Jump to content

Recommended Posts

Posted

 

This year has brought many changes for Citrix Service Providers (CSP). Since the program’s inception in 2008, the CSP program has allowed service providers globally to deliver value to their customers through service offerings built around Citrix and NetScaler technology. Having grown to 2 million active users serviced by our CSP partners in 2023, our CSP program was due for an update to help partners adapt to current market trends. Citrix Universal Hybrid Multi-Cloud for CSP is the next phase in the CSP program and includes NetScaler Flexed licensing to support existing and new partner use cases.

Focused on Service Providers

The CSP program was built to serve SMB and mid-market customers via Citrix Service Providers. Our CSP partners have the knowledge, skill set, and scale to empower customers with service offerings that cater to their business needs. With this in mind, our program teams developed Citrix Universal Hybrid Multi-Cloud for CSP to increase stability for partners through an annual commit model, simplify 1000s of SKUs to just 2 SKUs, and add value through an increase in capacity and capabilities. 

As part of this transformation, we learned that this model is not a good fit for some of our CSP partners. To account for this, we announced a new strategic partnership with Arrow that will allow those partners to take advantage of a program that is better adapted to their customer’s specific needs. For more information on this topic, please read this blog by Citrix VP of Channel Programs, Ethan Fitzsimons.

Thanks for the update, where’s the technical stuff? ;)

Citrix Universal for CSP entitlements

Let’s start by discussing the entitlements that are delivered to partners with Citrix Universal for CSP. 

AD_4nXfJ_48YnI7sFtnrQoeDbGwsmzPHk9D0BzUuCG79NgM-n7BXv6y6_g-4j1uLL0g_epnGzUYAMU6EQJIyZWhDpfUoSyxFfjArfk3o411a8EU1lzJRIhm9QUcGvj_Q9yUj1SCY66uMc5NRJN284TDbeeqJ2a0Z?key=UUfjwEJJXxHTJv07P-O5Fg

Alt text: Graphic showing what buyers get with the Citrix Universal for CSP. This includes Citrix DaaS, Citrix Virtual Apps and Desktops, Citrix Endpoint Management, NetScaler, XenServer, and quantity information. 

Your Citrix Universal for CSP licensing is divided into three main groups. Keep in mind that license Editions are no longer a concern since all of your Citrix, NetScaler, and XenServer licenses are now Premium Edition. Also, please note that the new licenses are backwards compatible across supported versions.

  • Citrix Licensing: This includes Citrix DaaS, Citrix Virtual Apps and Desktops, and Citrix Endpoint Management. A license entitles a user to those three products, meaning, they are not separate licensing buckets, they could be considered “features” included as part of Citrix Universal for CSP, similar to other features like Citrix Policies, Workspace Environment Manager, or App Protection. The number of licenses you receive in this bucket is determined by your contract, and remember that there is an additional 15% buffer included in the licenses.
  • XenServer Licensing: As of June 2024, XenServer is now included with Citrix UHMC for CSP. This will allow you to host all your Citrix workloads and prevent you from having to pay for yet another platform that becomes part of your COGS. XenServer is optimized for Citrix workloads and Citrix Universal for CSP provides you with more XenServer per socket licenses than you'll need for your Citrix environment, allowing it to be used elsewhere.
  • NetScaler Flexed Licensing: Here, things get interesting; Your NetScaler Flexed licensing is considered “a separate entitlement”. This means that regardless of the number of Citrix Universal licenses you purchased, you receive 999 instances for each form factor (VPX, VPX FIPS, SDX, and MPX) and 1 Tbps of bandwidth to power those instances. Additionally, NetScaler Console on-prem or as a service (formerly ADM) is now free for you to use to manage and monitor your NetScaler environments; NetScaler Console is a great resource that allows you to streamline management and analytics for your NetScaler portfolio. 

What’s new with NetScaler Flexed licensing?

