What’s new with CitrixADC/ADM?NOVEMBER 16, 2018 2018 Citrix Confidential

AgendaADM What’s NewTLS/SSL UpdateTraffic ManagementCitrix GatewayGateway Service2 2018 Citrix Confidential

ADMWhat’s New

ADM Service Pooled Licensing Provisioning VPX on AWS Customizing User Experience– Search & Tagging enhancements Slack Notifications Release notes here:– html4 2018 Citrix Confidential

ADM Service - Advanced AnalyticsAdvanced Analytics Assess App Infra anomalies and getto the root case of performanceissues.Tech Preview: Advanced analytics based on Citrix Analytics–Learning baseline against customers actual traffic enables more accurate andrelevant anomaly detection Handles normal traffic variance compared to static course grained static thresholds that needmanually set up–Initial Use Cases Anomaly Detection–Slowness in Server Response Time–Uneven Load Balancing Detection–DNS Flood Attacks Plus5–Service Flaps/Suboptimal Virtual Server Health–Server Errors 2018 Citrix ConfidentialIn TechPreview

Data Center A (Primary)Infra ImprovementsClient Improved HA Disaster Recovery support Multi Site Agent SupportOn FailoverHeartbeatHA-M&MRecovery SiteMASPrimaryReplicationMASRecoveryNS1’DB6 2018 Citrix ConfidentialReplicationDBCompresseddata over WANData center BNetScaler XMASSecondaryFIPNSn’ .NetScaler 1HA-M&MAgent 1 .Agent 2NetScaler 1NetScaler 2NetScaler n-1NetScaler n

ADM 12.1 HA Deployment - Increased Supported ScaleListed Features Enabled Together: 8vCPU; 32GB; SSDs NetScaler : 300 Vservers :40,000 SNMP :300 Syslog: 300 HDX insight :40,000 CCU Gateway insight :40,000 CCU Security insight :7500 violations/sec Webinsight : 40K transactions/sec, URL – 280K, Client – 300K, Domain - 1, Server – 150, App -1Note: Above results are without remote agent. Use of remote agents will improve scale7 2018 Citrix Confidential

Custom Network Reporting Dashboard Network Reporting now supports Customized Dashboards & much moreCustomize duration SelectionAdd Multiple InstancesAdd New ReportsCreate Multiple Dashboards8 2018 Citrix Confidential

Various Forms of LicensingClassic, CICO, Pooled, vCPUNameDimension TermPlatform(s)License HostClassicBandwidthPerpetualMPX, SDX, VPXLocal-CICOBandwidthPerpetualVPXMAS n* Roadmap - MA ServiceNEW9 2018 Citrix ConfidentialSubscriptionMPX, SDX, VPX, CPXMAS On-premTraffic shift* Roadmap - MA ServiceSubscriptionVPX, CPXMAS On-prem* Roadmap - MA ServiceLots of Little Things


DTLS support on Coleto platformsEnd-to-end DTLS (EDT) support on Coleto MPX/SDX models is coming in 12.1 50.xColeto models are 59xx, 89xx, 15xxx, 26xxxDTLS already supported on Cavium MPX/SDX, VPX and FIPS11 2018 Citrix Confidential

New SSL action - PickCACert Use case: Strict client cert validation in multitenantenvironments. Problem: In case of SNI enabled multitenant VIPs, multipleCA certs are bound where client validation can becompromised. Solution: Policy driven CA cert selection as per client helloSNI information. Example: Gateway service is multitenant and needs to sendonly a fixed set of CA certs in Client certificate request.12 2018 Citrix ConfidentialADCabc.comSNI abc.comSNI def.comCA listCA Cert List1 CA1, CA2, CA3CA Cert List2 CA4, CA5, CA6Send a CA list based on SNI

Traffic Management

Getting User Location from Geolocation DatabaseCurrently one can get only Boolean response about location Use case: Customer wants to log the countryfrom which users are coming Use case: Customer wants to insert the userlocation information in HTTP header when therequest is sent to the backend server Features supporting this function:–Responder–Rewrite–Audit logging14 2018 Citrix ConfidentialGeoDBInput: Asia.India.KA.Bangalore314MPX VPX SDX FIPS

Citrix Gateway

Citrix Gateway – Enhancements SummaryEnd UserExperienceExperienceAdministratorSaaS App CatalogueSAML SimplificationRDP Auto population of linksPassword Expiry NotificationOpenID Connect - Use Gmail/facebookcredentialsSecurityAlwaysOn Captive PortalOPSWATv4 - Better support for LatestAV Products and upgrade OPSWATlibrary independent of NetScalerChoicenFactor for Windows PluginOpenID Connect - oAuth ProviderExperience16 2018 Citrix ConfidentialChoiceSecurity

Current CVPN implementationWhat is CVPN:Used to publish web apps and enable access from web clients instead of VPN pluginCurrent Implementation:Citrix Gateway rewrites the original url to CVPN url. Below is one .htmlChallenge : Finding the relative urls in HTTP Body/JavaScript and doing rewrite17 2018 Citrix ConfidentialIndicates toGateway thatit is CVPN

