-
Getting Started with NetScaler
-
Deploy a NetScaler VPX instance
-
Optimize NetScaler VPX performance on VMware ESX, Linux KVM, and Citrix Hypervisors
-
Apply NetScaler VPX configurations at the first boot of the NetScaler appliance in cloud
-
Configure simultaneous multithreading for NetScaler VPX on public clouds
-
Install a NetScaler VPX instance on Microsoft Hyper-V servers
-
Install a NetScaler VPX instance on Linux-KVM platform
-
Prerequisites for installing NetScaler VPX virtual appliances on Linux-KVM platform
-
Provisioning the NetScaler virtual appliance by using OpenStack
-
Provisioning the NetScaler virtual appliance by using the Virtual Machine Manager
-
Configuring NetScaler virtual appliances to use SR-IOV network interface
-
Configure a NetScaler VPX on KVM hypervisor to use Intel QAT for SSL acceleration in SR-IOV mode
-
Configuring NetScaler virtual appliances to use PCI Passthrough network interface
-
Provisioning the NetScaler virtual appliance by using the virsh Program
-
Provisioning the NetScaler virtual appliance with SR-IOV on OpenStack
-
Configuring a NetScaler VPX instance on KVM to use OVS DPDK-Based host interfaces
-
-
Deploy a NetScaler VPX instance on AWS
-
Deploy a VPX high-availability pair with elastic IP addresses across different AWS zones
-
Deploy a VPX high-availability pair with private IP addresses across different AWS zones
-
Protect AWS API Gateway using the NetScaler Web Application Firewall
-
Configure a NetScaler VPX instance to use SR-IOV network interface
-
Configure a NetScaler VPX instance to use Enhanced Networking with AWS ENA
-
Deploy a NetScaler VPX instance on Microsoft Azure
-
Network architecture for NetScaler VPX instances on Microsoft Azure
-
Configure multiple IP addresses for a NetScaler VPX standalone instance
-
Configure a high-availability setup with multiple IP addresses and NICs
-
Configure a high-availability setup with multiple IP addresses and NICs by using PowerShell commands
-
Deploy a NetScaler high-availability pair on Azure with ALB in the floating IP-disabled mode
-
Configure a NetScaler VPX instance to use Azure accelerated networking
-
Configure HA-INC nodes by using the NetScaler high availability template with Azure ILB
-
Configure a high-availability setup with Azure external and internal load balancers simultaneously
-
Configure a NetScaler VPX standalone instance on Azure VMware solution
-
Configure a NetScaler VPX high availability setup on Azure VMware solution
-
Configure address pools (IIP) for a NetScaler Gateway appliance
-
Deploy a NetScaler VPX instance on Google Cloud Platform
-
Deploy a VPX high-availability pair on Google Cloud Platform
-
Deploy a VPX high-availability pair with external static IP address on Google Cloud Platform
-
Deploy a single NIC VPX high-availability pair with private IP address on Google Cloud Platform
-
Deploy a VPX high-availability pair with private IP addresses on Google Cloud Platform
-
Install a NetScaler VPX instance on Google Cloud VMware Engine
-
-
Solutions for Telecom Service Providers
-
Load Balance Control-Plane Traffic that is based on Diameter, SIP, and SMPP Protocols
-
Provide Subscriber Load Distribution Using GSLB Across Core-Networks of a Telecom Service Provider
-
Authentication, authorization, and auditing application traffic
-
Basic components of authentication, authorization, and auditing configuration
-
Web Application Firewall protection for VPN virtual servers and authentication virtual servers
-
On-premises NetScaler Gateway as an identity provider to Citrix Cloud
-
Authentication, authorization, and auditing configuration for commonly used protocols
-
Troubleshoot authentication and authorization related issues
-
-
-
-
-
-
Configure DNS resource records
-
Configure NetScaler as a non-validating security aware stub-resolver
-
Jumbo frames support for DNS to handle responses of large sizes
-
Caching of EDNS0 client subnet data when the NetScaler appliance is in proxy mode
-
Use case - configure the automatic DNSSEC key management feature
-
Use Case - configure the automatic DNSSEC key management on GSLB deployment
-
-
-
Persistence and persistent connections
-
Advanced load balancing settings
-
Gradually stepping up the load on a new service with virtual server–level slow start
-
Protect applications on protected servers against traffic surges
-
Retrieve location details from user IP address using geolocation database
-
Use source IP address of the client when connecting to the server
-
Use client source IP address for backend communication in a v4-v6 load balancing configuration
-
Set a limit on number of requests per connection to the server
-
Configure automatic state transition based on percentage health of bound services
-
-
Use case 2: Configure rule based persistence based on a name-value pair in a TCP byte stream
-
Use case 3: Configure load balancing in direct server return mode
-
Use case 6: Configure load balancing in DSR mode for IPv6 networks by using the TOS field
-
Use case 7: Configure load balancing in DSR mode by using IP Over IP
-
Use case 10: Load balancing of intrusion detection system servers
-
Use case 11: Isolating network traffic using listen policies
-
Use case 12: Configure Citrix Virtual Desktops for load balancing
-
Use case 13: Configure Citrix Virtual Apps and Desktops for load balancing