With the new NetScaler Flexed licensing, all licenses are now Premium across the board, so you no longer have to worry about license editions and features when provisioning licensing for your customer environments. With the legacy CSP licensing, NetScaler licensing was managed directly on the VPX appliance, and the license file included both the Edition - Standard, Advanced, and Premium - and a fixed bandwidth. With NetScaler Flexed licensing, not only are all VPX instances Premium Edition, but you can also configure that amount of bandwidth needed in 10 Mbps increments, allowing you to right-size NS VPX to the bandwidth needed and not an arbitrary bandwidth limit.

The introduction of NetScaler Flexed changes the way NetScaler in CSP environments are licensed. In order for you to license your NetScaler deployments, you will need to deploy NetScaler Console, either the Citrix Cloud service, or the on-premises NetScaler Console server if you prefer self-managed. This means NetScaler licensing is no longer installed directly on the VPX appliances. Instead, NetScaler Console becomes your NetScaler license server. NetScaler Console is a value-packed management and analytics console that can help you perform daily administrative tasks, troubleshoot problems, identify security vulnerabilities and attacks, and track usage and utilization of NetScaler devices and their services. Check out the NetScaler Console and Flexed Licensing documentation for more information. 

If your customer wants to replace perpetual hardware with a newer appliance that is CSP licensed, they have a very cost effective way to do this. They can purchase a zero-capacity appliance, which now comes with a lifetime RMA included, and the zero-capacity hardware appliance can now be licensed via NetScaler Flexed licenses. Here’s a quick summary of the NetScaler specific license files that will be delivered to your CSP partner account with Citrix Universal Hybrid Multi-Cloud for CSP.

  • SW Instance license files: You will receive four (4) separate SW instance license files (999 instances each) for each form factor: VPX, VPX FIPS, MPX, and SDX. All of these licenses must be allocated and uploaded to NetScaler Console. Each device will be assigned an instance license at boot, and the instances available will automatically reflect the amount of instances in use. All of this is reported in your NetScaler Console licensing dashboard.
  • Bandwidth license file: This file holds your 1Tbps of bandwidth that you can allocate to a single or multiple NetScaler Console, both on-prem and cloud service. This license represents the total bandwidth available for allocation to a single or multiple NetScaler Consoles. Please note that NetScaler appliance bandwidth can now be allocated in 10Mb increments via NetScaler Console. Gone are the arbitrary bandwidth limited licenses - now you apply the bandwidth needed without restrictions. 
  • Zero Capacity license files: Yes, you can now license NetScaler hardware with your Flexed licensing. You will see two (2) zero capacity platform license files, which are intended to be used with SDX and MPX zero-capacity physical appliances only. These licenses are installed on the appliances and not the NetScaler Console, and enable the hardware platform to be used with NetScaler Flexed licensing.

Note: Our licensing documentation does a great job at explaining NetScaler Flexed licensing and how the various license files are applied. While we understand this is a change to your current NetScaler architecture, transitioning to NetScaler Console will allow you to unlock the true potential of NetScaler Flexed licensing, and greatly simplify how licenses are applied; No more generating license files to individual appliances. I encourage you to engage your CSP Account Technology Strategist (ATS) if you need assistance with the transition to NetScaler Flexed.

Adoption is the key to growing your managed business

One of the goals for NetScaler Flexed licensing is to add value by providing increased capacity and capabilities so that you can grow beyond the Citrix Gateway use case. The feature set included in NetScaler Premium Edition allows our CSP partners to build a variety of load-balancing, secure access, and managed security offerings that can easily adapt to customer requirements, while also providing the flexibility to drive increased adoption at scale.

NetScaler Flexed was created with the intention to allow our CSP partners to go beyond the Citrix Gateway use case. The goal is to allow you to create new use cases and increase adoption by solving new problems, and exploring new solutions that you can offer to your customers. There is no additional cost when adding NetScaler services in your environment because with NetScaler Flexed you already have all the features and functionality, you just need to enabled and configure them for your customer use cases.

