15 Nov

Highlights of NetScaler 14.1 release features and enhancements.

NetScaler is excited to announce that the recently launched NetScaler version 14.1 is packed with many new features and enhancements that will be highly beneficial.

Take a look at some of the key highlights.


  • Improved protection against TCP spoofing attacks - To strengthen the protection against TCP spoofing attacks, NetScaler is compliant with RFC-5961. With this compliance, NetScaler provides the following capabilities in addition to RST window attenuation and SYN spoof protection:
    • Reduces the probability of invalid data injection.
    • Allows imposing a limit on the number of challenge ACK responses per second sent by the NetScaler.
  • Rate limiting SSL renegotiations - Limits the number of renegotiation requests received on an SSL entity in one second.
  • Store Authentication Context Class Reference values - NetScaler configured as an on-premises IdP can store Authentication Context Class Reference (ACR) values provided by Citrix Workspace to support the Citrix multi-domain login feature of Citrix Workspace Platform. When Citrix Workspace sends the ACR values to the OAuth authorization endpoint of the NetScaler IdP, NetScaler stores the ACR values. You can use ACR values to determine the next factor in the nFactor flow.


  • Splunk integration - Export the events generated on NetScaler to Splunk, and use the Splunk dashboard to visualize the exported data to get meaningful insights.
  • Compressed core dumps for NetScaler BLX - NetScaler BLX generates compressed core dumps if the core-dumps parameter is enabled in the NetScaler BLX configuration file (blx.conf).
  • Support for an extended StoreFront monitor - Supports an extended StoreFront monitor that can simulate authentication and app enumeration on the Citrix StoreFront store on behalf of a test user account. This account is pre-configured and enabled for the purpose of monitoring.


  • Backup VPX partitions - You can now back up and restore the following properties of VPX partitions during the backup and restore of NetScaler SDX.
    • Responder file
    • Partition MACs
  • TLS 1.3 protocol support on back-end services, service groups, and monitors - Back-end services, service groups, and monitors now support the TLS 1.3 protocol when connecting to back-end servers.


  • View SSL rating of an application - You can review SSL issues and upgrade the application to obtain an A+ rating.
  • Web Insights
    • You can now understand the percentage distribution received based on the total requests for the selected duration for the following metrics:
      • Clients
      • Servers
      • Geo Locations
      • URLs
    • You can drill down any metric and also export the required data from any widget.
    • An administrator can view the complete graph, including the nil values. Earlier, nil values were skipped in the graph.
  • Stylebooks
    • The "replace ()" built-in function can also accept the list of the following built-in types:
      • "String"
      • "ipaddress"
      • "tcp-port"
      • "number"
      • "boolean"
    • The built-in functions support the multiple () function.
    • As an administrator, you can restrict user groups from accessing configuration packs created by other user groups.


  • NetScaler SDX 9100 license enhancements
    • A new license limit of 60G.
    • The license limit is increased from 30G to 95G.

To learn more about the NetScaler 14.1-4.x release enhancements, see ADC Release Notes and ADM Release Notes.

Overview of the new features that were delivered as part of NetScaler 14.1

1. TLS Enhancements: 

TLS Handshakes are computationally expensive. 

TLS Handshake Renegotiation occurs when:

  • A session has expired.
  • A long-life session key is renewed.
  • Client certificate mutual authentication is performed.

Bad actors can overwhelm the infrastructure by sending a high volume of renegotiation requests. Prior to version 14.1, the only option was to turn renegotiation on or off. With this enhancement, renegotiations can be rate limited without limiting any other part of the TLS transaction.

2. TLS 1.3 Backend Support Across All Platforms:

TLS is a cryptographic protocol that provides end-to-end security for data sent between applications over the internet. It is used for secure web browsing, email, file transfers, video/audio conferencing, instant messaging, DNS, etc.

Before the 14.1 release, NetScaler supported TLS 1.3 only on the frontend. The 14.1 release adds backend support as well, making TLS 1.3 end to end.

3. Improved TCP’s Robustness to Blind In-Window Attacks 

In addition to its protection against TCP spoofing attacks such as the TCP Reset Attack and the TCP SYN Flood Attack, 14.1 is RFC 5961 compliant, which gives NetScaler the following capabilities:

  • Reduces the probability of false data injection attacks.
  • Allows imposing a limit on the number of challenge ACK responses sent per second (/s) by the NetScaler.
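
The RFC 5961 behaviour described here and in the highlights list (a challenge ACK for an inexact RST, for a SYN on a live connection, and for an out-of-range ACK value, with a per-second cap on those replies) is modelled below. This is an added example, not NetScaler code; the function names, dictionary fields and the sample connection state are assumptions made for the illustration.

```python
# Added illustration of RFC 5961 segment handling; not NetScaler code.
MOD = 1 << 32  # TCP sequence numbers wrap at 2**32

def ahead(value, base):
    """How far `value` is ahead of `base` in 32-bit sequence space."""
    return (value - base) % MOD

class ChallengeAckLimiter:
    """Caps challenge ACKs per one-second window (RFC 5961 section 7)."""
    def __init__(self, per_second):
        self.per_second, self.second, self.sent = per_second, None, 0

    def allow(self, now):
        if int(now) != self.second:          # new second: reset the budget
            self.second, self.sent = int(now), 0
        if self.sent >= self.per_second:
            return False
        self.sent += 1
        return True

def classify(seg, conn, limiter, now):
    """Decide what an ESTABLISHED connection does with an inbound segment.

    Returns 'reset', 'challenge_ack', 'drop', or 'accept' (checks passed,
    normal TCP processing continues).
    """
    def challenge():
        # Over budget: discard the segment without replying.
        return "challenge_ack" if limiter.allow(now) else "drop"

    in_window = ahead(seg["seq"], conn["rcv_nxt"]) < conn["rcv_wnd"]
    if "RST" in seg["flags"]:                # section 3.2
        if not in_window:
            return "drop"
        return "reset" if seg["seq"] == conn["rcv_nxt"] else challenge()
    if "SYN" in seg["flags"]:                # section 4.2: any sequence number
        return challenge()
    # Section 5.2: SND.UNA - MAX.SND.WND <= SEG.ACK <= SND.NXT
    low = (conn["snd_una"] - conn["max_snd_wnd"]) % MOD
    if ahead(seg["ack"], low) > ahead(conn["snd_nxt"], low):
        return challenge()
    return "accept"

# Constructed connection state for the example.
CONN = {"rcv_nxt": 1000, "rcv_wnd": 500,
        "snd_una": 5000, "snd_nxt": 5200, "max_snd_wnd": 1000}
```

Only an RST whose sequence number equals RCV.NXT exactly tears the connection down, so a blind sender has to guess one value in 2^32 rather than any value inside the receive window.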

4. One-touch SSL A+ rating workflow in ADM On-Prem: 

With this, customers can upgrade non-A+ rated apps to A+ with a single touch and:

  • Meet organizational compliance.
  • Reduce time and operational overhead to fix SSL profile deviations.
  • Excel at Scale - Upgrade A+ profiles of apps at scale in minutes and not hours.

5. Single Pane Overview Dashboard for ADM On Prem: 

This Dashboard hosts all key metrics and golden signals across:





A segue into drill-down dashboards is available. Admins can apply filters to narrow the scope to critical entities or apps. This dashboard is very popular in ADM Service and is now available in ADM On Prem.

6. Export ADM On Prem events and system metrics to Splunk with Dashboard:

NetScaler admins can take advantage of this feature and view:

  • Trend of system performance over time
  • History of events with severity like Critical, Major, Warning
  • Critical and Major events that are currently active

For more information, please refer to the 14.1 release notes and latest 13.1 release notes.