-
Use case 14: ShareFile wizard for load balancing Citrix ShareFile
-
Use case 15: Configure layer 4 load balancing on the NetScaler appliance
-
-
-
-
-
Authentication and authorization for System Users
-
-
Configuring HTTP/2 on the NetScaler Appliance
-
-
-
-
Configuring a CloudBridge Connector Tunnel between two Datacenters
-
Configuring CloudBridge Connector between Datacenter and AWS Cloud
-
Configuring a CloudBridge Connector Tunnel Between a Datacenter and Azure Cloud
-
Configuring CloudBridge Connector Tunnel between Datacenter and SoftLayer Enterprise Cloud
-
Configuring a CloudBridge Connector Tunnel Between a NetScaler Appliance and Cisco IOS Device
-
CloudBridge Connector Tunnel Diagnostics and Troubleshooting
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
HTTP/2 configuration
Note: The HTTP/2 functionality is supported on the NetScaler MPX, VPX, and SDX models. In a NetScaler VPX appliance, the HTTP/2 functionality is supported from NetScaler version 11.0 onwards.
The problem with web application performance is directly related to the trend toward increasing the page size and the number of objects on the webpages. HTTP/1.1 was developed to support smaller webpages, slower Internet connections, and more limited server hardware than are common today. It is not suitable for new technologies such as JavaScript and cascading style sheets (CSS) or new media types such as Flash videos and graphics-rich images. This is because it can request only one resource per connection to the server. The limitation significantly increases the number of round trips, causing longer page-rendering and reduced network performance.
The HTTP/2 protocol addresses these limitations by allowing communication to occur with less data transmitted over the network, and providing the ability to send multiple requests and responses across a single connection. At its core, HTTP/2 addresses the key limitations of HTTP/1.1 by using the underlying network connections more efficiently. It changes the way requests and responses travel over the network.
HTTP/2 is a binary protocol. It is more efficient to parse, more compact on the wire, and most importantly, it is less error-prone, compared to textual protocols like HTTP/1.1. The HTTP/2 protocol uses a binary framing layer that defines the frame type and how HTTP messages are encapsulated and transferred between the client and server. The HTTP/2 functionality supports the use of the CONNECT method to establish a tunnel connection through a single HTTP/2 stream to a remote host.
The HTTP/2 protocol includes many performance-enhancing changes that significantly improve performance, particularly for clients connecting over a mobile network.
The following table lists the major improvements in HTTP/2 over HTTP/1.1:
| HTTP/2 features | Description |
|---|---|
| Header Compression | HTTP headers have much repetitive information and therefore consume unnecessary bandwidth during data transmission. HTTP/2 reduces bandwidth requirements by compressing the header and minimizing the requirement to transport HTTP headers with every request and response. |
| Connection Multiplexing | Latency can have a huge impact on page load times and the end user experience. Connection multiplexing overcomes this problem by sending multiple requests and responses across a single connection. |
| Server Push | Server push enables the server to proactively push content to the client browser, avoiding round trip delay. This feature caches the responses it thinks the client needs, reduces the number round trips, and improves the page rendering time. Important: The NetScaler appliance does not support the server push functionality. |
| No Head-of-line Blocking | Under HTTP 1.1, browsers can download one resource at a time per connection. When a browser has to download a large resource, it blocks all other resources from downloading until the first download is complete. HTTP/2 overcomes this problem with a multiplexing approach. It allows the client browser to download other web components in parallel over the same connection and display them as they become available. |
| Request Prioritization | Not all resources have equal priority when the browser renders a webpage. To accelerate the load time, all modern browsers prioritize requests by type of asset, their location on the page, and even by learned priority from previous visits. With HTTP/1.1, the browser has limited ability to use the priority data, because this protocol does not support multiplexing, and there is no way to communicate request prioritization by the server. The result is unnecessary network latency. HTTP/2 overcomes this problem by allowing the browser to dispatch all requests. The browser can communicate its stream prioritization preference via stream dependencies and weights, enabling the servers to optimize response delivery. Important: The NetScaler appliance does not support the request prioritization functionality. |
How HTTP/2 works
A NetScaler appliance supports HTTP/2 on the client side as well on the server side. On the client side, the NetScaler appliance acts as a server that hosts an HTTP/HTTPS virtual server for HTTP/2. On the back-end side, the NetScaler acts as a client to the servers that are bound to the virtual server.