  • Secure access
    • Handle all of your customer’s secure remote access requirements through a single access solution, delivered via NetScaler. Whether it’s access to Citrix Virtual Apps and Desktops, RDP, and even PCoIP, NetScaler Gateway can provide a secure access solution on a single platform. 
    • NetScaler allows you to build a multi-IDP solution with support for Single Sign-On (SSO), so that regardless of the IdP your customer is using, you can seamlessly integrate their authentication methods into your solution.
    • nFactor brings a powerful authentication engine for complex authentication scenarios. You can provide different auth flows for different personas (employee vs contractor). You can quickly integrate multiple authentication flows from multiple companies to facilitate M&A activity. You can provide a fallback authentication mechanism in the event that a customer loses a token. These are just a few of the many scenarios where nFactor can deliver a single solution for complex authentication requirements. 
  • Highly available workloads
    • The NetScaler load-balancing solution is used by some of the largest sites on the internet; Now you can leverage this same technology to make your customer’s applications highly available, and ensure availability and performance at scale. 
    • You can leverage the power of Global Server Load Balancing (GSLB) to deliver business continuity and increase application performance across regions for all your customers regardless of their location. GSLB can be leveraged in active/passive for DR-only locations. Also, you can leverage GSLB in active/active mode to ensure the best experience for customers across regions and provide an always-on experience even in the event of an outage or planned maintenance.
    • NetScaler Console includes StyleBooks, which are a powerful set of API-driven configurations for applications that ensure consistent configurations across your managed NetScaler portfolio. You can use the built-in StyleBooks, or create your own StyleBooks customized for you and your customers’ use cases. There are StyleBooks to configure Office 365 SSO and Google Apps SSO, Web Application Firewall (WAF), Bot Management, API Protection, and Oracle e-business suite, just to name a few of the 48 built-in StyleBooks. And there are many more community-built StyleBooks on GitHub. 
  • Secure services 
    • Managed security offerings are no longer an option for businesses of all sizes; NetScaler allows you to build and enhance your managed security services for your customers and helps you capture market share and retain customers. You can leverage some or all of the security features to add managed security to your current offerings.
    • Secure customer web applications and your remote access gateways with NetScaler Web App Firewall (WAF), IP Reputation, and Bot Management. WAF helps you defend against both known attacks with signatures and unknown attacks with behavioral protection. 
    • Block countries and entire regions that are outside of your service area to reduce your attack surface.
    • Protect against SQL injection and cross-sites scripting.
    • Secure DNS services and protect against DoS attacks. 
    • Keep your NetScaler appliances safe with NetScaler File Integrity Monitoring and Security Advisory.

Additionally, NetScaler Console is a value-packed management and analytics console that can help you perform daily administrative tasks, troubleshoot problems, identify security vulnerabilities and attacks, and track usage and utilization of NetScaler devices and their services, among many other features. Here is an abbreviated list of NetScaler Console features.

One of the features that I believe is very valuable for all NetScaler environments is the Security Advisory feature. The Security Advisory feature in the NetScaler Console serves as a powerful tool for bolstering the security of your NetScaler infrastructure. It streamlines the process of identifying and mitigating vulnerabilities, centralizes vulnerability notifications, and facilitates proactive security management. Let’s take a closer look at the benefits of using Security Advisory.

  • Vulnerability Assessment and Mitigation: Security Advisory acts as your vigilant guardian, continuously scanning your NetScaler instances for known Common Vulnerabilities and Exposures (CVEs). It doesn't merely point out the issues, but also offers step-by-step guidance on how to remediate them, thus empowering you to proactively address potential threats before they escalate.
  • Centralized Security Hub: Think of the Security Advisory dashboard as your security command center. It presents a unified view of all identified CVEs across your NetScaler deployment, irrespective of their number or location. You can readily prioritize vulnerabilities based on their severity and potential impact, ensuring the most critical ones get addressed first.
  • Historical Tracking and Knowledge Base: Security Advisory maintains a detailed scan log, allowing you to review past scans and their findings. In addition, it features a built-in CVE repository, acting as your go-to knowledge base for information on known NetScaler vulnerabilities. You can consult it to understand the specifics of each CVE, including its potential consequences and recommended mitigation strategies.
  • Proactive Security Posture: By continuously monitoring for and addressing known CVEs, Security Advisory enables you to maintain a proactive security posture. It helps you stay ahead of potential threats and minimize the risk of exploitation, thereby safeguarding your applications and data.

