disabled after each restart, until this password is entered. If user data encryption is used, compression is also disabled until this password is entered.

• User Data Store--User data, consisting mostly of disk-based compression history, can optionally be encrypted using AES-256 encryption. Changing the encryption state causes disk-based compression history to be lost. Encrypting the user data protects the contents of the disk-based compression history from being examined if the unit is stolen or removed from service.

• SSL Optimization--The master enable/disable switch for the SSL compression feature.

Figure 1. SSL Encryption Page

Traffic Shaping Policies

The Configuration: Traffic Shaping Policies page allows you to add traffic-shaping policies. The default policies are adequate for most installations and cannot be edited or deleted (except for the ICA Priorities and Default policies). However, if you have special requirements, new policies can be added or edited.

Figure 1. Traffic Shaping Policies Page

Creating and Editing Policies

Pressing the Create button takes you to the Create Policy page, which has the following fields (some of which are hidden by default, but can be revealed with the Show Advanced Options button):

Figure 2. Create Policy Page

• Name--The name of the new policy. Must be unique.

• Weighted Priority--This can be the same as an existing priority value or can be a custom value between 1 and 256. A connection with a priority of 256 will get 256 times the bandwidth share of a connection with a priority of 1.

• Set ICA Priorities--If this policy will be used for Citrix XenApp/XenDesktop traffic, the traffic’s internal priority values can be mapped to CloudBridge priorities.

• Optimize for Voice--If checked, this policy will have effectively infinite priority. This is highly undesirable for most traffic, since it will prevent meaningful traffic shaping and will cause data starvation for other traffic if there is enough “optimized for voice” traffic to fill the link. Use only for VoIP, and always use in conjunction with a bandwidth limit on the policy (for example, 50% of the link speed).

• Set Diffserv/TOS--Sets the Diffserv field of matching traffic to the indicated value, informing downstream routers of the traffic priority.

• Set ICA Diffserv/TOS--As above, but allows the Diffserv field to be set differently depending on the priority field within the ICA data stream. Has no effect on non-ICA traffic.

• Limit Bandwidth--Prevents the traffic from this policy from exceeding a specified percentage of link bandwidth, or a specified absolute rate. Because this limits performance, it is rarely used except with voice traffic.

• Editing policies is essentially identical to creating new ones.

Tuning

This page contains a number of TCP-oriented settings, including which ports are accelerated, TCP window scaling limits, connection timeouts, etc. The individual settings are listed below.

Figure 1. Tuning Page

Note: Unlike the other pages, the buttons on the Tuning page are greyed out until you change a parameter.

Window Settings

There are two tuning settings: the WAN scale limit and the LAN scale limit. These set the TCP scaling option between the two Appliances (See RFC 1323). The default LAN scale limit is 16, corresponding to a 64 KB (2^16 bytes) advertised window. The default WAN scale limit is 23, corresponding to an 8 MB (2^23 bytes) advertised window.

These values rarely need to be changed from their defaults, though in WANs with a very high bandwidth-delay product, the WAN scale limit may need to be increased, while on a WAN with a very low bandwidth-delay product, the WAN scale limit may need to be decreased. The rule of thumb is to have a WAN scale limit that is at least 2-3 times the bandwidth-delay product.

For example, a 200 Mbps link with a 500 ms RTT has a bandwidth-delay product of 100,000,000 bits. Doubling this gives 200,000,000 bits, or 25,000,000 bytes. This is larger than the default 8 MB window. Increasing the WAN scale limit to 23 (2^25 bytes or 32 MB) would accommodate this.

Increasing these limits under other circumstances will not increase performance and will only waste memory.

Connection Timeout

Idle accelerated connections should time out eventually, as they consume system resources. This entry gives the idle time that must elapse before the appliance closes a connection. If the application sends keep-alive packets, these will reset the idle timer. Such connections will never be closed by the connection timeout mechanism.

Some links see thousands of half-closed connections that never become fully closed. These may eventually overflow the appliance’s connection table. The Active Connections page can identify half-closed connections. If the problem cannot be fixed at its source, shortening the idle timeout can eliminate the problem.


Special Ports

When using address translation with the ftp or rshell (rsh/rcp/rexec) protocols, the agent performing the address translation must be protocol-aware. FTP control ports and rshell control ports define which ports are used with these two protocol groups. If you use nonstandard ports for these protocols, adding the port numbers to the special ports list will allow them to work in proxy mode.

Privileged Ephemeral Ports

Ports in this range can be used as ephemeral ports only by specific applications.

Virtual Inline

Virtual inline mode allows a router to send packets to the appliance and receive packets back from it.

There are two slight variations of this forwarding. The first is to forward packets to the default gateway. The second is to forward them to the Ethernet address they came from. Both have the potential to create routing loops. Policy-based routing is required to prevent router loops. See Virtual Inline Mode.

Daisy-Chain

Acceleration takes place between two Appliances. If three or more Appliances are used in series, the link will not be accelerated end-to-end. Instead, the link between Appliances 1 and 2 will be accelerated, but not between Appliances 2 and 3.


Appliances with the Enable Daisy-Chained Units option set will detect when they are in the middle of a chain, and pretend that such connections are non-accelerated. This guarantees that the two endpoint Appliances will both see an accelerated connection.

Daisy-chaining is not recommended for hardboost links.

Peculiarities of Daisy-Chaining

• Daisy-chaining does not need to be enabled except on the middle units.

• The bandwidth graph of the middle unit will display daisy-chained connections as non-accelerated.

• If a middle appliance has its acceleration disabled or restarts, the daisy-chained connections will be reset, just like the ordinary accelerated connections.

TCP Maximum Segment Size (MSS)

This specifies the maximum size of the TCP portion of a packet. This defaults to 1380 bytes. If you have a VPN that encapsulates packets inside another header (as PPTP and IPSec VPNs do), you may need to reduce this to prevent packet fragmentation. Reducing the MSS to 1340 will usually accomplish this.

Both the Default MSS and Maximum MSS fields should always be set to the same value.

Forwarding Loop Prevention

The Forwarding Loop Prevention option allows the same packet to traverse appliances twice without causing trouble. In most deployments, this does not happen, but sometimes it is unavoidable. Passing the same packet through the same appliance multiple times, or through more than one appliance in the same group, can cause problems.


Legacy CIFS Protocol Filtering

Allows specific IP ranges to be either included into or excluded from CIFS acceleration.

Not recommended for new installations.

Generic Settings

This allows any internal Appliance parameter to be set to an arbitrary value. This is generally done only at the request of Support.

For example, the bandwidth limit can be set to 1,000 kbps by putting “SlowSendRate” in the Setting field and “1000 K/S” in the Value field.

You can also query the current setting of a parameter by filling in the Setting field but leaving the Value field blank.

Note: The internal Appliance values are not documented and setting them in this way is not recommended, unless you are advised to do so by Support.


Windows Domain

The Configuration: Appliance Settings: Windows Domain page allows the server-side appliance to join the same Windows Domain as the servers it is accelerating, allowing encrypted MAPI and signed SMB traffic to be accelerated (providing that the client-side appliance has SSL acceleration configured to the point where a secure peer relationship exists between the client-side and server-side appliances).

Figure 1. Windows Domain Page

Joining the domain needs to happen only once, by typing in the domain credentials. (If the domain password changes, this will have to be repeated.)

Demo Mode

In demo mode, the login credentials of a single user are used instead of the domain credentials. This allows the acceleration of encrypted MAPI and signed SMB for that user. This mode is recommended for demonstration and testing only.


System Maintenance Pages

On the System Maintenance pages, you can perform maintenance, update, and troubleshooting tasks on the appliance.


Backup/Restore

System Maintenance: Backup/Restore

Backup Settings/Restore Settings. The unit’s configuration can be saved to a file through your browser. License files, SSH parameters, and the IP addresses on the Management IP page are not saved. Once saved, the file can be restored to the same Appliance. License files, SSH parameters, and IP addresses are not restored. The file is an ordinary text file, but should not be edited manually.

Reset to Factory Defaults. Sets all parameters except IP addresses, bandwidth settings, and licenses to their factory defaults.

Figure 1. System Maintenance: Backup/Restore page


Clear Statistics

System Maintenance: Clear Statistics

The System Maintenance: Clear Statistics page allows you to reset the appliance’s statistics, allowing you to create reports that start at the beginning of the desired sampling window.

Figure 1. System Maintenance: Clear Statistics page


Date/Time

The date and time are set on this page. You can set the date and time manually by updating the time fields with the current time, or use an NTP server by specifying its IP or DNS address. The Zone field allows you to choose a time zone.

The date and time must be accurate (within 10-20 seconds) for the Appliance to join a Windows Domain successfully.

Figure 1. System Maintenance: Date/Time page


Diagnostics

Tracing Tab

Trace files are effective in helping our Technical Support team pinpoint your problem. The appliance provides a certain amount of tracing continuously. The results can be packaged into a ZIP archive if you click Stop Trace. This archive can be downloaded onto your computer, via Retrieve File. Once downloaded, it can be forwarded to Support. Because the trace files are generated continuously, they also provide crash analysis data.

This tab has a large number of tracing parameters, none of which should be touched except at the request of Support.

Figure 1. The Tracing tab

Bypass Card Test Tab

The fail-to-wire (Ethernet bypass) functionality of the Ethernet interface can be tested for a user-selected period with this feature. Enter the number of seconds for the unit to fail-to-wire (bypassing all appliance functionality and causing the unit to act as if it had a cross-over cable between the two ports) and click Submit Query. The bypass relay will close for the specified number of seconds. Afterwards, normal operation will resume.


Figure 2. Bypass Card Test tab

Retrieve Cores Tab

If the appliance software has exited abnormally, core files will have been left behind. The unit will restart automatically after an abnormal exit, except in cases of persistent crashes, where it will disable acceleration while leaving the management interface active.

Figure 3. Retrieve Cores tab

1. Select one or more core files to send to Support. Choose core files based on date and time. That is, a core file that was generated at a time when the unit was failing or behaving strangely is better than one from a period where no one noticed anything wrong. When in doubt, send them all.

2. In the Core Retrieval table, select the check boxes in the left-hand column of the desired core files. Leave the checkboxes for “Retrieve Core,” “Trace,” and “Log” checked and the “Timespan” at 20 minutes. (The “Timespan” field tells the system how far back before the core file was generated to collect log data and similar information.)

3. Click Get Core Files. The selected files will be gathered into a .zip archive (this may take several minutes), and a new screen will be shown.

4. Click on the Click here link. A dialog box will ask you what you want to do with the file. Select “Save File to Disk.” A “Save As..” dialog box will open. Choose an appropriate directory and save the file.


Line Tester Tab

The “Line Test: SERVER” function starts an iperf server on the appliance, running in TCP mode. Iperf is a free TCP/UDP performance testing tool, available for Windows and UNIX systems from:

http://dast.nlanr.net/Projects/Iperf

The documentation for iperf is also on this site. Iperf is preinstalled on appliances as a convenience.

To run iperf tests, one system (an appliance or other host) must run iperf as a server, and another must connect to it as a client. The defaults on the Diagnostics Tools page are the usual defaults for iperf. Click Start Server to start an iperf server on the appliance.

The “Line Test: CLIENT” function starts an iperf client on the unit, running in TCP mode. You specify the iperf server to connect to, the port number, the interface, and the length of the test. For the latter two parameters, the defaults are usually adequate. When the test is complete, the connection speed will be reported.

Figure 4. Line Tester tab

Ping and Traceroute Tabs

The Ping and Traceroute tabs (not shown) allow you to use the standard ping and traceroute utilities to test connectivity to remote systems.

System Info Tab

The System Info tab takes you to a page that lists all parameters that are not set to their defaults. This information is read-only. It is used by Support when some kind of misconfiguration is suspected. When you report a problem, you may be asked to check one or more values on this page.

The information is intended for use by Support, and is not documented.


Figure 5. System Info tab

Diagnostic Data Tab

The Diagnostic Data tab packages data for analysis by Citrix Support. There are two features: tracing and one-button data collection. Use them only at the request of Citrix Support, which will provide you with instructions for which options to set and where to send the resulting data files.

Figure 6. Diagnostic Data tab


Restart System

When you click Restart System the appliance restarts. This process takes several minutes.

Figure 1. System Tools: Restart System page


Update Software

Upgrading to a New Release

The appliance software is upgraded by means of patch files that you obtain from Citrix. The usual source is http://www.MyCitrix.com. Log into MyCitrix (you need a valid service agreement, a login, and a password). Navigate to Downloads: Repeater: Firmware. Select a release and click on Get Firmware to download the release.

Figure 1. System Upgrade Page

To install a patch file, click Browse… on the System Upgrade Page, select the patch file, and upload it to the appliance. This requires that the patch file be on a file system that can be accessed by your browser. (This condition is met automatically if you used the same browser to download the patch in the first place.)

A patch file will be examined by the appliance and will only be installed if it is a valid patch file that will upgrade the system to a different release from the one currently in use.

An upgrade preserves license files and system settings. The upgraded unit requires no reconfiguration except for any new features that have been added with the new release.

Once a patch is installed, a new screen will ask if the unit can be restarted. The patch will not be applied until the unit is restarted. If the user chooses not to restart the system immediately, a reminder will be placed at the top of each page.

The unit may require several minutes longer than usual to restart when it is applying a patch.


Figure 2. Display on a Successful Patch Upload

Downgrading to a Prior Release

You can also revert to any previously installed release by selecting it from the Downgrade Release pull-down menu and clicking Change.

If you are using Repeater disk encryption, the other releases on the unit will be displayed in orange, and the Downgrade Release option is not available unless you first disable disk encryption.

The appliance maintains copies of older releases, and the downgrade process reverts to one of these. Licenses and settings are not copied back from the newer release to the older one. Instead, the unit will revert to the settings that were in effect at the time the older release was upgraded.

Changing the Version Type

The Change Version Type option allows you to select a debug version of the release. Possible debug versions are “Level 1” or “Level 2.” You should not select these unless instructed to do so by Support.


Command Line Reference

You can use the command-line interface (CLI) to access the CloudBridge appliance remotely for interactive or scripted configuration, monitoring, and file transfer.

The CLI uses two access mechanisms: SSH, for interactive and script access, and SFTP, for transferring files into and out of the appliance. Alternatively, RS-232 access is available locally, through a null modem cable.

After accessing the appliance, you can enter commands. Command syntax is straightforward. Numeric fields use decimal values. String fields can include embedded spaces if the string is enclosed in double quotation marks.

SSH Access

To access the CLI through SSH, open an SSH connection to the appliance's management IP address. Following is an example of the login sequence:

ssh [email protected]
Last login: Fri Jun 20 14:50:22 2008 from xx.xx.xx.xx
Login: admin
Password: xxxxxxxx
Command Line Interpreter - Version 1.0
Copyright 2008 Citrix Systems. All Rights Reserved.

(admin)>

Windows systems, by default, do not include an SSH package, so you might need to install a package such as PuTTY. If so, you use "putty" instead of "ssh" to access the appliance.

The logon sequence has two steps:

1. Log on as user cli, which has a null password. You are then prompted to log in with proper credentials for the appliance.

2. Log on as a valid appliance user, typically Admin, but with any user name and password that would work on the appliance’s GUI.

After you log on, all the CLI commands are available.

RS-232 Access

You can use a terminal emulator to log on to a local appliance's CLI through a null modem cable connected to the appliance's RS-232 serial port. Set the terminal emulator to 115,200 baud, 8 data bits, 1 stop bit, no parity. The login procedure is the same as with SSH.


SFTP Access

To allow file transfers to and from the appliance, enable and activate a special account, for which the user name is transfer. This account is disabled by default. To enable it, log on through SSH or RS-232 and enter the following CLI command:

set access -type transfer -password <password>

This command enables the transfer account and sets its password to the password that you specify. Once enabled, the transfer account cannot be disabled. However, you can effectively disable it by using the same command to assign a very long and difficult to remember password.

To activate the transfer account, use the SFTP utility (or an equivalent Windows utility such as PSFTP) to log on to the appliance, with user name transfer and the password that you specified when you enabled the account. Some CLI commands can accept uploaded files as a command argument, or create files for download. After file transfer is enabled, you can use SFTP or an equivalent utility to transfer files. When transferring files, do not use path names on the appliance side of the transfer. Transfer all files into or out of the default directory. File names should contain only the letters a-z and A-Z, the numerals 0-9, and the period and hyphen characters.


CLI Navigation

exit

Syntax: exit

Exits from the CLI. Same as 'quit.'

quit

Syntax: quit

Exits from the CLI. Same as 'exit.'


System Tools

show config-script

Syntax: show config-script [-replicate] [-file “filename”]

Displays the appliance’s current configuration or, optionally, saves the configuration to the file “filename.” This configuration can be reloaded into the same appliance or another appliance.

-replicate omits appliance-specific configuration such as IP addresses, allowing the output of this command to be used more conveniently for configuring multiple appliances.

-file “filename” specifies that the output should be saved to the specified file rather than displayed. No pathname components should be used.

list config-script-files

Syntax: list config-script-files

Displays a list of the saved configuration files on the appliance.

save settings

Syntax: save settings -file “filename”

Saves all parameters to the file specified by “filename”. The file is saved in the “settings” folder on the unit.

restore settings

Syntax: restore settings -file “filename”

Restores all parameters from the file specified by “filename”. The file must be in the “settings” folder on the unit.

Caution: This command takes effect immediately and reboots the appliance, without an “are you sure?” verification.


list settings-files

Syntax: list settings-files

Displays a list of the saved settings files on the appliance.

reset settings

Syntax: reset settings

Equivalent to “Reset to Factory Defaults” in the UI. Sets all parameters except IP addresses and the license file to their factory settings.

Caution: This command takes effect immediately and reboots the appliance, without an “are you sure?” verification.

restart

Syntax: restart

Reboots the appliance.

Caution: This command takes effect immediately, without an “are you sure?” verification.

what

Syntax: what

Reserved for use by Command Center.

show software

Syntax: show software

Lists all of the versions of the software installed on the appliance. One of these will be the running version, while the others are available through the “restore” command (or, on the Web UI, the “Downgrade Release” feature).

verify software

Syntax: verify software -file “filename”

Performs checks on file “filename” to see if it is a complete, uncorrupted software release file.


Note: This command is intended for newly transferred files. Files listed via the “show software” command are known-good files and cannot be checked by this command.

install software

Syntax: install software -file “filename” [-restart]

Installs the software file “filename” and optionally (with the -restart option) restarts the appliance.

Note: This command is intended for newly transferred files. Files listed via the “show software” command are installed via the “restore software” command.

list software-files

Syntax: list software-files

Displays a list of software release files on the appliance.

restore software

Syntax: restore software -version “version”

Reinstalls a previously installed software version. “Version” is the software version string. It must be identical to one of the versions listed by the “show software” command.

Example: restore software -version 4.3.24.1014

set software

Syntax: set software -type {default, level1, level2, defaultmc, level1mc, level2mc}

Selects which version of the binary should be used. “Default” should be used unless Citrix Support recommends otherwise.


Licenses

add local-license

Syntax: add local-license [-name “license-name”] -file “filename”

Installs the license file 'filename.'

-name specifies the license name to be assigned on the system.

-file specifies a previously uploaded license file in the transfer account.

Example: add local-license -name 'new' -file newlicense.txt

list license-files

Syntax: list license-files

Displays a list of license files uploaded to the transfer account.

remove local-license

Syntax: remove local-license -name “license-name”

Removes an installed license.

rename local-license

Syntax: rename local-license -old “old-license-name” -new “new-license-name”

Changes an installed license name.

show license-models

Syntax: show license-models

Displays the list of models needed to acquire a license from the remote license server.

show license

Syntax: show license

Displays the current license server configuration and the licensed features.

show local-license

Syntax: show local-license

Displays the names of all local licenses installed.

set license-server

Syntax: set license-server
-location local

Syntax: set license-server
-location remote
[-model “model name”]
[-ip “ipaddr”]
[-port “port”]

Configures the system to use a local or remote license server.

-model specifies the model name with which to acquire the license. Use the show license-models command to display the list of models.

-ip is the IP address of the remote license server.

-port specifies the remote license server port (default 27000).

Example: set license-server -location remote -model v1000 -ip 192.168.0.1 -port 27000


Security

show user

Syntax: show user [-name “username”]

Lists all the users defined on the appliance, and whether they are administrators or view-only users. If the -name option is specified, only the information about the specified user will be shown.

add user

Syntax: add user
-name “username”
-password “password”
-privilege {admin, viewer}

Defines a new user with the specified username, password, and privilege.

set user

Syntax: set user
-name “username”
-password “password”
-privilege {admin, viewer}

Alters the definition of an existing user with the specified username, allowing a change to the password or privilege level.

remove user

Syntax: remove user -name “username”

Deletes user “username”.

show access

Syntax: show access [-type {radius, tacacs, web, transfer, support}]

Summarizes the settings for the Web UI, for Radius and TACACS+ authentication, for the transfer account, and for the support account, including the enabled ports and options. By default, all five categories are displayed, but a single category can be selected with the -type option.

enable access

Syntax: enable access -type {radius, tacacs, web}

Enables one of: Radius authentication, TACACS+ authentication, or access to the Web UI. Parameters for these features remain at their previous settings.

disable access

Syntax: disable access -type {radius, tacacs, web}

Disables one of: Radius authentication, TACACS+ authentication, or access to the Web UI. Parameters for these features remain at their previous settings.

set access

Syntax: set access
-type radius
[-ip “ipaddr”]
[-port “port”]
[-secret “secret”]

Syntax: set access
-type tacacs
[-ip “ipaddr”]
[-port “port”]
[-secret “secret”]
[-encrypt {enable, disable}]

Syntax: set access
-type web
[-protocol {http, https} -port “port”]
[-forwardhttp {enable, disable}]
[-ssl-cert “certfile” -ssl-key “keyfile”]

Syntax: set access
-type transfer
-password “password”

Syntax: set access
-type support
-password “password”

Configures access parameters. The first two forms enable Radius and TACACS+ authentication, respectively. The third form sets the Web UI parameters. The fourth form sets a password for the “transfer” account, which is used for transferring files. The last form sets a password for the “support” account.

list certificate-files

Syntax: list certificate-files

Displays any uploaded certificate files.


System Status

enable unit

Syntax: enable unit

Enables the unit for traffic shaping and acceleration.

disable unit

Syntax: disable unit

Puts the unit in passthrough mode. No traffic shaping or acceleration is performed.

enable acceleration

Syntax: enable acceleration

Enables flow control and compression.

disable acceleration

Syntax: disable acceleration

Disables flow control and compression.

enable traffic-shaping

Syntax: enable traffic-shaping

Enables quality of service traffic shaping.

disable traffic-shaping

Syntax: disable traffic-shaping

Disables quality of service traffic shaping.

enable ica-multi-stream

Syntax: enable ica-multi-stream

Enables protocol acceleration for ICA multi-stream connections.

disable ica-multi-stream

Syntax: disable ica-multi-stream

Disables protocol acceleration for ICA multi-stream connections.

show system-status

Syntax: show system-status

Displays the same information as the Web UI’s Status page.


Ethernet Configuration

set interface

Syntax: set interface
-adapter {apa.1, apa.2, apb.1, apb.2, primary, aux1}
-speed-duplex {auto, 1000full, 100full, 100half, 10full, 10half}

Sets the speed and duplex parameters for the specified Ethernet port.

show interface

Syntax: show interface [-adapter {apa.1, apa.2, apb.1, apb.2, primary, aux1}]

Displays the Ethernet speed and duplex settings of all Ethernet ports, or, optionally, a single specified port.


Bandwidth Configuration

show bandwidth

Syntax: show bandwidth

Displays the bandwidth limits and other information from the Web UI’s Bandwidth Management page.

set bandwidth

Syntax: set bandwidth
[-mode {hardboost, softboost}]
[-send-limit “kbps”]
[-receive-limit “kbps”]

Sets the bandwidth limits and other bandwidth management settings. These parameters are the same as those on the Web UI’s Bandwidth Management page. The -schedule and -per-remote-unit settings are meaningful only with hardboost. The -min-rate setting is meaningful only with partial bandwidth.


Link Configuration

show links

Syntax: show links [-verbose]

Displays all of the currently defined links. If specified, the -verbose parameter outputs a detailed listing of the settings for each link being displayed.

show link

Syntax: show link -name “name”

Displays a detailed listing of the settings for the link specified by the name parameter.

rename link

Syntax: rename link -old “oldname” -new “newname”

Renames the specified link.

remove link

Syntax: remove link {-all, -name “name”}

Deletes either the named link or all links.

remove link-filter

Syntax: remove link-filter
-link “name”
{-all, -filter-position “number”}

Removes either all link filters for the specified link or the filter at the position specified by 'number'.

Valid filter positions range from 1 to N (where N is the number of filters in the current list).

move link

Syntax: move link
-name “name”
{ -direction {up, down} -count “count”, -position {bottom, top, “number”} }

Moves the named link either relative to the current position (using the direction parameter) or absolutely (using the position parameter).

Valid integer positions range from 1 to N (where N is the number of links in the current list).

add link

Syntax: add link
[-position {bottom, top, “number”}]
-name “name”
-type {LAN, WAN}
-max-in-bandwidth “rate” [{bps, kbps, mbps, gbps}]
-max-out-bandwidth “rate” [{bps, kbps, mbps, gbps}]
{-match-all-traffic, “filter-criteria-list”}

where “filter-criteria-list” is

[-adapters ([-exclude] “adapter-name”),...]
[-source-ips ([-exclude] “ip”),...]
[-destination-ips ([-exclude] “ip”),...]
[-vlans ([-exclude] “vlan”),...]
[-wccp-service-groups ([-exclude] “id”),...]
[-source-macs ([-exclude] “mac”),...]
[-destination-macs ([-exclude] “mac”),...]

Creates a new link with the specified name, type, bandwidth rates and a single filter rule which can be either a “match all traffic” type rule or a rule based upon the criteria specified for adapters, source-ips, destination-ips, VLANs, WCCP service groups, source macs and destination macs. Double quotes can be used as delimiters for the link name (which may contain spaces).

If no position parameter is specified, the new link will be inserted at the top of the current list of links. Valid position arguments are “top”, “bottom” or a number in the range from 1 to N (where N is the number of links in the current list). To add an entry to the bottom of the list specify “bottom”.


The units for the bandwidth rate will default to mbps if nothing is specified. Bandwidth rates must be at least “56 kbps” and cannot exceed “1 Gbps”. If the “match all traffic” filter rule is not specified, then at least one filter criteria option must be specified.

VLANs are specified by VLAN group numbers which range from 1 to 4094. WCCP service group values range from 51 to 99. MAC addresses should be entered as 2-digit hex terms separated by “-” characters, for example, “00-0C-F1-56-98-AD”.
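When `add link` commands are generated by a script and sent over SSH, checking the arguments against the limits above before they reach the appliance keeps a malformed or hostile value (for instance a link name carrying a quote or a newline) from turning into a different command. The following Python pre-flight builder is an added example, not Citrix code; the function names, the comma-joined list rendering without spaces, and the decision to leave out -exclude items, adapters and IP filters are assumptions of this example.

```python
import re

# Limits taken from the add link description above.
UNIT_BPS = {"bps": 1, "kbps": 1_000, "mbps": 1_000_000, "gbps": 1_000_000_000}
MIN_BPS, MAX_BPS = 56_000, 1_000_000_000      # "56 kbps" .. "1 Gbps"
VLAN_RANGE, WCCP_RANGE = (1, 4094), (51, 99)
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}")


class LinkConfigError(ValueError):
    """A parameter is outside the documented limits or unsafe to script."""


def _name(value):
    # Names may contain spaces when double-quoted. Refuse quotes and control
    # characters so a name cannot close the string or start a second CLI line.
    if (not isinstance(value, str) or not value or '"' in value
            or any(ord(c) < 32 or ord(c) == 127 for c in value)):
        raise LinkConfigError(f"unsafe link name: {value!r}")
    return f'"{value}"'


def _rate(rate, unit):
    unit = unit.lower()
    if unit not in UNIT_BPS:
        raise LinkConfigError(f"unknown bandwidth unit: {unit!r}")
    if isinstance(rate, bool) or not isinstance(rate, int) or rate <= 0:
        raise LinkConfigError(f"rate must be a positive decimal integer: {rate!r}")
    if not MIN_BPS <= rate * UNIT_BPS[unit] <= MAX_BPS:
        raise LinkConfigError(f"{rate} {unit} is outside 56 kbps .. 1 Gbps")
    return f"{rate} {unit}"


def _int_list(values, bounds, label):
    low, high = bounds
    for v in values:
        if isinstance(v, bool) or not isinstance(v, int) or not low <= v <= high:
            raise LinkConfigError(f"{label} {v!r} is outside {low}..{high}")
    return ",".join(str(v) for v in values)


def _mac_list(values):
    for mac in values:
        if not isinstance(mac, str) or not MAC_RE.fullmatch(mac):
            raise LinkConfigError(f"MAC must look like 00-0C-F1-56-98-AD: {mac!r}")
    return ",".join(values)


def _position(value):
    if value in ("top", "bottom"):
        return value
    if isinstance(value, int) and not isinstance(value, bool) and value >= 1:
        return str(value)  # the upper bound N is only known on the appliance
    raise LinkConfigError(f"position must be top, bottom or >= 1: {value!r}")


def build_add_link(name, link_type, max_in, max_out, *, unit="mbps",
                   position=None, match_all=False, vlans=(), wccp_groups=(),
                   source_macs=(), destination_macs=()):
    """Return one validated `add link` command line, or raise LinkConfigError."""
    if link_type not in ("LAN", "WAN"):
        raise LinkConfigError(f"type must be LAN or WAN: {link_type!r}")
    parts = ["add link"]
    if position is not None:
        parts += ["-position", _position(position)]
    parts += ["-name", _name(name), "-type", link_type,
              "-max-in-bandwidth", _rate(max_in, unit),
              "-max-out-bandwidth", _rate(max_out, unit)]
    filters = []
    if vlans:
        filters += ["-vlans", _int_list(vlans, VLAN_RANGE, "VLAN")]
    if wccp_groups:
        filters += ["-wccp-service-groups",
                    _int_list(wccp_groups, WCCP_RANGE, "WCCP group")]
    if source_macs:
        filters += ["-source-macs", _mac_list(source_macs)]
    if destination_macs:
        filters += ["-destination-macs", _mac_list(destination_macs)]
    # Exactly one of: the match-all rule, or at least one filter criterion.
    if bool(match_all) == bool(filters):
        raise LinkConfigError("give either match_all or at least one filter")
    parts += ["-match-all-traffic"] if match_all else filters
    return " ".join(parts)


def check(*args, **kwargs):
    """Return (command, None) on success or (None, reason) on rejection."""
    try:
        return build_add_link(*args, **kwargs), None
    except LinkConfigError as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real deployment.
    print(check("HQ WAN", "WAN", 10, 10, match_all=True))
    print(check("lab", "LAN", 100, 100, position="bottom", vlans=[10, 4095]))
```

A rejected request returns the reason instead of a command, so a deployment script can log it and skip the SSH session for that appliance.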

add link-filterSyntax: add link-filter

-link “name”[-filter-position {bottom, top, “number”}][-adapters ([-exclude] “adapter-name”),...][-source-ips ([-exclude] “ip”),...][-destination-ips ([-exclude] “ip”),...][-vlans ([-exclude] “vlan”),...][-wccp-service-groups ([-exclude] “id”),...][-source-macs ([-exclude] “mac”),...][-destination-macs ([-exclude] “mac”),...]

Creates a new link filter in the link specified by the name parameter. If no filter positionparameter is specified, the new filter will be inserted at the bottom of the current list offilters. If a filter position is specified, then the new filter will be inserted at that position inthe list. Valid integer positions range from 1 to N (where N is the number of filters in thelist).

For the adapters, source-ips, destination-ips, VLANs, WCCP-service-groups, source-macs,and destination-macs parameters, if a setting is not provided, then any value for thesefields will be considered a match. All of these parameters provide the ability to specify acomma separated list of items. Each item may indicate that instead of a match operationon the item being performed that an exclude operation is done instead.

VLANs are specified by VLAN group numbers which range from 1 to 4094. WCCP servicegroup values range from 51 to 99. MAC addresses should be entered as 2 digit hex termsseparated by “-”’s, for example, “00-0C-F1-56-98-AD”.

set link

Syntax: set link

-name “name”
[-type {LAN, WAN}]
[-max-in-bandwidth “rate” [{bps, kbps, mbps, gbps}]]
[-max-out-bandwidth “rate” [{bps, kbps, mbps, gbps}]]

Changes the definition of an existing link. Double quotes can be used as delimiters for the link name (which may contain spaces). At least one of the link attributes must be set.

The units for the bandwidth rate will default to mbps if nothing is specified. Bandwidth rates must be at least “56 kbps” and cannot exceed “1 Gbps”.

set link-filter

Syntax: set link-filter

-link “name”
-filter-position “number”
{-match-all-traffic, “filter-criteria-list”}

where “filter-criteria-list” is

[-adapters {match-all, ([-exclude] “adapter-name”),...}]
[-source-ips {match-all, ([-exclude] “ip”),...}]
[-destination-ips {match-all, ([-exclude] “ip”),...}]
[-vlans {match-all, ([-exclude] “vlan”),...}]
[-wccp-service-groups {match-all, ([-exclude] “id”),...}]
[-source-macs {match-all, ([-exclude] “mac”),...}]
[-destination-macs {match-all, ([-exclude] “mac”),...}]

Changes the definition of the existing link filter specified by the name and filter-position parameters. Multiple filter settings may be changed at once and the other settings will be left unchanged. At least one of the link filter attributes must be set. Valid filter positions range from 1 to N (where N is the number of filters in the list).

VLANs are specified by VLAN group numbers, which range from 1 to 4094. WCCP service group values range from 51 to 99. MAC addresses should be entered as 2-digit hex terms separated by “-” characters, for example, “00-0C-F1-56-98-AD”.
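The limits stated for the link and link-filter commands (bandwidth from 56 kbps to 1 Gbps with mbps as the default unit, VLAN groups 1 to 4094, WCCP service groups 51 to 99, MAC addresses as six “-”-separated hex pairs) can be checked before a change is pushed to an appliance. The Python below is an added example, not Citrix code; the function names and the way a typed list such as `10, -exclude 20` is split into items are assumptions made for illustration.

```python
import re
from decimal import Decimal, InvalidOperation

# Limits as documented in this section.
UNIT_BPS = {"bps": 1, "kbps": 10**3, "mbps": 10**6, "gbps": 10**9}
MIN_RATE_BPS = 56 * UNIT_BPS["kbps"]   # "must be at least 56 kbps"
MAX_RATE_BPS = 1 * UNIT_BPS["gbps"]    # "cannot exceed 1 Gbps"
VLAN_RANGE = range(1, 4095)            # 1..4094
WCCP_RANGE = range(51, 100)            # 51..99
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}")

# Criteria accepted by add/set link-filter. None means this section documents
# no value range, so items are only checked for being non-empty.
CRITERIA = {
    "adapters": None,
    "source-ips": None,
    "destination-ips": None,
    "vlans": VLAN_RANGE,
    "wccp-service-groups": WCCP_RANGE,
    "source-macs": MAC_RE,
    "destination-macs": MAC_RE,
}


def bandwidth_bps(rate, unit=None):
    """Convert a -max-in/-max-out-bandwidth value to bit/s and range-check it."""
    unit = (unit or "mbps").lower()    # documented default unit
    if unit not in UNIT_BPS:
        raise ValueError(f"unknown unit {unit!r}")
    try:
        bps = Decimal(str(rate)) * UNIT_BPS[unit]
    except InvalidOperation:
        raise ValueError(f"rate {rate!r} is not a number") from None
    if not bps.is_finite() or not MIN_RATE_BPS <= bps <= MAX_RATE_BPS:
        raise ValueError(f"{rate} {unit} is outside 56 kbps..1 Gbps")
    return int(bps)


def parse_items(text):
    """Split a comma-separated criteria value into (exclude, item) pairs.

    Assumption: an excluded item is typed as '-exclude <item>'.
    """
    pairs = []
    for raw in text.split(","):
        words = raw.split()
        exclude = bool(words) and words[0] == "-exclude"
        item = " ".join(words[1:] if exclude else words).strip('"')
        pairs.append((exclude, item))
    return pairs


def check_link_filter(criteria):
    """Return a list of problems for a dict of option name -> typed value."""
    problems = []
    for option, text in criteria.items():
        if option not in CRITERIA:
            problems.append(f"-{option}: not a link-filter criterion")
            continue
        rule = CRITERIA[option]
        # Excluded items obey the same value ranges as matched items.
        for _, item in parse_items(text):
            if not item:
                problems.append(f"-{option}: empty item")
            elif isinstance(rule, range):
                if not (item.isascii() and item.isdigit() and int(item) in rule):
                    problems.append(
                        f"-{option}: {item} outside {rule[0]}..{rule[-1]}")
            elif rule is not None and not rule.fullmatch(item):
                problems.append(f"-{option}: {item} is not XX-XX-XX-XX-XX-XX hex")
    return problems


if __name__ == "__main__":
    # Constructed input: one out-of-range VLAN, one out-of-range WCCP group,
    # one MAC address written with colons instead of hyphens.
    constructed = {
        "vlans": "10, -exclude 4095",
        "wccp-service-groups": "50",
        "source-macs": "00-0C-F1-56-98-AD, 00:0C:F1:56:98:AD",
    }
    for problem in check_link_filter(constructed):
        print(problem)
    print(bandwidth_bps("10"))  # no unit given, so mbps is assumed
```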

Service Class Configuration

show service-classes

Syntax: show service-classes

[{-modified-only, -names “name”,...}]
[-verbose]

Displays either all the currently defined service classes, only the modified ones, or only the ones with names that have been requested. If specified, the verbose parameter outputs a detailed listing of the settings for each service class being displayed.

show service-class

Syntax: show service-class

-name “name”

Displays a detailed listing of the settings for the service class specified by the name parameter.

enable service-class

Syntax: enable service-class

-name “name”

Enables the service class specified by the name parameter. By default, newly created service classes are disabled so that filter rules can be added.

disable service-class

Syntax: disable service-class

-name “name”

Disables the service class specified by the name parameter. Disabled service classes will not match any connections and therefore will not provide any acceleration.

rename service-class

Syntax: rename service-class

-old “oldname”
-new “newname”

Renames the specified service class.

remove service-class

Syntax: remove service-class

{-all, -name “name”}

Deletes either the named service class or all service classes.

remove service-class-filter

Syntax: remove service-class-filter

-service-class “name”
{-all, -filter-position “number”}

Removes either all filters for the specified service class or the filter at the position specified by “number”.

Valid filter positions range from 1 to N (where N is the number of filters in the list).

move service-class

Syntax: move service-class

-name “name”
{ -direction {up, down} -count “count”, -position {bottom, top, “number”} }

Moves the named service class either relative to the current position (using the direction parameter) or absolutely (using the position parameter).

Valid integer positions range from 1 to N (where N is the number of service classes in the list).

add service-class

Syntax: add service-class

[-position {bottom, top, “number”}]
-name “name”
-acceleration {disk, flow-control, memory, none}
-traffic-shaping-policy {default, “policy-name”}
[-per-link-policies (“link-name” “policy-name”),...]

Creates a new service class with the specified acceleration type and traffic shaping policy. Double quotes can be used as delimiters for the service class name (which may contain spaces). A newly added service class will always be created in a disabled state and must have at least one service class filter added to it before it can be enabled.

If no position parameter is specified, the new service class will be inserted at the top of the current list of service classes. Valid integer positions range from 1 to N (where N is the number of service classes in the list).

The specified traffic shaping policy will be used for this service class on all links. Per-link traffic shaping policies only need to be specified for links which have a traffic shaping policy that is different for this service class than the policy specified by the “-traffic-shaping-policy” setting.

add service-class-filter

Syntax: add service-class-filter

-service-class “name”
[-filter-position {bottom, top, “number”}]
[-bidirectional {enable, disable}]
[-applications ([-exclude] “name”),...]
[-source-ips ([-exclude] “ip”),...]
[-destination-ips ([-exclude] “ip”),...]
[-diffserv-dscps ([-exclude] “dscp”),...]
[-vlans ([-exclude] “vlan”),...]
[-ssl-profiles ([-exclude] “profile”),...]

Creates a new service class filter in the service class specified. If no filter position parameter is specified, the new filter will be inserted at the bottom of the current list of filters. If a filter position is specified, then the new filter will be inserted at that position in the list. Valid integer positions range from 1 to N (where N is the number of filters in the list).

If the bi-directional parameter is enabled, then the filter will also match connection setup messages that have a source IP address that matches the filter’s destination-ips setting and a destination IP address that matches the filter’s source-ips setting. Please note that this setting only applies to which connections can be accelerated; it does not apply to traffic shaping.

For the applications, source-ips, destination-ips, diffserv-dscps and vlans parameters, if a setting is not provided, then any value for these fields will be considered a match.

All of these parameters accept a comma-separated list of items. Each item may specify that an exclude operation be performed on it instead of a match operation.

Valid DiffServ DSCP values range from 0 to 63. VLANs are specified by VLAN group numbers, which range from 1 to 4094. SSL profile names which are specified must already be configured in the system or they will be rejected.

At least one SSL profile name must be configured in the ssl-profiles parameter for SSL connections to be matched.
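The effect of -bidirectional on which connection setup messages a filter accepts is easiest to review on concrete addresses, because enabling it widens the set of accelerated connections to those initiated from the destination side. The Python below is an added example, not Citrix code: the class and function names are hypothetical, the addresses are constructed, and it assumes that an excluded subnet always vetoes a match while the remaining items act as an allow list.

```python
import ipaddress
from dataclasses import dataclass, field


def ip_field_matches(items, address):
    """Evaluate one -source-ips / -destination-ips setting against an address.

    items is a list of (exclude, subnet) pairs. An empty list means the
    setting was not provided, which the documentation defines as matching
    any value. Assumption: excluded subnets veto, other items allow.
    """
    if not items:
        return True
    ip = ipaddress.ip_address(address)
    included = [ipaddress.ip_network(s) for ex, s in items if not ex]
    excluded = [ipaddress.ip_network(s) for ex, s in items if ex]
    if any(ip in net for net in excluded):
        return False
    return not included or any(ip in net for net in included)


@dataclass
class ServiceClassFilter:
    source_ips: list = field(default_factory=list)
    destination_ips: list = field(default_factory=list)
    bidirectional: bool = False

    def match_direction(self, src, dst):
        """Return 'forward', 'reverse' or None for a connection setup message."""
        if (ip_field_matches(self.source_ips, src)
                and ip_field_matches(self.destination_ips, dst)):
            return "forward"
        # -bidirectional enable: also accept the message when its source
        # matches destination-ips and its destination matches source-ips.
        if (self.bidirectional
                and ip_field_matches(self.destination_ips, src)
                and ip_field_matches(self.source_ips, dst)):
            return "reverse"
        return None


# Constructed filter: branch subnet with one excluded /24, one server subnet.
SOURCE_IPS = [(False, "10.1.0.0/16"), (True, "10.1.9.0/24")]
DESTINATION_IPS = [(False, "192.0.2.0/24")]

# Constructed connection setup messages as (source, destination).
CONNECTIONS = [
    ("10.1.2.3", "192.0.2.10"),    # branch client to server
    ("192.0.2.10", "10.1.2.3"),    # same pair, initiated by the server
    ("10.1.9.5", "192.0.2.10"),    # client inside the excluded subnet
    ("192.0.2.10", "10.1.9.5"),    # reversed, excluded subnet as destination
    ("172.16.0.1", "192.0.2.10"),  # source outside source-ips
]


def compare_bidirectional(connections=CONNECTIONS):
    """Return rows of (src, dst, result when disabled, result when enabled)."""
    one_way = ServiceClassFilter(SOURCE_IPS, DESTINATION_IPS, bidirectional=False)
    two_way = ServiceClassFilter(SOURCE_IPS, DESTINATION_IPS, bidirectional=True)
    return [(s, d, one_way.match_direction(s, d), two_way.match_direction(s, d))
            for s, d in connections]


if __name__ == "__main__":
    for src, dst, disabled, enabled in compare_bidirectional():
        print(f"{src:>12} -> {dst:<12} disable={disabled} enable={enabled}")
```

Only the server-initiated connection changes result between the two settings; the excluded subnet stays unmatched in both directions.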

set service-class

Syntax: set service-class

-name “name”
[-acceleration {disk, flow-control, memory, none}]
[-traffic-shaping-policy {default, “policy”}]
[-per-link-policies (“link-name” “policy-name”),...]

Changes the definition of an existing service class. Double quotes can be used as delimiters for the service class name (which may contain spaces). At least one of the service class attributes must be set.

The specified traffic shaping policy will be used for this service class on all links. Per-link traffic shaping policies only need to be specified for links which have a traffic shaping policy that is different for this service class than the policy specified by the “-traffic-shaping-policy” setting.

set service-class-filter

Syntax: set service-class-filter

-service-class “name”
-filter-position “number”
{-match-all-traffic, “filter-criteria-list”}

where “filter-criteria-list” is

[-bidirectional {enable, disable}]
[-applications {match-all, ([-exclude] “name”),...}]
[-source-ips {match-all, ([-exclude] “ip”),...}]
[-destination-ips {match-all, ([-exclude] “ip”),...}]
[-diffserv-dscps {match-all, ([-exclude] “dscp”),...}]
[-vlans {match-all, ([-exclude] “vlan”),...}]
[-ssl-profiles {disable, ([-exclude] “profile”),...}]

Changes the definition of the existing service class filter rule specified by the name and filter-position parameters. Valid filter positions range from 1 to N (where N is the number of filters in the current list).

Multiple filter settings may be changed at once and the other settings will be left unchanged. At least one of the service class filter attributes must be set.

If the bi-directional parameter is enabled, then the filter will also match connection setup messages that have a source IP address that matches the filter’s destination-ips setting and a destination IP address that matches the filter’s source-ips setting. Please note that this setting only applies to which connections can be accelerated; it does not apply to traffic shaping.

Valid DiffServ DSCP values range from 0 to 63. VLANs are specified by VLAN group numbers, which range from 1 to 4094. SSL profile names which are specified must already be configured in the system or they will be rejected.

Traffic Shaping Configuration

show traffic-shaping-policies

Syntax: show traffic-shaping-policies

Displays the summary list of traffic shaping policies.

show traffic-shaping-policy

Syntax: show traffic-shaping-policy

{-all, -id “id”, -name “name”}

Displays detailed information for one or all traffic shaping policies.

add traffic-shaping-policy

Syntax: add traffic-shaping-policy

-name “name”
-priority “integer”
[-ica-realtime-priority “integer”]
[-ica-interactive-priority “integer”]
[-ica-bulk-transfer-priority “integer”]
[-ica-background-priority “integer”]
[-optimize-voice {enable, disable}]
[-diffserv {“integer”, disabled}]
[-ica-realtime-diffserv {“integer”, disabled}]
[-ica-interactive-diffserv {“integer”, disabled}]
[-ica-bulk-transfer-diffserv {“integer”, disabled}]
[-ica-background-diffserv {“integer”, disabled}]
[-limit-bandwidth {by-percent, by-rate} -max-in “integer” -max-out “integer”]

Adds a new traffic shaping policy. Double quotes can be used as delimiters for the name (which may contain spaces).

Valid priority values range from 1 to 256. DiffServ values are specified by DSCP codes, which range from 0 to 63. Bandwidth may be limited by percent, which can range from 1 to 99, or by kbps rate, which can range from 56 to 1000000.

set traffic-shaping-policy

Syntax: set traffic-shaping-policy

-name “name”
-priority “integer”
[-ica-priorities {enable, disable}]
[-ica-realtime-priority “integer”]
[-ica-interactive-priority “integer”]
[-ica-bulk-transfer-priority “integer”]
[-ica-background-priority “integer”]
[-optimize-voice {enable, disable}]
[-diffserv {“integer”, disabled}]
[-ica-diffserv {enable, disable}]
[-ica-realtime-diffserv {“integer”, disabled}]
[-ica-interactive-diffserv {“integer”, disabled}]
[-ica-bulk-transfer-diffserv {“integer”, disabled}]
[-ica-background-diffserv {“integer”, disabled}]
[-limit-bandwidth {by-percent, by-rate} -max-in “integer” -max-out “integer”]

Modifies an existing traffic shaping policy. Double quotes can be used as delimiters for the name (which may contain spaces).

Valid priority values range from 1 to 256. DiffServ values are specified by DSCP codes, which range from 0 to 63. Bandwidth may be limited by percent, which can range from 1 to 99, or by kbps rate, which can range from 56 to 1000000.

rename traffic-shaping-policy

Syntax: rename traffic-shaping-policy

-old “oldname”
-new “newname”

Renames the specified traffic shaping policy.

remove traffic-shaping-policy

Syntax: remove traffic-shaping-policy

{-all, -name “name”}

Removes one or all traffic shaping policies. Some traffic shaping policies (e.g. Default Traffic Shaping Policy) are not permitted to be removed.

clear traffic-shaping-policy-stats

Syntax: clear traffic-shaping-policy-stats

Resets all traffic shaping policy performance counters.

SNMP Configuration

show snmp

Syntax: show snmp

Reports the enabled/disabled status of the SNMP feature.

enable snmp

Syntax: enable snmp

Enables the SNMP feature.

disable snmp

Syntax: disable snmp

Disables the SNMP feature.

show snmp-system-mib

Syntax: show snmp-system-mib

Displays the current name, location, contact, and authentication failure trap settings.

set snmp-system-mib

Syntax: set snmp-system-mib

[-name “name”]
[-location “location”]
[-contact “name”]
[-auth-fail-trap {enable, disable}]

Sets the SNMP name of the appliance, its location, the contact person’s name, and whether to enable authentication failure traps. Double quotes can be used as delimiters for string fields (which may contain spaces).

show snmp-manager

Syntax: show snmp-manager

[-id “id”]

Displays the current SNMP manager entries. If -id is specified, only that SNMP manager is displayed.

add snmp-manager

Syntax: add snmp-manager

-community “name”
-ip “addr”
[-netmask {0, 4, 8, 12, 16, 20, 24, 28, 32}]

Enables access to SNMP functions by remote systems on the specified subnets and with the specified community name. Double quotes can be used as delimiters for string fields (which may contain spaces).

remove snmp-manager

Syntax: remove snmp-manager

{-all, -id “number”}

Syntax: remove snmp-manager

-community “name”
-ip “addr”
[-netmask {0, 4, 8, 12, 16, 20, 24, 28, 32}]

Removes the specified SNMP manager entry, or all SNMP manager entries. Double quotes can be used as delimiters for string fields (which may contain spaces).

show snmp-trapdest

Syntax: show snmp-trapdest

-id “id”

Displays the SNMP trap destination entry at position “id.”

add snmp-trapdest

Syntax: add snmp-trapdest

-name “name”
-ip “addr”
[-port “port”]
[-version {v1, v2c}]

Adds a new SNMP trap destination. Double quotes can be used as delimiters for string fields (which may contain spaces).

remove snmp-trapdest

Syntax: remove snmp-trapdest

{-all, -name “name”, -id “id”}

Removes the SNMP trap destination defined by name or ID, or all SNMP trap destinations. Double quotes can be used as delimiters for string fields (which may contain spaces).

Alert Configuration

show alert-configuration

Syntax: show alert-configuration

[-name “alertname”]

Syntax: show alert-configuration

-retention

Displays the settings of the Alert system, or optionally of a single, named Alert. Equivalent to the information on the Alert Configuration page. With -retention, the Alert Retention Time is displayed.

set alert-configuration

Syntax: set alert-configuration

{-retention “seconds”, -verbose {enable, disable}}

Syntax: set alert-configuration

-name “name”
-level {alerted, logged, disable, default}
[-threshold “integer”]

Sets parameters for individual, named Alerts, or sets global parameters. Equivalent to the Alert Configuration page. The -retention option sets the alert timeout value in seconds, while the -verbose option allows verbose or non-verbose reporting to be selected. The -threshold option is used to specify alerting thresholds. Not all alerts support a threshold.

reset alert-configuration

Syntax: reset alert-configuration

Sets all Alerts to factory defaults.

clear application-counters

Syntax: clear application-counters

Resets all application performance counters.

show applications

Syntax: show applications

This command shows the list of configured applications.

show application

Syntax: show application

This command shows the configuration information of the selected application. The parameter -id selects the application listed on the show applications output.

add application

Syntax: add application

-name “name”
[-description “description”]
[-group “application group”]
[-classification-type “ethertype, ica-published-app, ip, tcp, udp, web-address”]
[-classification-parameters “classification parameters”]

This command creates a new application.

rename application

Syntax: rename application

-old “old-application-name”
-new “new-application-name”

This command changes the application name.

remove application

Syntax: remove application

{-all, -name “name”}

This command removes the configured application.

set application

Syntax: set application

-name “name”
[-description “description”]
[-group “application group”]
[-classification-type “ethertype, ica-published-app, ip, tcp, udp, web-address”]
[-classification-parameters “classification parameters”]

This command changes the configuration of an application.

WCCP Configuration

show wccp

Syntax: show wccp

[-id “id”]

Displays the current settings for all WCCP service groups, or optionally only for the service group specified with -id.

enable wccp

Syntax: enable wccp

Global WCCP enable. Not effective unless acceleration is enabled and at least one WCCP service group is defined.

disable wccp

Syntax: disable wccp

Global WCCP disable.

add wccp

Adds a new WCCP service-group definition. The parameters are the same as those on the WCCP Configuration page on the Web UI.

Syntax: add wccp

-id “id”
[-accelerated-pair {apa, apb}]
-router-communication unicast
-address “addr1[,...,addrN]”
[-router-assignment {hash, mask, auto}]
[-router-forwarding {auto, gre, level-2}]
[-state {enable, disable}]
[-priority “number”]
[-protocol {tcp, udp}]

Syntax: add wccp

-id “id”
[-accelerated-pair {apa, apb}]
-router-communication multicast
-address “addr”
[-router-assignment {hash, mask, auto}]
[-router-forwarding {auto, gre, level-2}]
[-router-return {auto, gre, level-2}]
[-time-to-live “number”]
[-state {enable, disable}]
[-priority “number”]
[-protocol {tcp, udp}]

Default values for the optional parameters are as follows:

-accelerated-pair = apa
-router-assignment = hash
-router-forwarding = auto
-router-return = auto
-time-to-live = 1
-state = enable
-priority = 0
-protocol = tcp

set wccp

Syntax: set wccp

-id “id”
[-accelerated-pair {apa, apb}]
[-router-communication unicast -address “addr1[,...,addrN]”]
[-router-assignment {hash, mask, auto}]
[-router-forwarding {auto, gre, level-2}]
[-state {enable, disable}]
[-priority “number”]
[-protocol {tcp, udp}]

Syntax: set wccp

-id “id”
[-accelerated-pair {apa, apb}]
[-router-communication multicast -address “addr”]
[-router-assignment {hash, mask, auto}]
[-router-forwarding {auto, gre, level-2}]
[-router-return {auto, gre, level-2}]
[-time-to-live “number”]
[-state {enable, disable}]
[-priority “number”]
[-protocol {tcp, udp}]

Alters an existing WCCP service-group definition. The parameters are the same as those on the WCCP Configuration page on the Web UI.

remove wccp

Syntax: remove wccp

{-all, -id “num”}

Deletes all WCCP service groups or (with -id) only the specified service group number.

Logging

show syslog

Syntax: show syslog

Displays the current syslog parameters.

set syslog

Syntax: set syslog

-ip “addr”
[-port “port”]

Sets the IP address of the syslog server, and optionally the port number.

enable syslog

Syntax: enable syslog

Enables syslog logging.

disable syslog

Syntax: disable syslog

Disables syslog logging.

show log

Syntax: show log

[-stats]
[-options]

Shows the current logfile configurations and disk usage statistics. With -stats, only the usage statistics are shown. With -options, only the configuration is shown. The information here is equivalent to the Log Configuration page in the Web UI.

set log

Syntax: set log

[-max-size “megabytes”]
[-display-lines “lines”]
[-max-export-lines “lines”]
[-system {enable, disable}]
[-adapter {enable, disable}]
[-flow {enable, disable}]
[-connection {enable, disable}]
[-openclose {enable, disable}]
[-text {enable, disable}]
[-alert {enable, disable}]

Sets the display parameters for the View Logs page. The settings here correspond to those on the Configure Logs page.

extract log

Syntax: extract log

-by-record
-from “number”
-to “number”
-records “number”
-format {text, xml}
-type {system, adapter, slow-flow, fast-flow, flow, connection, open, close, open-close, text, alert, all}
-eol {lf, crlf, cr}
[-file filename]

Syntax: extract log

-by-datetime
-from “yyyy-mm-dd” [“hh:mm[:ss]”]
-to “yyyy-mm-dd” [“hh:mm[:ss]”]
-records “number”
-format {text, xml}
-type {system, adapter, slow-flow, fast-flow, flow, connection, open, close, open-close, text, alert, all}
-eol {lf, crlf, cr}
[-file “filename”]

Extracts the selected records to file “filename.” This command has the same parameters as that on the View Logs page on the Web UI.

clear logs

Syntax: clear logs

Removes all log records, similar to the “Remove All Log Records” button in the Web UI.

list log-extracted-files

Syntax: list log-extracted-files

Displays a list of log files saved by the “extract log” command.

Proxy Configuration

show proxy

Syntax: show proxy

Displays the current proxy definitions.

add proxy

Syntax: add proxy

-local “local vipaddr”
-target {“target ipaddr”, “host”}
[-description “description”]

Adds a new proxy definition. This command has the same parameters as that on the Proxy page on the Web UI.

remove proxy

Syntax: remove proxy

{-all, -local “vipaddr”}

Removes a proxy definition. -local specifies which proxy definition to remove. -all specifies that all proxy definitions should be removed.

Client Configuration

show client-rule

Syntax: show client-rule

[-id “id”]

Displays a client acceleration rule. If -id is omitted, all client rules are displayed.

add client-rule

Syntax: add client-rule

-type {accelerate, exclude}
-subnet {*, “subnet”}
-ports {*, “port-range”}

Adds a client acceleration rule. This command has the same parameters as those on the Client Acceleration Rules page of the Web UI.

remove client-rule

Syntax: remove client-rule

{-all, -id “id”}

Removes a client acceleration rule. -id specifies which rule to remove. -all specifies that all rules should be removed.

show signaling-channel

Syntax: show signaling-channel

Displays the Client Signaling Channel options.

enable signaling-channel

Syntax: enable signaling-channel

Enables the Client Signaling Channel.

disable signaling-channel

Syntax: disable signaling-channel

Disables the Client Signaling Channel.

set signaling-channel

Syntax: set signaling-channel

[-ip “ipaddr”]
[-port “port”]
[-mode {redirector, transparent}]

Sets the Client Signaling Channel options. This command has the same parameters as those on the Client Signaling Channel Configuration page of the Web UI.

show client-settings

Syntax: show client-settings

Displays the Client General Configuration options.

set client-settings

Syntax: set client-settings

[-upgrade-notify {enable, disable}]
[-upgrade-url “url”]
[-diag-ftp-server “server”]
[-diag-ftp-port “port”]
[-diag-ftp-user “user”]
[-diag-ftp-password “password”]
[-diag-ftp-directory “directory”]
[-diag-email “email”]
[-diag-popups {enable, disable}]
[-diag-uploads {enable, disable}]

Sets the Client General Configuration options. This command has the same parameters as those on the Client General Configuration page of the Web UI.

Group Mode Configuration

show group-mode

Syntax: show group-mode

[-type {local, peers, rules}]

Displays the group mode configuration.

enable group-mode

Syntax: enable group-mode

Enables group mode.

Syntax: enable group-mode

-type peer
-member-ip “ipaddr”

Enables a group mode peer. -member-ip specifies which peer to enable.

Syntax: enable group-mode

-type rule
{-all, -id “id”}

Enables a group forwarding rule. -id specifies which rule to enable. -all specifies that all rules should be enabled.

disable group-mode

Syntax: disable group-mode

Disables group mode.

Syntax: disable group-mode

-type peer
-member-ip “ipaddr”

Disables a group mode peer. -member-ip specifies which peer to disable.

Syntax: disable group-mode

-type rule
{-all, -id “id”}

Disables a group forwarding rule. -id specifies which rule to disable. -all specifies that all rules should be disabled.

set group-mode

Syntax: set group-mode

[-accelerate-with-failure {enable, disable}]
[-forward-loop-prevention {enable, disable}]

Enables or disables group mode options. This command has the same parameters as that on the Group Mode page on the Web UI.

Syntax: set group-mode

-type local
-adapter {apa, apb, primary}

Sets the adapter parameter of the local group mode. This command has the same parameters as that on the Group Mode page on the Web UI.

add group-mode

Syntax: add group-mode

-type peer
-member-ip “ipaddr”
-state {enable, disable}
-common-name “name”
[-ha-common-name “name”]

Adds a group mode peer. This command has the same parameters as that on the Group Mode page on the Web UI.

Syntax: add group-mode

-type rule
-member-ip “ipaddr”
-subnet “subnet”
-ports “port-range”
[-forwarded-if {match, not-match}]
[-state {enable, disable}]

Adds a group forwarding rule. This command has the same parameters as that on the Group Mode page on the Web UI.

remove group-mode

Syntax: remove group-mode

-type peer
{-all, -member-ip “ipaddr”}

Removes a group mode peer. -member-ip specifies which peer to remove. -all specifies that all peers should be removed.

Syntax: remove group-mode

-type rule
{-all, -id “id”}

Removes a group forwarding rule. -id specifies which rule to remove. -all specifies that all rules should be removed.

SSL Configuration

add ssl-profile

Syntax: add ssl-profile

-name “profile-name”
[-state {enable, disable}]
-proxy-type transparent
[-virtual-hostname “hostname”]
-private-key “private-key-name”

Adds an SSL profile for transparent proxy mode. This command has the same parameters as that on the Profile tab of the SSL Settings page on the Web UI.

Syntax: add ssl-profile

-name “profile-name”
[-state {enable, disable}]
-proxy-type split
[-virtual-hostname “hostname”]
-cert-key “cert-key-pair-name”
[-build-cert-chain {enable, disable}]
[-cert-chain-store {use-all-configured-CA-stores, “store-name”}]
[-cert-verification {none, Signature/Expiration, Signature/Expiration/Common-Name-White-List, Signature/Expiration/Common-Name-Black-List}]
[-verification-store {use-all-configured-CA-stores, “store-name”}]
[-server-side-protocol {SSL-version-2, SSL-version-3, SSL-version-2-3-OR-TLS-1.0, TLS-1.0}]
[-server-side-ciphers “ciphers”]
[-server-side-authentication {enable, disable}]
[-server-side-cert-key “cert-key-pair-name”]
[-server-side-build-cert-chain {enable, disable}]
[-server-side-renegotiation {disable-old-style, enable-old-style, new-style, compatible}]
[-client-side-protocol-version {SSL-version-2, SSL-version-3, SSL-version-2-3-OR-TLS-1.0, TLS-1.0}]
[-client-side-ciphers “ciphers”]
[-client-side-renegotiation {disable-old-style, enable-old-style, new-style, compatible}]

Adds an SSL profile for split proxy mode. This command has the same parameters as that on the Profile tab of the SSL Settings page on the Web UI.

set ssl-profile

Syntax: set ssl-profile

-name “profile-name”
[-state {enable, disable}]
[-proxy-type transparent]
[-virtual-hostname “hostname”]
[-private-key “private-key-name”]

Modifies an SSL profile created for transparent proxy mode.

Syntax: set ssl-profile

-name “profile-name”
[-state {enable, disable}]
[-proxy-type split]
[-virtual-hostname “hostname”]
[-cert-key “cert-key-pair-name”]
[-build-cert-chain {enable, disable}]
[-cert-chain-store {use-all-configured-CA-stores, “store-name”}]
[-cert-verification {none, Signature/Expiration, Signature/Expiration/Common-Name-White-List, Signature/Expiration/Common-Name-Black-List}]
[-verification-store {use-all-configured-CA-stores, “store-name”}]
[-server-side-protocol {SSL-version-2, SSL-version-3, SSL-version-2-3-OR-TLS-1.0, TLS-1.0}]
[-server-side-ciphers “ciphers”]
[-server-side-authentication {enable, disable}]
[-server-side-cert-key “cert-key-pair-name”]
[-server-side-build-cert-chain {enable, disable}]
[-server-side-renegotiation {disable-old-style, enable-old-style, new-style, compatible}]
[-client-side-protocol-version {SSL-version-2, SSL-version-3, SSL-version-2-3-OR-TLS-1.0, TLS-1.0}]
[-client-side-ciphers “ciphers”]
[-client-side-renegotiation {disable-old-style, enable-old-style, new-style, compatible}]

Modifies an SSL profile created for split proxy mode.

show ssl-profiles

Syntax: show ssl-profiles

Shows name, profile type, and state of all SSL profiles created.

show ssl-profile

Syntax: show ssl-profile

{-id “id”, -name “profile-name”}

Shows profile detail by id or profile name.

remove ssl-profile

Syntax: remove ssl-profile

{-all, -id “id”, -name “profile-name”}

Removes an SSL profile. -id and -name specify which profile to remove. -all specifies that all profiles are to be removed.

rename ssl-profile

Syntax: rename ssl-profile

-old “old-profile-name”
-new “new-profile-name”

Changes an SSL profile name.

show ssl-optimization

Syntax: show ssl-optimization

Shows SSL optimization status.

enable ssl-optimization

Syntax: enable ssl-optimization

Enables SSL optimization feature.

disable ssl-optimization

Syntax: disable ssl-optimization

Disables SSL optimization feature.

show ssl-secure-peer-connections

Syntax: show ssl-secure-peer-connections

Shows SSL peer configuration.

show ssl-ca-store

Syntax: show ssl-ca-store

-name “ca-store-name”

Shows detailed information on the SSL CA certificate.

show ssl-ca-stores

Syntax: show ssl-ca-stores

Shows summary information (name, expiration date, certificate count) on all SSL Certificate Authority certificates.

show ssl-cert-key-pair

Syntax: show ssl-cert-key-pair

-name “cert-key-pair-name”

Shows detailed information on the SSL certificate/key pair.

show ssl-cert-key-pairs

Syntax: show ssl-cert-key-pairs

Shows summary information (name, expiration date, certificate count, key type) on all configured SSL certificate/key pairs.

show ssl-disk-encryption

Syntax: show ssl-disk-encryption

Shows user data store encryption status.

show ssl-keystore

Syntax: show ssl-keystore

Shows encryption key store status.

show ssl-peer-auto-discovery

Syntax: show ssl-peer-auto-discovery

Shows SSL peer auto-discovery configuration.

show ssl-peer-connect-to

Syntax: show ssl-peer-connect-to

Shows SSL peer connect to configuration.

show ssl-peer-listen-on

Syntax: show ssl-peer-listen-on

Shows SSL peer listen on configuration.

add ssl-ca-store

Syntax: add ssl-ca-store

[-name “name”]
-file “ca-certificate-filename”

Adds an SSL CA certificate store.

remove ssl-ca-store

Syntax: remove ssl-ca-store

-name “name”

Removes an SSL CA certificate store.

add ssl-cert-key-pair

Syntax: add ssl-cert-key-pair

-name “certificate/key-pair-name”
{(-type combined-file “certificate/key-pair-filename”), (-type separate-key-file “key-filename” -cert-file “cert-filename”)}
[-key-password “password”]
[-file-password “password”]

Adds an SSL certificate authority certificate store.

remove ssl-cert-key-pair
Syntax: remove ssl-cert-key-pair -name “certificate/key-pair-name”

Removes an SSL certificate authority certificate store.

add ssl-peer-auto-discovery-publish-item
Syntax: add ssl-peer-auto-discovery-publish-item -ip-port “ipaddr:port”

Publishes a NAT IP address/port entry.

remove ssl-peer-auto-discovery-publish-item
Syntax: remove ssl-peer-auto-discovery-publish-item {-all, -ip-port “ipaddr:port”}

Removes one or all NAT IP address/port entries.

add ssl-peer-connect-to-item
Syntax: add ssl-peer-connect-to-item -ip-port “ipaddr:port”

Adds an SSL peer IP address/port to be connected to.

remove ssl-peer-connect-to-item
Syntax: remove ssl-peer-connect-to-item {-all, -ip-port “ipaddr:port”}

Removes one or all SSL peer IP address/port entries.

add ssl-peer-listen-on-item
Syntax: add ssl-peer-listen-on-item -ip-port “ipaddr:port”

Adds an SSL peer listen on CloudBridge IP address/port.

remove ssl-peer-listen-on-item
Syntax: remove ssl-peer-listen-on-item {-all, -ip-port “ipaddr:port”}

Removes one or all SSL peer listen on CloudBridge IP address/port entries.

add ssl-secure-peer-connections-item
Syntax: add ssl-secure-peer-connections-item -cert-verification Signature/Expiration/Common-Name-Black-List -item “black-list-item”

Adds an additional SSL peer security black list item. The first black list item was configured with the ‘set ssl-secure-peer-connections’ command.

Syntax: add ssl-secure-peer-connections-item -cert-verification Signature/Expiration/Common-Name-White-List -item “white-list-item”

Adds an additional SSL peer security white list item. The first white list item was configured with the ‘set ssl-secure-peer-connections’ command.

remove ssl-secure-peer-connections-item
Syntax: remove ssl-secure-peer-connections-item {-all, -item “list-item”}

Removes one or all SSL peer security white list or black list entries.

set ssl-cert-key-pair
Syntax: set ssl-cert-key-pair -name “certificate/key-pair-name” -action {add|replace} -cert-key {DSA|RSA} {(-type combined-file “certificate/key-pair-filename”), (-type separate-key-file “key-filename” -cert-file “cert-filename”)} [-key-password “password”] [-file-password “password”]

Adds or replaces a DSA/RSA certificate/key.

set ssl-keystore
Syntax: set ssl-keystore -password “new-password” -old-password “old-password”

set ssl-secure-peer-connections
Syntax: set ssl-secure-peer-connections -cert-key-name “cert-key-name” -ca-cert-store “ca-cert-store-name” -cert-verification {None,Signature} -cipher “ssl-cipher-specification”

Specifies the SSL peer configuration.

Syntax: set ssl-secure-peer-connections -cert-key-name “cert-key-name” -ca-cert-store “ca-cert-store-name” -cert-verification Signature/Expiration/Common-Name-Black-List -item “black-list-item-1” -cipher “ssl-cipher-specification”

Specifies the SSL peer configuration, where peer security certificate verification is a black list. The first black list entry is specified here; additional entries may be added using the ‘add ssl-secure-peer-connections-item’ command.

Syntax: set ssl-secure-peer-connections -cert-key-name “cert-key-name” -ca-cert-store “ca-cert-store-name” -cert-verification Signature/Expiration/Common-Name-White-List -item “white-list-item-1” -cipher “ssl-cipher-specification”

Specifies the SSL peer configuration, where peer security certificate verification is a white list. The first white list entry is specified here; additional entries may be added using the ‘add ssl-secure-peer-connections-item’ command.
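
The commands above combine into a secure-peer setup as sketched here. This is an added example, not part of the Citrix documentation: the store names, file names and the cipher placeholder are constructed, the command order is an assumption, and lines beginning with # are annotations rather than CLI input.

```text
# Load the CA certificates used to validate peers, and this appliance's own
# certificate/key pair (constructed names and file names).
add ssl-ca-store -name "peer-ca" -file "peer-ca.pem"
add ssl-cert-key-pair -name "appliance-pair" -type combined-file "appliance.pem"

# Weak setting: with -cert-verification None the peer certificate is not
# verified (reading of the option name), so any peer presenting a certificate
# can complete the secure-peer handshake.
set ssl-secure-peer-connections -cert-key-name "appliance-pair" -ca-cert-store "peer-ca" -cert-verification None -cipher "<ssl-cipher-specification>"

# Corrected setting: require signature verification of the peer certificate.
set ssl-secure-peer-connections -cert-key-name "appliance-pair" -ca-cert-store "peer-ca" -cert-verification Signature -cipher "<ssl-cipher-specification>"

# Review what is actually configured, including certificate expiration dates.
show ssl-ca-stores
show ssl-cert-key-pairs
show ssl-secure-peer-connections
```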

Test Mode Commands

clear compression-stats
Syntax: clear compression-stats

This command will clear the compression statistics, similar to the “Clear” button in the “Compression Status” section of the Web UI.

clear compression-history
Syntax: clear compression-history

This command will reset the compression history content, similar to a “Compression history content_reset” command given to console.php.

show object
Syntax: show object -class “class” [-name “name”]

This command shows the current value of a parameter or system object.

set object
Syntax: set object -class “class” -name “name” -value “value”

This command sets the value of a parameter or system object.