CVPN 2.0 – Uniquely rewriting the hostnameInternally mapped .citrix.comPre-requisties :1. Wildcard DNS2. Wildcard SSL Certificates.18 2018 Citrix Confidentialabcd1234’.Only Hostname is changed and not the relative url

EPA - OPSWATv4 OPSWAT 3rd party vendor provides library with support for latest version of AV/Securityproducts–De-coupled NetScaler release and EPA library update. No need to Upgrade NetScaler for EPA updatesNS 12.0.56.xOPSWAT - EPA libraryavailable 12.0.56.x4.0.0.1600OPSWAT - 2018 Citrix ConfidentialNS 12.0.57.xOPSWAT -

AlwaysOn - SSLVPN - Tunnel establishment without userinterventionSeamless LaunchAuthentication Active Directoryor User CertUser Logs intodeviceTunnelEstablishmentOtherManual intervention authenticationFeatureUser ExperiencemethodsConnect to Internet in case Yesgateway connectivityfailureOption for user to changethe gateway URL20 2018 Citrix ConfidentialYesSecurityNoNo

nFactor and EPA EnhancementsnFactor for Plugin / ReceiverEPA for AAA-TMUse Case Plugin/Receiver for nFactor flow SAML Authentication/Native OTPusing Plugin/ReceiverFeature Description: Authv3 is added for plugin/Receiver. Authv3 is new forms protocol byCitrix and it supports webview.Gateway forces webview for nFactor Will be available from 12.1 FR1(Expected in August)21 2018 Citrix Confidential EPA policies can be applied to Web-appswithout the requirement of SSLVPNclient/Gateway client–Differentiator for NetScaler in Microsoft WAPreplacement use cases. In addition to load balancingOutlook etc NetScaler can pre-checks before allowingconnection to outlook server EPA part of nFactor–Provides the flexibility to the administrator in having EPAin both post and pre-auth flow–Conditional access can be provided based EPA results

Password expiry notification Provides the administrator an option to notify the enduser about password expiry Based on the time left for the password to expire, anexpiry notification is displayed on the portal page onCitrix Gateway. User then takes appropriate action toupdate the password set aaa parameter -pwdExpiryNotificationDays 1422 2018 Citrix Confidential

SAML Simplification – App Catalogue SupportUse Case Simplify configuring and publishing a SaaSapp for Single Sign OnFeature Description: Built-in catalogues of commonly used SaaSapps Both SP and IDP initiated flow as long the appsupports the same NetScaler metadata can be imported if theapp supports meta data import Available from NetScaler 12.1 GA release23 2018 Citrix Confidential

SAML Metadata Import/Export supportImport SAML IdP MetadataExport Metadata from Citrix Gateway wizardImport SAML SP Metadata24 2018 Citrix Confidential

Advanced Threshold Management for HDX Insight With Advanced Threshold Management for HDX Insight, NetScaler MAS provides proactivealerting mechanism via SMS/e-mail, incase threshold(s) set in an threshold group arebreached. What is a threshold Group?–A threshold group is comprised of one or more user defined threshold rules for metrics chosen fromentities such as users, apps & desktops against an expected value.o An example of a threshold rule1: ICA RTT(metric) for users(entity) should be 100 mso An example of a threshold rule2: WAN Latency (metric) for users(entity) should be 100 mso An example of threshold group can be : {Threshold rule 1 Threshold rule 2}–An interval for monitoring & the notification mechanism incase of breach (SMS, e-mail) needs to beselected Threshold groups can be bound to Geo locations for geo specific monitoring Navigate to System- Analytics Settings- Thresholds25 2018 Citrix Confidential

Gateway Insight now supports SAML Gateway Insight support for SAML is now available on MAS Please note:–Incorrect credentials when entered at 3rd party IdP cannot be captured by NetScaler26 2018 Citrix Confidential

Current Implementation:PROBLEM STATEMENT:New Solution: CPU/Memoryintensivecomponentsin ICA sessionsData is availablesupportedin a single Virtual Channel!ToscaleupthenumberofHDXonthestack- Task of Compression and EncryptionNetScaler when HDX Insight is enabledNew channel data is not compressed or multiplexed Data is scattered over Multiple Virtual Channels Data is available only after Decryption andDecompression27 2018 Citrix Confidentialwith other virtual channels NetScaler to ignore all the remaining virtualchannels

Citrix Gateway Service

Gateway Service - OverviewSecure access as a cloud service Fully secure & highly availableseamless access to all appsConsumptionpricing Simplified out-of-the-box setup Fully Managed by CitrixNGS No firewall changes requiredDataUsers Global Presence (12 POPs) Optimal end-user traffic routing29 2018 Citrix ConfidentialAppsCitrix CloudNetwork

