
Advanced Load Balancing: 8 Must-Have Features For Today's Network Demands


White paper

Advanced load balancing: 8 must-have features for today’s network demands

Application availability and scalability are no longer
enough. Today’s enterprises require an integrated
solution that also delivers the highest levels of
security and performance for their business-critical
Web applications.

Table of contents

Overview

Core load-balancing capabilities still an essential starting point
1. Layer 4 load balancing
2. Layer 7 load balancing
3. Global server load balancing

Stepping up to application delivery
4. Application acceleration
5. Comprehensive application security

Meeting and exceeding expectations
6. A purpose-built platform — the key to superior scalability
7. An integrated, modular design — the key to superior agility
8. Unified, simplified management — the key to superior usability

Summary

Overview
Early-generation server load-balancing technology has proven to be an invaluable asset, especially for
organizations hosting widely utilized Web applications. By operating as a virtual entry point to such
applications, load balancing provides an opportunity to execute a variety of algorithms for splitting the
processing load among back-end servers. In addition, periodic polling to establish the status of
participating nodes can be used not only to fine-tune the load distribution but also to avoid directing
traffic to servers that are actually offline. In other words, server load balancers (SLBs) are a simple yet
highly effective means to scale an application environment while simultaneously ensuring its availability.

Time marches on, however. Business requirements evolve, as do the processes and technologies
used to fulfill them. In fact, the following are just a handful of the key changes and trends that have
taken hold since SLBs were first introduced:

• Organizations have become heavily reliant on ecommerce/ebusiness and the use of the Internet, in
general, as a legitimate business tool.
• Traffic volumes have risen dramatically, often creating contention for constrained resources
(e.g., network bandwidth, system capacity).
• Applications have become more complex. Support for real-time interaction and multimedia content
has placed even greater demands on computing infrastructure at the same time that sensitivity to
latency has become the status quo.
• Computing resources have become increasingly centralized (e.g., due to datacenter consolidation)
at the same time that users have become increasingly decentralized (e.g., due to mobility,
globalization and offshoring).
• The proliferation of regulatory requirements has significantly elevated the business importance of
ensuring data privacy and having a comprehensive information security program.
• And a shift in hacker motivation has led to a significantly more dangerous threat landscape
characterized by a growing percentage of highly elusive application-layer attacks.

What these changes and trends expose, in particular, is the need for enterprises to step up from a
simple load-balancing solution to a more comprehensive application delivery solution — a solution that
addresses not just scalability and availability of the application environment, but application performance
and security as well. Accordingly, this paper is intended to serve as a guide for organizations looking
to replace their early-generation SLBs. Details on the top eight criteria to use during an evaluation
process are provided, along with numerous examples of how Citrix® NetScaler® meets and often exceeds
the associated requirements (see sidebar).

Citrix NetScaler in a nutshell

Citrix NetScaler is an enterprise-class solution for server and global server load
balancing. However, it is actually much more than that. Because NetScaler also
incorporates comprehensive application performance and security functionality, it is
appropriately classified as a full-featured Application Delivery Controller. A
market-proven solution, NetScaler is used by 8 out of the 10 largest Web sites,
with an estimated 75 percent of Internet users hitting a NetScaler daily. Moreover,
more than 2,000 enterprises use NetScaler for their public-facing and intranet Web
application delivery needs.

8 must-have features for today’s network demands
1 Layer 4 load balancing
2 Layer 7 load balancing
3 Global server load balancing
4 Application acceleration
5 Comprehensive application security
6 A purpose-built platform — the key to superior scalability
7 An integrated, modular design — the key to superior agility
8 Unified, simplified management — the key to superior usability

Core load-balancing capabilities still an essential starting point
These days, placing greater emphasis on enhancing application performance and security is indeed
appropriate. By no means, however, does this obviate the need to address fundamental requirements
pertaining to application availability and scalability. To ensure these baseline objectives are met, it is
recommended that organizations begin their evaluation of an SLB replacement by considering the
presence and strength of the feature sets for layer 4 (L4) load balancing, layer 7 (L7) content switching
and other L7 traffic management functionality, and global server load balancing.

1. Layer 4 load balancing


The ability to direct traffic based on L2-L4 information (e.g., MAC/IP address and TCP port) should be
considered a prerequisite for all load-balancing solutions. Related functionality that should also be
present is concerned with health monitoring, session persistence and network integration.

• Health monitoring entails using various mechanisms (e.g., ping, SNMP, scripts) to continuously
establish the availability and relative health — from a performance perspective — of virtually every
part of the application infrastructure: intermediate network links and devices, server hardware,
operating system services, and even individual modules of the application itself. The gathered
information can then be used to help distribute sessions in a manner that avoids bottlenecks
and/or downed components.
• Session persistence is necessary for designs where back-end state information is not being shared
and, therefore, any given user’s session needs to be handled by the same server from start to finish.
In this case, various options (e.g., source IP address, cookies, or hashing of various attributes)
should be available to ensure follow-on requests continue to be directed to the server node chosen
to process the initial request.
• Network integration and compatibility are easy to overlook, but equally important. Put succinctly,
the load-balancing platform should simply “fit in” to the existing environment without the need for
modifications. As a result, it should support a wide range of routing protocols (e.g., OSPF, RIP, BGP)
and common networking techniques (e.g., 802.3ad link aggregation, 802.1q VLAN tagging).

A leading solution such as NetScaler can be identified by its superior breadth of coverage, measured
in terms of the protocols that are supported (e.g., TCP, UDP, FTP, HTTP, HTTPS, and SIP), the load-
balancing options/algorithms that are available to choose from (e.g., round robin, least packets, least
bandwidth, least connections, response time, SNMP monitoring of back-end resources) and the scope
of health attributes that can be monitored.
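
The three L4 pieces described above (health monitoring, session persistence and a least-connections algorithm) interact, and the interaction is where availability problems tend to hide. The sketch below is an added example, not code from this white paper or from NetScaler; the class names, the three-probe threshold and the sample addresses are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Backend:
    name: str
    healthy: bool = True   # set by the health monitor
    active: int = 0        # sessions currently assigned
    fails: int = 0         # consecutive failed probes


class Pool:
    """Least-connections selection gated by health, with source-IP persistence."""

    FAIL_THRESHOLD = 3  # assumed value: failed probes before a node is marked down

    def __init__(self, names):
        self.backends = {n: Backend(n) for n in names}
        self.sticky = {}  # client IP -> backend chosen for its first request

    def record_probe(self, name, ok):
        """Feed one health-probe result (ping, SNMP, script, ...) into the pool."""
        b = self.backends[name]
        if ok:
            b.fails, b.healthy = 0, True
        else:
            b.fails += 1
            if b.fails >= self.FAIL_THRESHOLD:
                b.healthy = False

    def pick(self, client_ip):
        """Return the backend name that should serve this client's next request."""
        healthy = [b for b in self.backends.values() if b.healthy]
        if not healthy:
            # Fail loudly rather than send traffic to a node known to be down.
            raise RuntimeError("no healthy backend available")
        pinned = self.backends.get(self.sticky.get(client_ip))
        if pinned is not None and pinned.healthy:
            chosen = pinned  # persistence wins while the pinned node is up
        else:
            # Least connections among healthy nodes; ties are broken by a hash
            # of the client address so the choice is deterministic.
            low = min(b.active for b in healthy)
            tied = sorted((b for b in healthy if b.active == low),
                          key=lambda b: b.name)
            digest = hashlib.sha256(client_ip.encode()).digest()
            chosen = tied[int.from_bytes(digest[:4], "big") % len(tied)]
            self.sticky[client_ip] = chosen.name  # re-pin after a failover
        chosen.active += 1
        return chosen.name

    def release(self, name):
        """Call when a session ends so the connection count stays accurate."""
        self.backends[name].active -= 1


if __name__ == "__main__":
    pool = Pool(["web1", "web2", "web3"])          # constructed node names
    print(pool.pick("203.0.113.10"), pool.pick("203.0.113.10"))
```

Note that source-IP persistence treats every client behind one NAT address as a single user, which is one reason the paper lists cookies and attribute hashing as alternatives.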

2. Layer 7 load balancing


Also referred to as content switching, L7 load balancing is essentially an extension of the traffic
distribution, health monitoring and session persistence capabilities discussed above. The difference
is that routing decisions can also be based on application-layer data and attributes, such as HTTP
header, uniform resource identifier, SSL session ID and HTML form data. This difference enables
more-efficient utilization of resources because all of the services and components that comprise an
application no longer need to be implemented on all of the server nodes. As a result, each physical
system can now be tailored to the functions it will be supporting.

When evaluating solutions against this criterion, emphasis should be placed on the breadth and depth
of L7 load-balancing/content-switching policies that can be established, as well as the ease with which
they can be constructed or configured. Organizations should also consider the value of a variety of
advanced L7 content features not strictly associated with distributing traffic. For example, NetScaler
enables content to be rewritten (e.g., to mask sensitive data) and includes a responder module for
configuring custom responses (e.g., redirects, error messages) to specified types of inbound requests.

3. Global server load balancing


The general concept of global server load balancing is to extend the core L4 and L7 capabilities so that
they are applicable across geographically distributed server farms. The primary objective is to provide an
additional degree of availability by accounting for site-level disruptions and outages. Secondary benefits
include: (a) being able to further enhance performance for remote users by routing their sessions to
the closest and/or best-performing datacenter; and (b) being able to balance and optimize resource
utilization on an enterprise-wide basis.

Unlike many other solutions on the market, NetScaler incorporates global server load balancing as an
optional feature. A separate, standalone device is not required. NetScaler’s other distinct advantage,
once again, is that it offers an extensive array of options when it comes to the site-level health
attributes that can be monitored, as well as the mechanisms and algorithms that can be used to
distribute sessions among an organization’s different datacenters.

Stepping up to application delivery


The point has already been made that simple, early-generation load balancers are not sufficient.
Overall, they leave organizations in the undesirable position of having to acquire and implement an
additional set of products to achieve adequate levels of application performance and security. The
deficiencies in these early load balancers also explain why leading industry analysts strongly encourage
organizations to embrace advanced Application Delivery Controllers (ADCs) when replacing their server
load balancers. The intent with ADCs in general, and Citrix NetScaler in particular, is to have a single
device that incorporates not just a core set of load-balancing capabilities but a comprehensive set of
application performance and security services as well. The next two sections elaborate on what this
means in terms of specific functionality.

4. Application acceleration
Compensating for obvious deficiencies and otherwise enhancing application performance can be a
tricky proposition. Sub-optimal application performance can be the result of resource constraints at
virtually any point in the path that a user’s session traverses. A few of the more likely bottlenecks are
inadequate client hardware, insufficient bandwidth at either the client or server end of the connection,
and overloaded server infrastructure. Alternately, there can be problems with the application itself. This
is frequently the case when the underlying protocols and/or application logic have not been optimized
for operation over a wide area network. The resulting condition, referred to as “chattiness,” is a highly
inefficient behavior whereby it takes numerous back-and-forth exchanges between client and server to
complete a single, user-level action.

In any event, the diversity of potential issues is why an ideal solution should incorporate an overlapping
set of features that enhance application performance. These include caching, compression, TCP
communications management and SSL offload.

• Caching techniques enable frequently requested content to be served from the load-balancer platform.
This technology accelerates delivery to the end user while relieving some of the processing demand
placed on back-end servers. These gains are maximized with NetScaler, based on the fact that its
AppCache™ functionality provides in-memory caching not just for static data, but for dynamically
generated HTTP application content as well.
• Compression is all about reducing the amount of data that must traverse the connection in the
first place — even for encrypted sessions. The next generation of Web 2.0 applications frequently
includes large numbers of cascading style sheets and JavaScript, making compression even more
important. Compression helps alleviate network congestion and can accelerate transactions by 3X-5X.
• TCP communications management covers two major items. At the front end (i.e., between the client
and ADC), TCP optimization techniques — such as forward-error correction, window scaling and
buffering — help make more efficient use of available bandwidth and reduce the amount of chattiness.
At the back end (i.e., between the ADC and server nodes), TCP multiplexing enables the aggregation
of a large number of HTTP requests over a much smaller number of long-lived TCP connections.
The impact on server load and response time can be quite dramatic, as this significantly reduces
the processing demand associated with connection setup and teardown.
• SSL offload similarly relieves back-end servers by performing compute-intensive encryption and
decryption processes on their behalf — ideally, by taking advantage of hardware that is specialized
to the task.

Of course, having a comprehensive set of application acceleration features is really just table stakes. With
NetScaler, organizations also benefit from having highly granular control over the configuration of these
capabilities. This control is particularly important for caching and compression mechanisms since there
are often scenarios where: (a) it is preferable to not cache certain content; or (b) the use of compression
incurs a greater penalty than the benefit it provides (e.g., for low-latency, high-bandwidth connections).

Pulling double duty


All of the application acceleration capabilities discussed above contribute to a significant,
secondary benefit. Specifically, by offloading network and server infrastructure these
capabilities often enable organizations to make do with fewer resources, delaying the
need for further investments in network bandwidth, routing/switching platforms and
server hardware.

5. Comprehensive application security


As an intermediary between users and back-end resources, the SLB/ADC is also an ideal place to
implement much-needed security measures. Recalling the trends highlighted earlier — especially those
pertaining to the evolution of threats, user mobility, and inter-connectivity — it should be clear that
SSL VPNs and application firewalls are two countermeasures, in particular, that deserve attention.

Aside from facilitating remote access, the benefit of having SSL VPN technology as an integral component
of an ADC is that it provides fine-grained control over which users have access to which functions in
which applications, and under which conditions (e.g., based on type and configuration status of the
client device). When properly utilized, this capability can substantially reduce the risk of providing
application access to a vast population of remote, mobile and third-party users.

The shortcomings of network firewalls, which concern themselves primarily with network addresses and
port-level information, are well documented. In general, they do not “understand” the inner workings
of protocols/languages such as HTML and XML; they do not understand HTTP sessions; they cannot
validate user inputs to an HTML application; they cannot filter or obfuscate sensitive data included in
server responses; they cannot detect maliciously modified parameters in a URL request; and they are
incapable of inspecting SSL-encrypted traffic. In contrast, it is specifically this depth of visibility and
control that enables an application firewall to protect Web applications against a wide range of both
known and unknown attacks.
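
To make the contrast concrete, the added example below (not from this white paper and not NetScaler's implementation) puts a port-level check next to a positive-model check of URL parameters and a response filter that masks card numbers. The policy table, paths, parameter names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl


def l4_allows(dst_port, allowed_ports=(80, 443)):
    """Network-firewall view: only addresses and ports are visible."""
    return dst_port in allowed_ports


# Constructed positive-model policy: path -> {parameter: pattern it must match}.
# Anything not listed here is rejected, known attack or not.
POLICY = {
    "/account/view": {"id": re.compile(r"[0-9]{1,10}")},
    "/search": {"q": re.compile(r"[\w .,'-]{1,64}"),
                "page": re.compile(r"[0-9]{1,4}")},
}


def l7_check(url):
    """Return (allowed, reason) for a request URL under the positive model."""
    parts = urlsplit(url)
    rules = POLICY.get(parts.path)
    if rules is None:
        return False, "path not in policy"
    seen = set()
    # parse_qsl percent-decodes, so the patterns see what the application sees.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in rules:
            return False, f"unexpected parameter {name!r}"
        if name in seen:
            return False, f"duplicate parameter {name!r}"
        seen.add(name)
        if not rules[name].fullmatch(value):
            return False, f"parameter {name!r} fails validation"
    return True, "ok"


CARD = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13 to 16 digits, optional separators


def luhn_ok(digits):
    """Luhn checksum, used to avoid masking order numbers and similar values."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_response(body):
    """Mask card numbers in a server response, keeping the last four digits."""
    def repl(match):
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):
            return match.group()
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD.sub(repl, body)


if __name__ == "__main__":
    for url in ("https://shop.example/account/view?id=42",       # constructed
                "https://shop.example/account/view?id=42%27",    # modified value
                "https://shop.example/account/view?id=42&admin=1"):
        print(l4_allows(443), l7_check(url))
    print(mask_response("Card on file: 4111 1111 1111 1111."))
```

All three sample requests arrive on port 443 and pass the port-level check; only the parameter-level policy separates the well-formed request from the two altered ones.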

Of course, having robust, application-layer controls does not obviate the need to provide protection at
other layers of the stack. This is another area where NetScaler outshines the competition. For example,
NetScaler features a customized TCP/IP stack that: (a) enforces a positive security model, dropping all
traffic that deviates from common guidelines for packet formation and content; and (b) prevents leakage
of low-level information by zeroing the unused portions of reused packets. In addition, NetScaler provides
robust connection handling routines to automatically thwart many types of DDoS/flood attacks.

Meeting and exceeding expectations

The final three criteria are what set superior application delivery solutions such as NetScaler apart.
Although many solutions may, in fact, incorporate all of the aforementioned functional capabilities,
those that fail to thoroughly address the need for a purpose-built platform, an integrated, modular
design and unified management will not be nearly as effective and efficient as those that do.

6. A purpose-built platform — the key to superior scalability


Application delivery is substantially more compute-intensive than ordinary load balancing. Not only is
the scope of functionality greater, but so is the depth of processing that needs to be conducted to
provide the requisite level of application visibility and control. Less clear, though, is how to account for
this difference, especially in ensuring the solution is able to scale appropriately.

The key is having a purpose-built platform: one whose hardware — and more importantly, the system-
level software — has been constructed and optimized explicitly for the higher-level services that define
an ADC. Some of the more significant, representative features of a purpose-built platform are:

• a customized hardware design. This does not imply that custom silicon (i.e., ASICs) should be used
for everything. Indeed, when it comes to L7 operations, general-purpose hardware (e.g., the Intel
x86 platform) has proven to be more efficient, adaptable, and therefore economical. However, it is
appropriate for solutions to incorporate ASICs for accelerating lower-layer processes that are highly
deterministic and repetitive (e.g., cryptographic functions or flow control).

• a customized operating system. General-purpose operating systems are interrupt-driven and designed
to provide equitable treatment for the widest possible set of applications. However, because it has
complete control over functions such as process timing, memory management and network access,
the customized system in NetScaler is able to optimize resource allocation for the tasks at hand. The
result is a far more deterministic processing model with lower latency and greater overall scalability.
• a customized TCP/IP stack. A logical extension of the previous item, this one ensures even greater
processing efficiency, and also provides an opportunity to implement the aforementioned stack-level
security mechanisms.
• an intelligent HTTP parsing engine. Ideally, packet-processing tasks should not need to be repeated
for each individual function (e.g., caching, compression).

7. An integrated, modular design — the key to superior agility


For most organizations, having options is a firm requirement. So is having a solution that is adaptable
and, therefore, future-proof. Consequently, a top consideration for an SLB replacement is that it feature
a modular design. This way individual capabilities (e.g., application firewall, SSL VPN) can be added as
needed when the organization is ready to take the next step in the evolution of its application delivery
infrastructure. Furthermore, new modules that account for ever-changing conditions can be developed
and implemented over time without having to resort to deploying a fleet of additional, standalone devices.

Equally important is that the modules be truly integrated components of the overall system. For instance:

• each module should take full advantage of the embedded scalability, performance and security
features of the purpose-built platform;
• the presence of any given module should not prevent other functional modules from taking
advantage of the system’s features (e.g., support for multi-core processing);
• modules should be intelligent and selective — for example, if the application firewall requires full,
deep-packet inspection of specific traffic flows, then it should not automatically force all other flows
to be handled this way; and
• individual modules should not require their own, separate management consoles.

NetScaler fully meets these requirements. Its design is highly modular, yet the individual functional
capabilities are tightly integrated and completely compatible. Furthermore, all features are available on
all units/models all of the time.

8. Unified, simplified management — the key to superior usability


Ultimately, the ability to unleash the full power of an ADC depends quite heavily on the strength and
usability of the associated management capabilities. Three elements of the NetScaler solution are
particularly helpful in identifying the specific features to look for when considering management capabilities.

• The intuitive AppExpert Visual Policy Builder enables application delivery policies to be created
without having to code complex programs or scripts. In addition, the unification and consolidation
of multiple capabilities in a single solution keep administrators from having to “jump” between
different consoles and policy models.

• Citrix EdgeSight™ transparently instruments HTML pages, providing granular visibility into how Web
applications are behaving from the end user’s perspective. Detailed results can then be used to
fine-tune individual policies and take further advantage of the system’s acceleration capabilities to
ensure a superior application experience.
• NetScaler Command Center enables efficient, centralized administration of system configuration,
event management and performance management for organizations that elect to operate multiple
NetScaler appliances.

Summary
Early-generation server load balancers are tried and true solutions for improving the availability and
scalability of an organization’s application infrastructure. Nonetheless, enterprises that persist in using
such products run the risk of exposing themselves and their customers to increasingly poor application
performance and a seemingly endless stream of application-layer security threats.

One option to overcome these shortcomings would be to implement additional, standalone devices that
address each of the underlying issues. However, a much more efficient and effective approach is to
replace old server load balancers with new Application Delivery Controllers. These tightly integrated
appliances not only provide core load-balancing capabilities, but also deliver the highest levels of security
and performance for today’s business-critical Web applications. Furthermore, the eight criteria detailed
in this paper can be used to help ensure that enterprises select a solution that is truly best of breed.


www.citrix.com

About Citrix

Citrix Systems, Inc. (Nasdaq:CTXS) is the global leader and the most trusted name in application delivery infrastructure. More than
200,000 organizations worldwide rely on Citrix to deliver any application to users anywhere with the best performance, highest
security and lowest cost. Citrix customers include 100% of the Fortune 100 companies and 99% of the Fortune Global 500, as well
as hundreds of thousands of small businesses and prosumers. Citrix has approximately 6,200 channel and alliance partners in
more than 100 countries. Annual revenue in 2007 was $1.4 billion.

©2008 Citrix Systems, Inc. All rights reserved. Citrix®, AppCache™, Citrix EdgeSight™ and Citrix NetScaler® are trademarks of Citrix Systems, Inc. and/or one or more of
its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are
property of their respective owners.
