F5 to NetScaler Migration

I recently had the opportunity to participate from start to finish as the primary technical resource in a project with the goal of completely phasing out a physical F5 solution, migrating the entire configuration and all applications to a NetScaler solution.

I was also expected to design and implement the solution and to improve and modernize the configuration. The customer requested a fully virtual solution that they could implement in their global VMware-based hypervisor environment. A much more flexible deployment of load balancers could be easily achieved, since the customer had recently acquired a Universal Hybrid Multi Cloud (UHMC) license which entitled them to 1000 units of NetScaler and a terabit of bandwidth throughput.

There were approximately 300 unique applications that needed to be managed in some way in the project. In the F5 solution, there was an externally accessible instance and a completely internal instance to be able to distinguish between external traffic from the internet versus internal load balancing that was only reachable via the internal network.

Given the size of the company with about 13,000+ employees globally and X number of external partners, I decided to keep the concept of external and internal load balancing segregated in different logical units.

So instead of having just two physical units in Sweden, I could now deploy virtual appliances suited for Production or QA/Test, external or internal connectivity and in all three geographically dispersed datacentres.

In the F5 solution, 15 public IP addresses were used in the external instance. In the internal instance, 41 IP addresses were used.

However, NetScaler is much more flexible than F5 when it comes to consolidating web applications. In the NetScaler solution, we were then able to use 6 public IP addresses and only 10 internal IP addresses. It could have been even fewer if I had not chosen to segregate Production from QA/Test. How did that happen? Let me explain some vital differences between F5 and NetScaler.

In F5, there is no real equivalent to NetScaler's Content Switching, which is a very popular and useful feature. There are also no completely logical virtual load balancers in F5 that do not need an IP address, but there are in NetScaler, i.e. non-addressable load balancing virtual servers.

So, when you create a standard HTTPS VIP in F5 and at the same time plan to use this same VIP for multiple applications available over HTTPS, you will need to create an iRule, which is basically a script containing a lot of code.




 

On top of this, if you then also need to redirect certain requests or rewrite headers or URLs, all that config needs to be coded into that same iRule. So, let's say you have around 100 applications with individual needs for rewrites, redirects and different persistence configurations. This will become a very long iRule, which is hard to get an overview of and difficult to maintain. You are likely to need a script around 700 rows long.

This is not at all the same challenge with NetScaler.

We can create a content switching virtual server for the HTTPS protocol. We can link separate policies, mainly identifying the host headers, to route traffic to the applications.




So, every application can have its own logical non-addressable load balancing server. In every one of these we can granularly configure redirects, rewrites, persistence settings and load balancing methods.



You can also attach content switching policy labels to each and every one of these policies for even more advanced traffic management.

So, with that said, all of this can be easily configured and managed through the GUI or CLI. There is no need to manage a very long script to achieve the same thing. We can also configure specific authentication and SSO methods at the exact same level of granularity, even though it was not needed in this project.
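The layout described above, written out as NetScaler CLI configuration. This is an added example, not configuration from the original post or the project; every name, hostname, IP address and the certificate key `ck_wildcard_example` (assumed to be installed already) is a constructed placeholder.

```netscaler
# Constructed example: all names, hostnames and addresses are placeholders.

# Backend servers and one service group per application
add server srv_app1_a 10.0.10.11
add server srv_app2_a 10.0.20.11
add serviceGroup sg_app1 HTTP
add serviceGroup sg_app2 HTTP
bind serviceGroup sg_app1 srv_app1_a 8080
bind serviceGroup sg_app2 srv_app2_a 8080

# Non-addressable load balancing virtual servers (IP 0.0.0.0, port 0):
# each application gets its own LB method and persistence, and no VIP is used
add lb vserver lb_vs_app1 HTTP 0.0.0.0 0 -lbMethod LEASTCONNECTION -persistenceType COOKIEINSERT
add lb vserver lb_vs_app2 HTTP 0.0.0.0 0 -lbMethod ROUNDROBIN -persistenceType SOURCEIP
bind lb vserver lb_vs_app1 sg_app1
bind lb vserver lb_vs_app2 sg_app2

# A redirect that applies to app1 only, bound to app1's LB virtual server
add responder action rs_act_app1_root redirect "\"/portal/\""
add responder policy rs_pol_app1_root "HTTP.REQ.URL.PATH.EQ(\"/\")" rs_act_app1_root
bind lb vserver lb_vs_app1 -policyName rs_pol_app1_root -priority 100 -gotoPriorityExpression END -type REQUEST

# The only addressable object: one HTTPS content switching virtual server
add cs vserver cs_vs_https SSL 203.0.113.10 443
bind ssl vserver cs_vs_https -certkeyName ck_wildcard_example

# Host-header policies route each request to its application's LB virtual server
add cs action cs_act_app1 -targetLBVserver lb_vs_app1
add cs action cs_act_app2 -targetLBVserver lb_vs_app2
add cs policy cs_pol_app1 -rule "HTTP.REQ.HOSTNAME.EQ(\"app1.example.com\")" -action cs_act_app1
add cs policy cs_pol_app2 -rule "HTTP.REQ.HOSTNAME.EQ(\"app2.example.com\")" -action cs_act_app2
bind cs vserver cs_vs_https -policyName cs_pol_app1 -priority 100
bind cs vserver cs_vs_https -policyName cs_pol_app2 -priority 110
```

Because only `cs_vs_https` has an address, the firewall rule for both applications covers a single IP and port, and onboarding another application adds one LB virtual server and one policy binding rather than another VIP.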

So, as I see it, when migrating from F5 to NetScaler, one of the low-hanging fruits is that you can improve the configuration and end up with a much more consolidated one. This helps you be more agile, simplifies automation, simplifies the security part, enables you to create tighter firewall rules and could also enable an effective large-scale integration with CDN services...

On top of that, NetScaler has very good support for all common hypervisors and all major public clouds. All the appliances can be monitored, managed and centrally licensed from the NetScaler Console.


Some people say NetScaler is more difficult to learn than F5. I say that is not at all true, and the GUI in the NetScaler is a lot more intuitive, helping you to do the right thing. One helpful companion is the Expression Editor, which can be reached from most parts of the GUI and helps you create the expressions that are needed from a simple drop-down menu. There is no built-in equivalent to this in F5.



Maybe you want to migrate your F5 solution to a modern and consolidated NetScaler solution as well? At the same time, with the right license there are big cost savings to be made.