What’s New with Gateway Service (GA launch in Q3)New enhancements to Gateway Service for SaaS app delivery alongside Web and Windows appsSaaS and Web appsXenApp & XenDesktopon-premises supportEnhanced experienceNew Single Sign-On to SaaS & Enterprise WebappsNew Support for Storefront and Auth storeon-premisesNew Expanded global presence with 12 dataPoints of Presence Pre-defined SaaS template library Enables hybrid deployments throughWorkspace site aggregation Stand-alone trials and new Citrix Cloudtile Access to SaaS & Enterprise Web AppsAvailable in productionComing Soon Two-factor authentication via nativeOne Time Password (OTP) Citrix – CONFIDENTIAL – The development, release and timing of any features or functionality described for our products remains at our sole discretion and are subject to change without noticeor consultation.The information provided is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be30 2018 Citrix Confidentialrelied upon in making purchasing decisions or incorporated into any contract.

Two-Factor Authentication (2FA) Natively generated One-TimePassword (OTP) Supports on-premises AD User device / app needs to beregistered with Citrix Cloud OTP token generation and login–Self-service–Citrix SSO app–Public authenticator apps e.g. Googleauthenticator, Microsoft authenticatorapp*Support for RADIUS & 3rd party IdP to follow Citrix – CONFIDENTIAL – The development, release and timing of any features or functionality described for our products remains at our sole discretion and are subject to change withoutnoticeconsultation.The information provided is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and shouldCitrix Confidential31 or2018not be relied upon in making purchasing decisions or incorporated into any contract.

New Tile on Citrix Cloud New Gateway Service tile on launchpad SaaS/Web apps support configurable byadmin using NGS tile/ Admin UI32 2018 Citrix Confidential

Gateway Service – Global POP NetworkClient findsthe closestPOPClient findsthe closestPOPConnectorand clientrendezvousConnectorfinds theclosest POPPOP pervisorsACME Resource Location 133 2018 Citrix ConfidentialClient findsthe closestPOP

InternetInternetSSO to SaaS34 2018 Citrix Confidential

Single-Sign On (SSO) to SaaS Apps SaaS App delivery using NGS End-user access from Citrix Workspace SAML 2.0 based Single Sign On to SaaS App Simpler App publishing Pre-defined SaaS app templatesSaaS AppsNetScaler GatewayService35 2018 Citrix Confidential

App Catalog for SaaS Apps Simpler & faster way of onboarding ofSaaS apps Template for popular SaaS apps Minimal configuration Initial launch with 29 templates Constantly expanding the catalog Option to configure any SaaS app, iftemplate not available36 2018 Citrix Confidential

SSO to SaaSConfiguration NetScaler Gateway Service SaaS Template(or custom) Organization-specific SaaSconfiguration SSO37 2018 Citrix Confidential

SSO Configuration38 2018 Citrix Confidential

InternetInternetWeb Apps Access39 2018 Citrix Confidential

Secure Access to on-premises Web Apps On-Prem Web App delivery using Gateway Service End-user access from Citrix Workspace Single Sign On to Web App Data Centre needs to have Gateway Connector and Web App Server Web App can be configured using NGS tile & Admin UIWeb ServerGatewayConnectorNetScaler GatewayService40 2018 Citrix ConfidentialCustomer on-Prem

How to Publish WebApp Admin View 41 2018 Citrix ConfidentialCreate a new Resource Location and install a Gateway Connector

How to Publish WebApp Admin View Installing a Gateway Connector42 2018 Citrix Confidential Copy and Paste the Activation Code on Connector UI

Monitoring the Gateway Connector43 2018 Citrix Confidential

NGS Web App flowGateway Connector(On-Prem)NGSWeb Server(On-Prem)LoginLoginApp EnumerationWeb App EnumerationAggregated AppsLaunch WebAppssoConnect to Web ServerConnect to Web ServerSSL44 2018 Citrix ConfidentialSSLWeb app traffic flow

Branding and name changesCurrent NameNew NameNetScaler ADCCitrix ADCNetScaler App SecurityCitrix Web App FirewallNetScaler AppFirewallCitrix Web App FirewallNetScaler GatewayCitrix Gateway(NetScaler Gateway and NetScaler Unified Gateway merge)NetScaler Unified GatewayCitrix Gateway(NetScaler Gateway and NetScaler Unified Gateway merge)NetScaler Management and AnalyticsSystemCitrix Application Delivery ManagementNetScaler SD-WANCitrix SD-WANNetScaler Secure Web GatewayCitrix Secure Web GatewayNetScaler Web App SecurityCitrix Web App Firewall45 2018 Citrix Confidential

46 2018 Citrix Confidential

Various Forms of Licensing Classic, CICO, Pooled, vCPU Dimension Term Platform(s) License Host Application Bandwidth Perpetual MPX, SDX, VPX Local - Name Classic Bandwidth Perpetual VPX MAS On-prem * Roadmap - MA Service CICO Automation Bandwidth Subscription MPX, SDX, VPX, CP