
Audience

This guide is intended for system and network administrators who install and configure complex networking equipment. While sales and marketing professionals might find the conceptual information useful, they are advised to refer to the white papers, product brochures, and other literature on our Web site for more details.

Formatting Conventions

This documentation uses the following formatting conventions.

Formatting Conventions

Convention Meaning

Boldface Information that you type exactly as shown (user input); elements in the user interface.

Italics Placeholders for information or parameters that you provide. For example, FileName in a command means you type the actual name of a file. Also, new terms, and words referred to as words (which would otherwise be enclosed in quotation marks).

%SystemRoot% The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or any other name you specify when you install Windows.

Monospace System output or characters in a command line. User input and placeholders also are formatted using monospace text.

{ braces } A series of items, one of which is required in command statements. For example, { yes | no } means you must type yes or no. Do not type the braces themselves.

[ brackets ] Optional items in command statements. For example, in the following command, [-range positiveInteger] means that you have the option of entering a range, but it is not required:

add lb vserver name serviceType IPAddress port [-range positiveInteger]

Do not type the brackets themselves.

Related Documentation

A complete set of documentation is available on the Documentation tab of your NetScaler and from http://support.citrix.com/. (Most of the documents require Adobe Reader, available at http://adobe.com/.)

To view the documentation

1. From a Web browser, log on to the NetScaler.

2. Click the Documentation tab.

3. To view a short description of each document, hover your cursor over the title. To open a document, click the title.

Getting Service and Support

Citrix provides technical support primarily through the Citrix Solutions Network (CSN). Our CSN partners are trained and authorized to provide a high level of support to our customers. Contact your supplier for first-line support, or check for your nearest CSN partner at http://support.citrix.com/.

You can also get support from Citrix Customer Service at http://citrix.com/. On the Support menu, click Customer Service.

Knowledge Center

The Knowledge Center offers a variety of self-service, Web-based technical support tools at http://support.citrix.com/.

| (vertical bar) A separator between options in braces or brackets in command statements. For example, the following indicates that you choose one of the following load balancing methods:

lbMethod = ( ROUNDROBIN | LEASTCONNECTION | LEASTRESPONSETIME | URLHASH | DOMAINHASH | DESTINATIONIPHASH | SOURCEIPHASH | SRCIPDESTIPHASH | LEASTBANDWIDTH | LEASTPACKETS | TOKEN | SRCIPSRCPORTHASH | LRTM | CALLIDHASH | CUSTOMLOAD )

… (ellipsis) You can repeat the previous item or items in command statements. For example, /route:DeviceName[,…] means you can type additional DeviceNames separated by commas.


Knowledge Center features include:

• A knowledge base containing thousands of technical solutions to support your Citrix environment

• An online product documentation library

• Interactive support forums for every Citrix product

• Access to the latest hotfixes and service packs

• Knowledge Center Alerts that notify you when a topic is updated

Note: To set up an alert, sign in at http://support.citrix.com/ and, under Products, select a specific product. In the upper-right section of the screen, under Tools, click Add to your Hotfix Alerts. To remove an alert, go to the Knowledge Center product and, under Tools, click Remove from your Hotfix Alerts.

• Security bulletins

• Online problem reporting and tracking (for organizations with valid support contracts)

Education and Training

Citrix offers a variety of instructor-led and Web-based training solutions.

Instructor-led courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high-quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification.

Web-based training courses are available through CALCs, resellers, and from the Citrix Web site.

Information about programs and courseware for Citrix training and certification is available at http://www.citrixtraining.com.

Documentation Feedback

You are encouraged to provide feedback and suggestions so that we can enhance the documentation. You can send email to the following alias or aliases, as appropriate. In the subject line, specify “Documentation Feedback.” Be sure to include the document name, page number, and product release version.

• For NetScaler documentation, send email to [email protected].

• For Command Center documentation, send email to [email protected].

• For Access Gateway documentation, send email to [email protected].

You can also provide feedback from the Knowledge Center at http://support.citrix.com/.

To provide feedback from the Knowledge Center home page

1. Go to the Knowledge Center home page at http://support.citrix.com/.

2. On the Knowledge Center home page, under Products, click NetScaler Application Delivery, and click NetScaler Application Delivery Software 9.0.

3. On the Documentation tab, click the guide name, and then click Article Feedback.

4. On the Documentation Feedback page, complete the form and click Submit.

Chapter 1

Understanding the Citrix NetScaler

This chapter provides a conceptual overview of the NetScaler. The main objective is to explain what a NetScaler is and how it works, providing a conceptual basis for all the chapters that follow. The chapter can also be read as a general technical overview.

In This Chapter

What Is a Citrix NetScaler?

Where Does a Citrix NetScaler Fit in the Network?

How a Citrix NetScaler Communicates with Clients and Servers

Understanding Policies and Expressions

Processing Order of Features

What Is a Citrix NetScaler?

A Citrix NetScaler is an application switch that intelligently distributes, optimizes, and secures Layer 4-Layer 7 (L4-L7) network traffic for Web applications. Features include load balancing, compression, Secure Sockets Layer (SSL) offload, a built-in application firewall, and dynamic content caching.

A NetScaler performs application-specific traffic analysis to provide a more effective implementation of the features. For example, a NetScaler makes load balancing decisions on individual HTTP requests rather than on the basis of long-lived TCP connections, so that the failure or slowdown of a server is managed much more quickly and with less disruption to clients. Other features can be used to reduce load and simplify server-farm management, and to accelerate end-user performance.

Switching Features

Its switching features enable a NetScaler to manage application traffic in an efficient manner. When deployed in front of application servers, a NetScaler ensures optimal distribution of traffic by the way in which it directs client requests. Administrators can segment application traffic according to information in the body of an HTTP or TCP request, and on the basis of L4-L7 header information such as URL, application data type, or cookie. Numerous load-balancing algorithms and extensive server health checks provide greater application availability by ensuring that client requests are directed to the appropriate servers.

Security and Protection Features

Security and protection features help block the theft and leakage of data by protecting Web applications from application-layer attacks. A NetScaler allows legitimate client requests and can block malicious requests. It provides built-in defenses against denial of service (DoS) attacks and supports features that protect the application against legitimate surges in application traffic that would otherwise overwhelm the servers. An available built-in firewall protects Web applications from application-layer attacks, including buffer overflow exploits, SQL injection attempts, cross-site scripting attacks, and more. In addition, the firewall provides identity theft protection by securing confidential corporate information and sensitive customer data.

Optimization Features

Optimization features offload resource-intensive operations such as Secure Sockets Layer (SSL) processing, data compression, and the caching of static and dynamic content from servers. This improves the performance of the servers in the server farm and therefore speeds up applications. A NetScaler supports several transparent TCP optimizations, which mitigate problems caused by high latency and congested network links, accelerating the delivery of applications while requiring no configuration changes to clients or servers.

Where Does a Citrix NetScaler Fit in the Network?

A NetScaler resides between the clients and the servers, so that client requests and server responses pass through it. In a typical installation, virtual servers (vservers) configured on the NetScaler provide connection points that clients use to access the applications behind the NetScaler. In this case, the NetScaler owns public IP addresses that are associated with its vservers, while the real servers are isolated in a private network. It is also possible to operate the NetScaler in a transparent mode as an L2 bridge or L3 router, or even to combine aspects of these and other modes.


Physical Deployment Modes

A NetScaler logically residing between clients and servers can be deployed in either of two physical modes: inline and one-arm.

In the normal inline mode, multiple network interfaces are connected to different Ethernet segments and the NetScaler is placed between the clients and the servers. The NetScaler has a separate network interface to each client network and a separate network interface to each server network. The NetScaler and the servers can exist on different subnets in this configuration. It is possible for the servers to be in a public network and the clients to directly access the servers through the NetScaler, with the NetScaler transparently applying the L4-L7 features. Usually, vservers (described later) are configured to provide an abstraction of the real servers. The following diagram illustrates a typical inline deployment.

Inline Deployment

In a less common version of one-arm mode, only one network interface of the NetScaler is connected to an Ethernet segment. The NetScaler in this case does not isolate the client and server sides of the network, but provides access to applications through configured vservers. This version of one-arm mode can simplify network changes needed for NetScaler installation in some environments.

Citrix NetScaler as an L2 Device

A NetScaler functioning as an L2 device is said to operate in L2 mode. In L2 mode, the NetScaler forwards packets between network interfaces when all of the following conditions are met:

• The packets are destined to another device's media access control (MAC) address.

• The destination MAC address is on a different network interface.

• The network interface is a member of the same virtual LAN (VLAN).

By default all network interfaces are members of a pre-defined VLAN, VLAN 1.

Address Resolution Protocol (ARP) requests and responses are forwarded to all network interfaces that are members of the same VLAN. To avoid bridging loops, L2 mode must be disabled if another L2 device is working in parallel with the NetScaler.

Citrix NetScaler as a Packet Forwarding Device

A NetScaler can function as a packet forwarding device, and this mode of operation is called L3 mode. When a NetScaler in L3 mode receives, on its MAC address, unicast packets that are destined for an unknown IP address, it forwards them if there is a proper route to the destination. A NetScaler can also route packets between VLANs.

In both modes of operation, L2 and L3, a NetScaler generally drops packets that are in:

• Multicast frames

• Unknown protocol frames destined for a NetScaler's MAC address (non-IP and non-ARP)

• Spanning Tree protocol


How a Citrix NetScaler Communicates with Clients and Servers

A NetScaler is usually deployed in front of a server farm and functions as a transparent TCP proxy between clients and servers, without requiring any client-side configuration. This basic mode of operation is called Request Switching technology and is the core of NetScaler functionality. Request Switching enables a NetScaler to multiplex and offload the TCP connections, maintain persistent connections, and manage traffic at the request (application layer) level. This is possible because the NetScaler can separate the HTTP request from the TCP connection on which the request is delivered.

Depending on the configuration, a NetScaler may process the traffic before forwarding the request to a server. For example, if the client attempts to access a secure application on the server, the NetScaler might perform the necessary SSL processing before sending traffic to the server. To facilitate efficient and secure access to server resources, a NetScaler uses a set of IP addresses collectively known as NetScaler-owned IP addresses.

Understanding NetScaler-owned IP Addresses

To function as a proxy, a NetScaler uses a variety of IP addresses. The key NetScaler-owned IP addresses are:

Mapped IP address (MIP). The MIP is used for server-side connections. It is not the IP address of the NetScaler. In most cases, when the NetScaler receives a packet, it replaces the source IP address with the MIP before sending the packet to the server. With the servers abstracted from the clients, the NetScaler manages connections more efficiently.

Virtual server IP address (VIP). A VIP is the IP address associated with a vserver. It is the public IP address to which clients connect. A NetScaler managing a wide range of traffic may have many VIPs configured.

NetScaler IP address (NSIP). The NSIP is the IP address for general system and management access to the NetScaler itself.

Subnet IP address (SNIP). When the NetScaler is attached to multiple subnets, SNIPs may be configured for use as MIPs providing access to those subnets.

How Traffic Flows Are Managed

Because a NetScaler functions as a TCP proxy, it translates IP addresses before sending packets to a server. When you configure a vserver, clients connect to a VIP on the NetScaler instead of directly connecting to a server. Based on the settings on the vserver, the NetScaler selects an appropriate server and sends the client's request to that server. By default, the NetScaler uses the MIP to establish connections with the server, as illustrated in the following diagram.

Vserver-based connections

In the absence of a vserver, when a NetScaler receives a request, it transparently forwards the request to the server. This is called the transparent mode of operation. When operating in transparent mode, a NetScaler translates the source IP addresses of incoming client requests to the MIP but does not change the destination IP address. For this mode to work, L2 or L3 mode needs to be configured appropriately.

For cases in which the servers need the actual client IP address, the NetScaler can be configured to modify the HTTP header by inserting the client IP address as an additional field, or configured to use the client IP address instead of the MIP for connections to the servers.


Traffic Management Building Blocks

The configuration of a NetScaler is typically built up with a series of virtual entities that serve as building blocks for traffic management. The building block approach helps separate traffic flows. Virtual entities are abstractions, typically representing IP addresses, ports, and protocol handlers for processing traffic.

Clients access applications and resources through these virtual entities. The most commonly used entities are vservers and services. Vservers represent groups of servers in a server farm or remote network, and services represent specific applications on each server.

Most features and traffic settings are enabled through virtual entities. For example, you can configure a NetScaler to compress all server responses to a client that is connected to the server farm through a particular vserver. To configure the NetScaler for a particular environment, you need to identify the appropriate features and then choose the right mix of virtual entities to deliver them. Most features are delivered through a cascade of virtual entities that are bound to each other. In this case, the virtual entities are like blocks being assembled into the final structure of a delivered application. You can add, remove, modify, bind, enable, and disable the virtual entities to configure the features. The following diagram illustrates the concepts covered in this section.

How traffic management building blocks work

A Simple Load Balancing Configuration

In the example shown in the diagram, the NetScaler is configured to function as a load balancer. For this configuration, you need to configure virtual entities specific to load balancing and bind them in a specific order. As a load balancer, a NetScaler distributes client requests across several servers and thus optimizes the utilization of resources.

The basic building blocks of a typical load balancing configuration are services and load balancing vservers. The services represent the applications on the servers. The vservers abstract the servers by providing a single IP address to which the clients connect. To ensure that client requests are sent to a server, you need to bind each service to the vserver. That is, you must create services for every server and bind the services to the vserver. Clients use the VIP to connect to a NetScaler. When the NetScaler receives client requests on the VIP, it sends them to a server determined by the load balancing algorithm. Load balancing uses a virtual entity called a monitor to track whether a specific configured service (server plus application) is available to receive requests.

Load Balancing vserver, services, and monitor

In addition to configuring the load balancing algorithm, you can configure several parameters that affect the behavior and performance of the load balancing configuration. For example, you can configure the vserver to maintain persistence based on source IP address. The NetScaler then directs all requests from any specific client to the same server.
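The following added Python example is a small model of the behaviour described in "How Traffic Flows Are Managed" and in this section: vserver lookup, monitor state, source-IP persistence, source translation to the MIP, and client-IP header insertion. It is not NetScaler code or configuration. The class names, all addresses, and the Client-IP header name are constructed assumptions, and round robin stands in for whichever load balancing method is configured.

```python
from dataclasses import dataclass, field

MIP = "10.0.0.1"  # constructed mapped IP: source of every server-side connection

@dataclass
class Service:
    name: str
    ip: str
    port: int
    up: bool = True  # what a bound monitor would report

@dataclass
class VServer:
    vip: str
    port: int
    protocol: str
    persistence: bool = False       # source-IP persistence
    insert_client_ip: bool = False  # add the client IP as an HTTP header
    services: list = field(default_factory=list)
    sticky: dict = field(default_factory=dict)
    rr: int = 0

    def pick(self, client_ip):
        healthy = [s for s in self.services if s.up]
        if not healthy:
            return None
        kept = self.sticky.get(client_ip) if self.persistence else None
        if kept is not None and kept.up:
            return kept
        svc = healthy[self.rr % len(healthy)]  # round robin over healthy services
        self.rr += 1
        if self.persistence:
            self.sticky[client_ip] = svc
        return svc

class Proxy:
    def __init__(self):
        self.vservers = {}

    def add(self, vs):
        # One VIP can carry several vservers, told apart by port and protocol.
        self.vservers[(vs.vip, vs.port, vs.protocol)] = vs

    def handle(self, client_ip, dst_ip, dst_port, protocol, headers=None):
        vs = self.vservers.get((dst_ip, dst_port, protocol))
        svc = vs.pick(client_ip) if vs else None
        if svc is None:
            return None  # no matching vserver or no healthy service
        out = dict(headers or {})
        if vs.insert_client_ip:
            # Model choice: overwrite any client-supplied value of the header.
            out["Client-IP"] = client_ip  # header name is an assumption
        return {"src": MIP, "dst": svc.ip, "dport": svc.port,
                "service": svc.name, "headers": out}

def build_demo():
    web1 = Service("web1", "10.0.0.11", 80)
    web2 = Service("web2", "10.0.0.12", 80)
    http = VServer("203.0.113.10", 80, "HTTP", persistence=True,
                   insert_client_ip=True, services=[web1, web2])
    ssl = VServer("203.0.113.10", 443, "SSL", services=[web1])
    proxy = Proxy()
    proxy.add(http)
    proxy.add(ssl)
    return proxy, web1, web2

if __name__ == "__main__":
    proxy, web1, web2 = build_demo()
    print(proxy.handle("198.51.100.7", "203.0.113.10", 80, "HTTP"))
```

In the model, every server-side connection carries the MIP as its source, so server access logs identify individual clients only through the inserted header or when the client IP is used instead of the MIP.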


Understanding Virtual Servers

A vserver represents one or more applications in a server farm. The vserver is a named NetScaler entity that external clients can use to access applications hosted on the servers. It is represented by an alphanumeric name, virtual IP address (VIP), port, and protocol. The name of the vserver is only of local significance and is designed to make the vserver easier to identify. When a client attempts to access applications on a server, it sends a request to the VIP instead of the IP address of the physical server. When the NetScaler receives a request on the VIP, it terminates the connection at the vserver and uses its own connection with the server on behalf of the client. The port and protocol settings of the vserver determine the applications that the vserver represents. For example, a Web server can be represented by a vserver and a service whose port and protocol are set to 80 and HTTP, respectively. Multiple vservers can use the same VIP but different protocols and ports.

Vservers are points for delivering features. Most features, like compression, caching, and SSL offload, are normally enabled on a vserver. When the NetScaler receives a request on a VIP, it chooses the appropriate vserver by the port on which the request was received and its protocol. The NetScaler then processes the request as appropriate for the features configured on the vserver.

In most cases, vservers work in tandem with services. You can bind multiple services to a vserver. These services represent the applications running on physical servers in a server farm. After the NetScaler processes requests received on a VIP, it forwards them to the servers as determined by the load balancing algorithm configured on the vserver. The following diagram illustrates these concepts.

Multiple vservers on a single VIP

The preceding diagram illustrates a configuration consisting of two vservers with