Therefore, the NetScaler appliance maintains separate connections on the client side as well on the server side. The NetScaler appliance has separate HTTP/2 configurations for the client side and the server side.
HTTP/2 for HTTPS (SSL) load balancing configuration
For an HTTPS load balancing configuration, the NetScaler appliance uses the TLS ALPN extension (RFC 7301) to determine whether the client/server supports HTTP/2. If it does, the appliance chooses HTTP/2 as the application-layer protocol to transmit data (as described in RFC 7540 - Section 3.3) on the client/server side. The appliance uses the following order of preference when choosing the application-layer protocol through the TLS ALPN extension:
- HTTP/2 (if enabled in the HTTP profile)
- HTTP/1.1
HTTP/2 for HTTP load balancing configuration
For an HTTP load balancing configuration, the NetScaler appliance uses one of the following methods to start communicating with the client/server using HTTP/2.
Note
In the following method descriptions, client and server are generals terms for an HTTP/2 connection. For example, for a load balancing setup of a NetScaler appliance using HTTP/2, the NetScaler appliance acts as a server on the client side and acts as a client to the server side.
-
HTTP/2 Upgrade. A client sends an HTTP/1.1 request to a server. The request includes an upgrade header, which asks the server for upgrading the connection to HTTP/2. If the server supports HTTP/2, the server accepts the upgrade request and notifies it in its response. The client and the server start communicating using HTTP/2 after the client receives the upgrade confirmation response.
-
Direct HTTP/2. A client directly starts communicating to a server in HTTP/2 instead of using the HTTP/2 upgrade method. If the server does not support HTTP/2 or is not configured to directly accept HTTP/2 requests, it drops the HTTP/2 packets from the client. This method is helpful if the admin of the client device already knows that the server supports HTTP/2.
-
Direct HTTP/2 using Alternative Service (ALT-SVC). A server advertises that it supports HTTP/2 to a client by including an Alternative Service (ALT-SVC) field in its HTTP/1.1 response. If the client is configured to understand the ALT-SVC field, the client and the server start directly communicating using HTTP/2 after the client receives the response.
The NetScaler appliance provides configurable options in an HTTP profile for the HTTP/2 methods. These HTTP/2 options can be applied to the client side as well to the server side of an HTTPS or HTTP load balancing setup. For more information for HTTP/2 methods and options, refer to the HTTP/2 options PDF.
Before you Begin
Before you begin configuring HTTP/2 on a NetScaler appliance, note the following points:
- The NetScaler appliance supports HTTP/2 on the client side as well on the server side.
- The NetScaler appliance does not support the HTTP/2 server push functionality.
- The NetScaler appliance does not support the HTTP/2 request prioritization functionality.
- The NetScaler appliance does not support HTTP/2 SSL renegotiation for HTTPS load balancing setups.
- The NetScaler appliance does not support HTTP/2 NTLM authentication.
- With HTTP/2 enabled, connection multiplexing disabled (like USIP enabled) and one to one mapping of client and server TCP connections, close events such as FIN, reset (RST) are forwarded from the client or server connection to the linked peer connection.
Configuring HTTP/2
Configuring HTTP/2 for a load balancing setup (HTTPS or HTTP) consists of the following tasks:
-
Enable HTTP/2 and set optional HTTP/2 parameters in an HTTP Profile. Enable HTTP/2 in an HTTP profile. When you only enable HTTP/2 in an HTTP profile, the NetScaler appliance uses only the upgrade method (for HTTP) or TLS ALPN method (for HTTPS) for communicating in HTTP/2.
For the NetScaler appliance to use the direct HTTP/2 method, the Direct HTTP/2 option must be enabled in the HTTP profile. For the NetScaler appliance to use the direct HTTP/2 using the alternative service method, the Alternative Service (altsvc) option must be enabled in the HTTP profile.
-
Bind the HTTP profile to a virtual server or a service. Bind the HTTP profile to a virtual server to configure HTTP/2 for the client side of the load balancing setup. Bind the HTTP profile to a service to configure HTTP2 for the server side of the load balancing setup.
