What is the point of the Netscaler appliance?
We run XenDesktop 7.16 and have 30 servers end users are able to access to do daily tasks. They are primarily all in offices connected via our WAN. The Receiver is configured to connect to the StoreFront server to broker the desktop session. We have some remote users who do not sit on the WAN nor VPN and so we have set up a NetScaler appliance to allow them access via a web-facing portal. Should all users (those on WAN, VPN and remote) be connected through the NetScaler? Is there any benefit to this, or to connecting directly to the SF server?
Presumably your StoreFront server is domain-joined.
A domain-joined machine that is public-facing out to everyone should start ringing alarm bells.
Are your session hosts also accessible externally?
We use it for load balancing of all XenApp servers and also use it for determining if we present a 2FA or 1FA login screen depending on the client machine’s network location/address. We use it mainly for security and the load balancing and also have XenMobile tied to it too.
Our XA/XD setup is mainly used by external users who want to work from a home PC, be it a Mac or Linux or Windows.
Primary use case is external access. But you have additional options: portal customization, EPA scans, load balancing StoreFront + XML, and just handling SSL transactions better, to name a few.
External users are not able to connect directly to a StoreFront server externally. NetScaler allows for remote connections. You utilize the ICA proxy for remote access. This limits users to only specific desktops and/or resources (it is possible to configure similar policies on a VPN too).
A NetScaler can also be used to intelligently load balance StoreFront, XML, PVS, and other traffic (smarter than DNS round robin).
Thanks for the info, all. Appreciate it.
Right, I guess I was more asking if it was necessary to use NetScaler within the network or if connecting directly to StoreFront was a better option.
Externally I understand that NetScaler is required.
Neither StoreFront nor hosts are accessible externally.
Ah well - internally - you don’t need one. Yes, you could use one, but it's not required.
The value I’ve realised fronting everything with the NetScaler is that:
- It's able to remove script comments and clean up HTML. This is handy if you’ve heavily modified StoreFront.
- Adaptive delivery. NetScaler has a bunch of ICA delivery optimizations like adaptive transport. F5s will also perform this functionality as an alternative.
If you have VPN with DNS set up properly, you don’t technically need a NetScaler, if you need remote access. You can use most any load balancer in front of multiple StoreFront servers, if you need redundancy.
If you want access outside the network without your own VPN, you’ll need a NetScaler.
It does give you the ability to collect more network data from those sessions. For example, if you have a lot of ‘internal’ users (to your network) but they are spread out in branch locations, it might be useful to monitor their connection latency and other information. Since the NS is able to crack open and examine ICA data, it could help to give you better analytics. Usually it isn’t needed though.
Or, if you need to break off a part of your internal network for PCI compliance, you can use the NS as a point of entry into that environment.
Completely agree. Combine it with a MAS or ADM, as we now need to know it, and there's lots of good data to be had.
That's actually what prompted this question. We have 50-75 users who connect externally through the NetScaler. Today I started looking into setting up MAS as a way to collect more data on the remote users. A lot of the comments and articles seem to refer to the NetScaler being used internally as well. That makes sense: if MAS is the only way to collect that data, then you need to use NS.