Scope and Limitations: It's crucial to recognize that Security Advisory's current focus is solely on identifying and addressing CVEs. While it excels at this, it doesn't currently extend its purview to detect misconfigurations or broader security issues. Additionally, its current support is limited to main builds and doesn't cover special builds or Admin partitions.

Security Advisory offers a powerful and efficient way to enhance your security. By proactively identifying and addressing vulnerabilities, it empowers you to maintain a robust security posture, protect your critical assets, and streamline your security management efforts.

Another powerful item in NetScaler Console is the Actionable Tasks and Recommendations feature. The Actionable Tasks and Recommendations feature within the NetScaler Console serves as a proactive assistant for network administrators, offering intelligent insights and guidance to optimize NetScaler configurations and operations. It does so by analyzing various aspects of your NetScaler deployment, including:

  • Configuration Settings: It evaluates your existing configuration settings against established best practices and industry standards. It identifies potential misconfigurations, security risks, or performance bottlenecks that might be lurking in your setup and provides suggestions to optimize your NetScaler configurations for maximum efficiency and responsiveness
  • Usage Patterns: It observes how your NetScaler instances are being utilized. It identifies underutilized resources, traffic patterns that might indicate suboptimal routing, or potential capacity constraints that could impact performance and helps you address potential issues before they impact your users or applications
  • Security Posture: It assesses the overall security of your NetScaler deployment and identifies potential vulnerabilities, outdated software versions, or weak configurations that might expose you to security risks. The console will then give you suggestions to improve your security posture and reduce the risk of breaches.

Scope and Limitations: While the feature covers a wide range of potential issues, it's not exhaustive. There might be some edge cases or specific scenarios that it doesn't address. Please make sure to complete your due diligence to avoid exposure. While the recommendations are designed to be actionable, implementing some of them might require a certain level of technical expertise.

Overall, the Actionable Tasks and Recommendations feature is a valuable tool for any NetScaler administrator. It provides intelligent insights and guidance that can help you optimize your NetScaler deployment, enhance security, and improve performance.

Another valuable feature of NetScaler Console is the SSL Dashboard. The NetScaler Console SSL Dashboard offers a centralized view and comprehensive insights into the SSL/TLS environment of a Citrix NetScaler deployment. Key benefits include:

  • Real-time visibility into SSL/TLS traffic:
    • Active SSL connections, throughput, errors, and SSL handshake failures are shown in real-time
    • Helps identify bottlenecks and potential security issues quickly
  • SSL certificate and key management:
    • View certificate details, expiration dates, and associated virtual servers
    • Proactive alerts for certificate expiration prevents downtime
    • Centralized key management simplifies administrative tasks
  • SSL cipher suite and protocol insights:
    • Lists supported ciphers and protocols on your NetScaler
    • Helps ensure compliance with industry best practices and regulatory standards
    • Enables quick adaptation to new vulnerabilities or changes in standards
  • SSL offloading and hardware acceleration statistics:
    • Track SSL offloading performance for different virtual servers
    • Validate the effectiveness of hardware acceleration in reducing server load
    • Optimizes resource allocation for better performance
  • Troubleshooting and performance optimization:
    • Historical trends of SSL-related metrics for root cause analysis
    • Identification of high error rates or performance issues
    • Enables proactive resolution and performance tuning

By offering a consolidated view of critical SSL/TLS metrics and configuration details, the dashboard simplifies management and enhances the security and performance of SSL/TLS-enabled services on Citrix NetScaler.