Note
Citrix recommends binding separate HTTP profiles for the client side and the server side.
-
Enable the global parameter for HTTP/2 server side support. Enable the HTTP/2 Service Side (HTTP2Serverside) global HTTP parameter for enabling the HTTP/2 support on the server side of all the load balancing setups that has HTTP/2 configured.
HTTP/2 does not work on the server side of any load balancing setups if HTTP/2 Service Side is disabled even if the HTTP/2 is enabled on the HTTP profile bound to the related load balancing services.
NetScaler Command Line procedures:
To enable HTTP/2 and set HTTP/2 parameters by using the NetScaler command line
- To enable HTTP/2 and set HTTP/2 parameters while adding an HTTP profile, at the command prompt, type:
add ns httpProfile <name> - http2 ( ENABLED | DISABLED ) [-http2Direct ( ENABLED | DISABLED )] [-altsvc ( ENABLED | DISABLED )]
show ns httpProfile <name>
- To enable HTTP/2 and set HTTP/2 parameters while modifying an HTTP profile, at the command prompt, type:
set ns httpProfile <name> -http2 ( ENABLED | DISABLED ) [-http2Direct ( ENABLED | DISABLED)] [-altsvc (ENABLED | DISABLED )]
show ns httpProfile <name>
To bind the HTTP profile to a virtual server by using the NetScaler command line
At the command prompt, type:
set lb vserver <name> - httpProfileName <string>
show lb vserver <name>
To bind the HTTP profile to a load balancing service by using the NetScaler command line
At the command prompt, type:
set service <name> -httpProfileName <string>
show service <name>
To enable HTTP/2 support globally on the server side by using the NetScaler command line
At the command prompt, type:
set ns httpParam -HTTP2Serverside( ENABLED | DISABLED )
show ns httpParam
To enable HTTP/2 and set HTTP/2 parameters by using the NetScaler GUI
- Navigate to System > Profiles, and click HTTP Profiles tab.
- Enable HTTP/2 while adding an HTTP profile or modifying an existing HTTP profile.
To bind the HTTP profile to a virtual server by using the NetScaler GUI
- Navigate to Traffic Management > Load Balancing > Virtual Servers, and open the virtual server.
- In Advanced Settings, click + HTTP Profile to bind the created HTTP profile to the virtual server.
To bind the HTTP profile to a load balancing service by using the NetScaler GUI
- Navigate to Traffic Management > Load Balancing > Service, and open the service.
- In Advanced Settings, click + HTTP Profile to bind the created HTTP profile to the service.
To enable HTTP/2 support globally on the server side by using the GUI
Navigate to System > Settings, click Change HTTP parameters and enable HTTP/2 Server Side.
Sample configurations
In the following sample configuration, HTTP/2 and direct HTTP/2 is enabled on HTTP profile HTTP-PROFILE-HTTP2-CLIENT-SIDE. The profile is bound to virtual server LB-VS-1.
set ns httpProfile HTTP-PROFILE-HTTP2-CLIENT-SIDE -http2 enabled -http2Direct enabled
Done
set lb vserver LB-VS-1 -httpProfileName HTTP-PROFILE-HTTP2-CLIENT-SIDE
Done
<!--NeedCopy-->
In the following sample configuration, HTTP/2 and alternative service (ALT-SVC) is enabled on HTTP profile HTTP-PROFILE-HTTP2-SERVER-SIDE. The profile is bound to service LB-SERVICE-1.
set ns httpparam -HTTP2Serverside ENABLED
Done
set ns httpProfile HTTP-PROFILE-HTTP2-SERVER-SIDE -http2 ENABLED -altsvc ENABLED
Done
set service LB-SERVICE-1 -httpProfileName HTTP-PROFILE-HTTP2-SERVER-SIDE
Done
<!--NeedCopy-->
Configure HTTP/2 initial connection window size
As per RFC 7540, the flow-control window for HTTP2 stream and connection must be set to 64 K (65535) octets, and any change made to this value must be communicated to the peer. The ADC appliance communicates the change in flow-control window size as follows:
- Using the
SETTINGSframe for the stream. - Using the
WINDOW_UPDATEframe for the connection.
In an HTTP profile, you must configure the http2InitialWindowSize parameter to set the initial window size at the stream level. Because of an internal system error, the ADC appliance initializes the flow-control window for the connection also. When there is a change in the configured flow-control window for the stream, the ADC appliance communicates to the peer using the SETTINGS frame. But the ADC appliance fails to communicate the change in flow-control window for the connection using the WINDOW_UPDATE frame. This leads to a connection freeze.
