One of the key value propositions of XenClient is the remote image and device management capability of XenClient Synchronizer, the management server for XenClient devices. Synchronizer enables customers to centrally create, manage and update images for delivery to endpoints, where each image executes locally. Synchronizer also lets administrators specify client-side policies and lets users back up their images.
A key use case for these capabilities is centralized image management for mobile users. A common question from customers with mobile users who travel, or who otherwise work outside the office, is: what is the best way to expose the Synchronizer to the public Internet? Our response to date has been to offer three options:
Option A: Port forwarding: forward requests on port 443 from the edge (firewall) to the Synchronizer.
Option B: Put the Synchronizer in the DMZ.
Option C: No access to the Synchronizer from outside the corporate network; users must be in the office to get image updates and new images and to upload their backups.
Each of these options has pros and cons, but we will save that detail for another blog post. The biggest issue with the port forwarding and DMZ scenarios is that the Synchronizer is reachable from the Internet, so you need to ensure you have some form of network intrusion detection/prevention system in front of it.
Conveniently, Citrix NetScaler coupled with Synchronizer can offer up a nice solution as well. Many customers have asked: “Can I leverage my NetScaler implementation with Synchronizer?” The simple answer is: “Yes!”
Now you ask: how?
Leveraging NetScaler SSL Offloading with End-to-End Encryption or NetScaler SSL Bridging gives you the ability to expose a Synchronizer to the public Internet with a little more peace of mind. With NetScaler in the fold, you now have a few more options to consider:
Option D: NetScaler SSL Offloading with End-to-End Encryption ensures the communication from the XenClient Engine to the Synchronizer is encrypted on both legs. NetScaler terminates the client's SSL session; with End-to-End security configured, it re-encrypts the decrypted data and uses a separate secure SSL session to communicate with the Synchronizer, so the traffic is never sent in the clear. In parallel, you gain some scalability because the NetScaler, rather than the Synchronizer, carries the SSL encryption/decryption load.
Option E: NetScaler SSL Bridging enables the appliance to bridge all secure traffic directly to the web server. In this scenario NetScaler does not offload or accelerate the bridged traffic, whereas SSL Offloading with End-to-End Encryption does. This option is simple and adds a layer of network security for those who do not need the offload feature.
Both scenarios can protect you against network-level attacks such as SYN floods and HTTP DoS attacks. You can also use NetScaler Access Control Lists (ACLs) to restrict the traffic further. Finally, you can use features like Surge Protection and Rate Limiting to control inbound connections and prevent overloading the Synchronizer.
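As an added example, not part of this post and not Citrix's published configuration, here is how Options D and E and the hardening features just listed map onto NetScaler CLI objects. The object names, the public VIP addresses (203.0.113.10 and 203.0.113.11), the internal Synchronizer address (10.0.0.50) and the certificate file names are placeholders chosen for this example. The point to notice is that Option D creates the back-end service with protocol SSL (so NetScaler re-encrypts toward the Synchronizer) and binds a certificate to the virtual server, while Option E uses SSL_BRIDGE for both objects and binds no certificate because nothing is terminated on the appliance.

```text
# Added example: NetScaler CLI sketch for Option D (SSL offload with end-to-end
# encryption) and Option E (SSL bridging). All names and addresses are placeholders.

# Features used below (LB, SSL, Surge Protection, Responder).
enable ns feature LB SSL SP RESPONDER

# --- Option D: SSL Offloading with End-to-End Encryption ---------------------
# Back-end service uses protocol SSL, not HTTP, so the leg to the Synchronizer
# is re-encrypted rather than sent in clear text.
add service svc_sync_ssl 10.0.0.50 SSL 443

# Certificate presented to XenClient Engines (placeholder file names).
add ssl certKey ck_sync -cert sync-public.crt -key sync-public.key

add lb vserver vs_sync_offload SSL 203.0.113.10 443
bind lb vserver vs_sync_offload svc_sync_ssl
bind ssl vserver vs_sync_offload -certkeyName ck_sync
# Because NetScaler terminates the client session here, protocol hygiene is
# decided on the appliance; disabling SSLv3 on the vserver is one such setting.
set ssl vserver vs_sync_offload -ssl3 DISABLED

# --- Option E: SSL Bridging ---------------------------------------------------
# Traffic passes through unterminated: SSL_BRIDGE on both objects, no certificate
# bound, and NetScaler cannot inspect HTTP inside the tunnel.
add service svc_sync_bridge 10.0.0.50 SSL_BRIDGE 443
add lb vserver vs_sync_bridge SSL_BRIDGE 203.0.113.11 443
bind lb vserver vs_sync_bridge svc_sync_bridge

# --- ACLs: accept only TCP/443 to the VIPs, drop everything else to them ------
# Rules are evaluated in priority order (lower number first).
add ns acl acl_sync_allow_443 ALLOW -destIP 203.0.113.10-203.0.113.11 -protocol TCP -destPort 443 -priority 10
add ns acl acl_sync_deny_rest DENY -destIP 203.0.113.10-203.0.113.11 -priority 20
apply ns acls

# --- Surge Protection: queue connection spikes instead of passing them through -
set service svc_sync_ssl -sp ON
set service svc_sync_bridge -sp ON

# --- Rate Limiting (Option D only) -------------------------------------------
# NetScaler sees HTTP requests on the offload vserver but not inside SSL_BRIDGE.
# Drop requests once a client exceeds 100 per 1000 ms time slice.
add ns limitIdentifier lim_sync -threshold 100 -timeSlice 1000 -mode REQUEST_RATE -limitType BURSTY
add responder policy pol_sync_ratelimit "SYS.CHECK_LIMIT(\"lim_sync\")" DROP
bind lb vserver vs_sync_offload -policyName pol_sync_ratelimit -priority 100 -gotoPriorityExpression END -type REQUEST
```

Surge Protection works at the connection level and therefore applies to both options, whereas the request-rate policy depends on NetScaler seeing HTTP, which is only the case when it terminates SSL (Option D). In an actual deployment the thresholds, the certificate and the VIP addresses would of course come from your own environment.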
Next you ask: “How do you configure these various NetScaler options with a Synchronizer?”
Over the next few weeks, I will write a series of blog posts and publish two Technotes on the XenClient Support Site covering each of the configurations mentioned above and how to set them up. In the meantime, here is a support forum post to get you started.
Stay tuned and watch for more Synchronizer and NetScaler fun. If you want to learn more about NetScaler with Synchronizer, give the XenClient 4.5 Technology Preview a try. The Technology Preview is now available to existing XenClient, XenDesktop Enterprise and XenDesktop Platinum customers who are current on their Software Assurance contracts. For those of you who are not existing customers, you can try XenClient 4.1 here.
Join the conversation by connecting with the Citrix XenClient team online!