In summary, the NetScaler Console streamlines the management of your entire NetScaler portfolio through a single, unified interface. It simplifies complex tasks like configuring load balancing, troubleshooting Citrix connections, and ensuring a secure NetScaler environment. The console's real-time monitoring and analytics capabilities offer visibility into the health and performance of your applications, enabling you to proactively identify and address issues before they impact users.  Troubleshooting is also enhanced with historical data and detailed logs, allowing for quicker root cause analysis. Additionally, the NetScaler Console empowers you to strengthen security with features like Web Application Firewall management and SSL certificate tracking. This helps safeguard your applications from threats and vulnerabilities, and improves your security posture.

Commitment to innovation

NetScaler is committed to innovation that improves security, performance, and observability. The NetScaler Product Management teams have been working hard to innovate so that CSP partners can build flexible, scalable solutions with features and functionality that offer extraordinary value to customers. Aside from the two (2) NetScaler Console examples given above, Here are some of the new features delivered in NetScaler 14.1 firmware.

  • Security
    • Improved protection against TCP spoofing attacks: To strengthen the protection against TCP spoofing attacks, NetScaler is compliant with RFC-5961. With this compliance, NetScaler provides the following capabilities in addition to RST window attenuation and SYN spoof protection:
      • Reduces the probability of invalid data injection.
      • Allows imposing a limit on the number of challenge ACK responses per second sent by the NetScaler.
    • Rate limiting SSL renegotiations: Limits the number of renegotiation requests received on an SSL entity in one second.
    • Store Authentication Context Class Reference values: NetScaler configured as an on-premises IdP can store Authentication Context Class Reference (ACR) values provided by Citrix Workspace to support the Citrix multi-domain login feature of Citrix Workspace Platform. When Citrix Workspace sends the ACR values to the OAuth authorization endpoint of the NetScaler IdP, NetScaler stores the ACR values. You can use ACR values to determine the next factor in the nFactor flow.
  • Performance
    • TLS 1.3 protocol support on back-end services, service groups, and monitors:  Back-end services, service groups, and monitors now support the TLS 1.3 protocol when connecting to back-end servers making it possible to provide end-to-end TLS 1.3 connections.
    • Backup VPX partitions: You can now back up and restore the following properties of VPX partitions during the backup and restore of NetScaler SDX: 
      • Responder file
      • Partition MACs
  • Observability
    • Splunk integration: Export the events generated on NetScaler to Splunk, and use the Splunk dashboard to visualize the exported data to get meaningful insights.
    • Compressed core dumps for NetScaler BLX: NetScaler BLX generates compressed core dumps if the core-dumps parameter is enabled in the NetScaler BLX configuration file (blx.conf).
    • Support for an extended StoreFront monitor: Supports extended StoreFront monitor that can simulate the authentication and app enumeration on the Citrix StoreFront store on behalf of a test user account. This account is pre-configured and enabled for the purpose of monitoring.

Learn more about the enhancements delivered with NetScaler 14.1 firmware in our community article

Commitment to CSP partners

As we move forward, the transition to NetScaler Flexed licensing empowers partners to deliver even greater value to their customers with the enhanced capacity and capabilities included in NetScaler Flexed licensing. By expanding the number of possible service offerings with NetScaler, CSP partners are now better positioned to deliver availability, access, and security services to businesses in the rapidly evolving service provider space. NetScaler Console makes it easier than ever to streamline operations, shorten the time to resolve problems, and provide a robust and secure environment for you and your customers. 

Please reach out to your Account Technology Strategist and the account team today to start a conversation on how we can help you create new services and grow your business with NetScaler.

Key takeaways:

Licensing Update: Citrix launched Universal Hybrid Multi-Cloud for Citrix Service Providers, simplifying licensing and boosting stability with an annual commit model.

NetScaler Flexed Licensing: Offers 999 instances per form factor, 1 Tbps bandwidth, and centralized management via NetScaler Console for easier license application.

Service Provider Solutions: CSPs can offer scalable services tailored to customers, including secure access, multi-IDP integration, and advanced load balancing features.

Security & Performance: NetScaler Console enhances security and performance with proactive vulnerability management and new features in version 14.1 firmware.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...