To overcome the issue, the http2InitialConnWindowSize parameter (in bytes) is now added to control the flow-control window for connection. By using separate configurable parameters, you can now enable the appliance to send updates for changed window size at both stream and connection levels.
Configure the HTTP/2 initial connection window size parameter by using the CLI
At the command prompt, type:
set http profile p1 -http2InitialConnWindowSize 8290
Initial window size for stream level flow control, in bytes.
Default value: 65535
Minimum value: 8192
Maximum value: 20971520
<!--NeedCopy-->
Note: When HTTP/2 is enabled, Citrix recommends you to disable TCP Dynamic Receive Buffering parameter in the TCP profile.
WebSocket over HTTP/2 configuration
The NetScaler appliance supports WebSocket connections over HTTP/2. You can enable the WebSocket connections using CLI or GUI interface. The WebSocket HTTP/2 connection can be multiplexed.
Configure the WebSocket connections over HTTP/2 by using the CLI
By default, the WebSocket Connections parameter is disabled. You can enable the WebSocket connections using the CLI interface.
Enable Frontend HTTP/2 WebSocket connections:
At the command prompt, type:
For SSL configuration:
add httpprofile <http_profile_name> -http2 enabled -websocket enabled
<!--NeedCopy-->
For Plain text configuration:
add httpprofile <http_profile_name> -http2 enabled -http2direct enabled -websocket enabled
<!--NeedCopy-->
Enable Backend HTTP/2 WebSocket connections:
At the command prompt, type:
For SSL configuration:
add httpprofile <http_profile_name> -http2 enabled
set httpparam -http2serverside ON
<!--NeedCopy-->
For Plain text configuration:
add httpprofile <http_profile_name> -http2 enabled -http2direct enabled
set httpparam -http2serverside ON
<!--NeedCopy-->
Configure the WebSocket connections over HTTP/2 by using the GUI
You can use the following procedure to enable the WebSocket connections using the GUI interface.
Edit the existing Profiles:
- Navigate to System>Profiles>HTTP Profiles.
- Select the required profile from the Profiles and click Edit.
- In the Configure HTTP Profile, enable HTTP2 or DirectHTTP2 check boxes.
- Enable the WebSocket connections by selecting the Enable WebSocket connections check box.
Add new Profiles:
- Navigate to System>Profiles>HTTP Profiles.
- You can add a new HTTP2 profile by clicking Add.
- In the Create HTTP Profile, enable HTTP2 or DirectHTTP2 check boxes.
- Select the Enable WebSocket Connections check box.
The following table describes the WebSocket connection behavior when the backend multiplexing is disabled:
| HTTP packet version | WebSocket in HTTP profile | Request action | Backend HTTP/1.1 | Backend HTTP/2 |
|---|---|---|---|---|
| HTTP/1.1 | Disabled | dropped | NA | NA |
| HTTP/1.1 | Enabled | HTTP/1.1 | Each HTTP/1.1 connection is mapped to a dedicated HTTP/1.1 connection on the backend | Dedicated HTTP/2 connection on the backend for each HTTP/1.1 connection |
| HTTP/2 | Enabled | HTTP/2 | Each stream on the front end is mapped to a dedicated HTTP/1.1 connection | All front end streams can be mapped to a single HTTP/2 connection or maximum of three HTTP/2 connections on the backend. |
| HTTP/2 | Disabled | dropped | NA | NA |
The following table describes the WebSocket connection behavior when the backend multiplexing is enabled:
| HTTP packet version | WebSocket in HTTP profile | Request action | Backend HTTP/1.1 | Backend HTTP/2 |
|---|---|---|---|---|
| HTTP/1.1 | Disabled | dropped | NA | NA |
| HTTP/1.1 | Enabled | HTTP/1.1 | Each HTTP/1.1 connection is mapped to a dedicated HTTP/1.1 connection on the backend | Multiple Http/1.1 clients can be multiplexed to a single HTTP/2 connection or multiple HTTP/2 connections |
| HTTP/2 | Enabled | HTTP/2 | Each stream on the front end is mapped to a dedicated HTTP/1.1 connection | All front end streams can be mapped to a single HTTP/2 connection or multiple HTTP/2 connections on the backend |
| HTTP/2 | Disabled | dropped | NA | NA |
Share
Share
This Preview product documentation is Cloud Software Group Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Cloud Software Group Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Cloud Software Group product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.