Debunking the Myths and Misconceptions of NetScaler ADC
Introduction
Welcome to our guide on common myths and misconceptions about NetScaler (for a time known as Citrix ADC). Whether an organization is exploring new options for network management or looking to switch from a competitor’s product, understanding the truths behind these misconceptions can significantly enhance the decision-making process.
After all, there are solid reasons NetScaler application delivery controllers (ADCs) handle over 75% of the Internet’s traffic and are entrusted by many of the world’s largest e-commerce, banking, and smartphone networks. NetScaler even underpins the architectures of the two largest public clouds.
In this article, we will debunk prevalent myths about NetScaler and provide clear, factual insights to help IT decision-makers discover how this powerful tool can meet their network optimization needs. Let us separate fact from fiction and unlock the true capabilities of NetScaler.
Myth: NetScaler isn’t enterprise class or widely used.
Reality: Large enterprises, including critical industries from energy to defence to healthcare, rely on NetScaler’s networking capabilities. NetScaler is used by 90% of the Fortune 500 and handles an estimated 75% of the world’s Internet traffic. NetScaler powers the world’s largest e-commerce, banking, and smartphone networks and popular gaming and video streaming platforms. In fact, two out of the three largest public clouds operate on NetScaler.
While NetScaler may not have aggressively targeted enterprise customers in every sector and industry, and may therefore be less recognized in some of them, this speaks more to its strategic focus than to its inherent capability within the enterprise market segment. When most of the Internet and our everyday online activities depend on NetScaler, it is difficult to assert that it is not, in fact, enterprise-class.
We would argue that NetScaler is the most battle-tested ADC appliance on the market, with decades of product development tailored to the world’s most demanding and mission-critical workloads.
Myth: NetScaler is a Citrix product, so it must run on Windows.
Reality: This has never been the case. NetScaler was one of the earliest web optimization & security appliances on the market, debuting in 1997 and releasing its first load balancer in 2001. NetScaler was acquired by Citrix in 2005 to help round out its access infrastructure ecosystem, and Citrix’s “Citrix Access Gateway” appliance was collapsed into the already feature-rich NetScaler as the “Citrix Gateway” or, in some iterations, “NetScaler Gateway” feature. Citrix maintained a Windows-based product known as “Citrix Secure Gateway” for some years, but this legacy platform was not related to NetScaler at all beyond sharing a few architectural similarities in handling ICA proxy and brokering connections.
Myth: NetScaler is hard to learn and manage.
Reality: Networking professionals, often with 10-20+ years of domain knowledge, already possess a strong foundation in networking that is largely transferable across different platforms, including NetScaler. While some concepts and interfaces may differ, these variations should not pose a significant learning curve. To facilitate the transition, NetScaler provides PluralSight licenses, which include comprehensive NetScaler courses. These courses are designed to help professionals new to NetScaler quickly learn where the buttons are and understand any differing concepts. With the right resources and existing domain expertise, mastering NetScaler can be straightforward and efficient.
Managing NetScalers is also much easier than on competing platforms. NetScaler Console (formerly Citrix Application Delivery Management) integrates with all NetScalers, regardless of their type and location, from one pane of glass. This enables centralized monitoring, administration, and health reporting (infrastructure, SSL, security). Competing platforms rely on separate management consoles for hardware, container, and even virtual devices, largely because each type runs its own firmware or OS, whereas NetScaler uses the same firmware, or “code base”, across all platforms.
Myth: NetScaler doesn’t have all the features of F5. It lacks a scripting language, so it cannot manipulate traffic like F5 can.
Reality: This speaks more to a lack of understanding of platform architecture differences and similarities than to a lack of feature parity. The vast majority of features and functions of F5 and NetScaler overlap. The names of most functions may differ, but in many cases this is merely a matter of semantics.
There are instances, however, where the implementation of certain functions differs between the platforms while achieving the same outcomes. This is most apparent with the iRules concept. While extensible, iRules have a learning curve, and support for them is largely community-based. NetScaler took a different approach and compartmentalized what iRules often do on F5 into three core, intuitive features: Policies, Rewrite, and Responder. Policies employ an extensible expression architecture common to all NetScaler features and functions. NetScaler’s traffic manipulation features handle most, if not all, of F5’s iRules capability. NetScaler is so confident in this that they are willing to convert iRules for customers.
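As an added illustration of the Policy, Responder, and Rewrite split described above (this is not configuration from the original article or from NetScaler’s own documentation; the virtual server names lb_vs_web_http and lb_vs_web_https, the policy and action names, and the HSTS value are assumed), here is a common web-hardening task that on F5 would typically be a single iRule. Lines beginning with # are explanatory comments.

```text
# Responder: evaluate a policy expression on the request and answer the client
# directly. Here, any non-TLS request is redirected (301) to the same host and
# path over HTTPS. "END" stops further responder policy evaluation.
add responder action rs_act_to_https redirect "\"https://\" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.PATH_AND_QUERY" -responseStatusCode 301
add responder policy rs_pol_to_https "CLIENT.SSL.IS_SSL.NOT" rs_act_to_https
bind lb vserver lb_vs_web_http -policyName rs_pol_to_https -priority 100 -gotoPriorityExpression END -type REQUEST

# Rewrite: modify the request or response in flight and let it continue to
# the client. The first policy adds an HSTS header only when the backend did
# not already send one; the second strips the backend's Server header so the
# origin software version is not disclosed. "NEXT" continues to the next
# bound rewrite policy.
add rewrite action rw_act_insert_hsts insert_http_header Strict-Transport-Security "\"max-age=31536000; includeSubDomains\""
add rewrite policy rw_pol_insert_hsts "HTTP.RES.HEADER(\"Strict-Transport-Security\").EXISTS.NOT" rw_act_insert_hsts
add rewrite action rw_act_del_server delete_http_header Server
add rewrite policy rw_pol_del_server "HTTP.RES.HEADER(\"Server\").EXISTS" rw_act_del_server
bind lb vserver lb_vs_web_https -policyName rw_pol_insert_hsts -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
bind lb vserver lb_vs_web_https -policyName rw_pol_del_server -priority 110 -gotoPriorityExpression NEXT -type RESPONSE
```

The same policy expression language (HTTP.REQ.*, HTTP.RES.*, CLIENT.SSL.*) is reused across Responder, Rewrite, and the other NetScaler features, which is the point made above about a common expression architecture.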
From a core technologies standpoint, NetScaler and F5 have nearly the same feature parity in load balancing, SSL/TLS, protocols and algorithms, DNS, and network.
Another common topic of interest on this subject is F5 Big-IP’s SSL Orchestrator. While NetScaler does not have a single dedicated product that directly matches it, the majority of its capabilities are found across several NetScaler features and NetScaler Console, which effectively accomplish the same objectives.
Some readers may find the following nomenclature comparison table useful. Please note that it is not comprehensive and does not cover all NetScaler application manipulation features (AppExpert section of the admin console) or application optimization features (Optimization section of the admin console).
Myth: NetScaler isn’t as fast as other solutions.
Reality: NetScaler vastly outperforms competitor platforms such as F5 in third-party testing, in particular for SSL/TLS offloading. While many ADC platforms now provide a single-pass architecture, many do not do so in all traffic management situations due to their underlying architecture. In contrast, NetScaler is a single-pass design for effectively all features one may enable on the traffic from SSL/TLS offload to traffic inspection with WAF and more. This holds true whether using hardware or software editions of NetScaler – it is all the same code base.
In 2024, Tolly Group repeated their NetScaler vs. F5 performance testing, which was last conducted in 2021, and again illustrated a large disparity in performance between the platforms. Tolly Group reported F5 introduced up to 9x the latency and significantly higher resource consumption compared to similar conditions on NetScaler, positioning NetScaler as the higher performance, lower TCO option. NetScaler’s performance edge is one of the key reasons e-commerce platforms and other mission-critical services rely on NetScaler over competing solutions.
Myth: NetScaler does not provide full data and management plane separation.
Reality: While it’s true that NetScaler does not offer complete separation of data and management planes at present, NetScaler’s admin partitions provide robust and flexible traffic isolation capabilities, ensuring secure and efficient management of network resources.
Myth: NetScaler lacks DNS security capabilities.
Reality: NetScaler offers robust DNS security capabilities and continues to evolve with emerging technology trends. As of August 2024, NetScaler supports DNSSEC, DNS over TLS (DoT), prevents subdomain attacks, and mitigates DNS cache poisoning. DNS over HTTPS (DoH) is on the roadmap for implementation in 2024.
Myth: NetScaler is more expensive than other solutions.
Reality: Based on our extensive experience with customers of all sizes, we’ve consistently found that NetScaler is both less expensive than F5 and has a lower total cost of ownership. While NetScaler is often more expensive than offerings from A10, Kemp, and other smaller players in the ADC space, it is a premium platform. When comparing costs, it’s crucial to consider various factors for a fair evaluation between vendors, such as:
- Hardware form factors with similar specifications and license editions (features and throughput)
- Virtual form factors with similar specifications and license editions (features and throughput)
- Support (technical support, RMA, and service contracts)
- Bundled licensing and license models
In 2024, the last point is particularly significant. In March, Cloud Software Group introduced major changes to the license subscription models for Citrix and NetScaler products. Customers on the Citrix Universal Hybrid Multi-Cloud (UHMC) or Citrix Platform License models now receive unlimited NetScaler instances* and either 1Tb (UHMC) or unlimited (Platform) throughput, both with the Premium Edition feature set. These changes allow customers to replace their existing ADC platforms** with NetScaler, potentially saving tens of thousands to millions in OPEX and CAPEX or to scale out new services with NetScaler.
*Instances can be physical or virtual. While physical hardware appliances still require purchase, NetScaler’s pricing model now includes lower hardware costs and lifetime RMA, further reducing TCO.
**For customers using NetScalers for revenue-generating purposes (e.g., e-commerce) or those without a Citrix footprint, the NetScaler Flexed license model offers compelling, competitive value.
What about cloud? Many customers initially plan to switch to native cloud services when moving to the cloud, intending to move away from their ADC vendor. However, those who don’t conduct thorough cost modelling and feature comparison often find that native cloud services perform more slowly (no single-pass architecture), resulting in higher operating costs than retaining an ADC like NetScaler. As throughput scales on native cloud services, so do consumption costs, and additional features increase them further. Our guidance here is to do the necessary homework and projections.
Myth: It will be very costly to switch to NetScaler.
Reality: While time, effort, and financial investment are inherent to any IT migration, the transition to NetScaler is often more streamlined and cost-effective than expected. NetScaler provides tools to partners to assist with iRules and configuration conversion, and we also offer migration assistance from other platforms at no additional cost. Ferroque Systems has extensive experience orchestrating migrations of ADC fleets to NetScaler across various industries, leveraging a mature and proven delivery methodology that minimizes business impact. Contact us to learn how we can facilitate a smooth and cost-effective transition to NetScaler.
Myth: NetScaler is not a networking product. At best, it is a basic L4 load balancer.
Reality: NetScaler originated as and continues to be, above all else, an ADC. It is, by definition, a networking platform and one of the most advanced load balancers on the market, handling L4 through L7. In fact, it started life as a network platform fronting major web search platforms. One of its key features is NetScaler’s capability in both load balancing and manipulating multi-protocol traffic at the application level (L7).
Myth: NetScaler has a lot of security issues.
Reality: While NetScaler has experienced its share of CVEs over the years, it’s important to contextualize this statement by considering several key points. First, the majority of these CVEs are related to specific features like AAA-TM and Citrix Gateway, which are inherently more exposed to external threats due to their nature. This context is crucial because it highlights that the presence of CVEs does not necessarily indicate a fundamental weakness in NetScaler’s overall security posture.
Second, when comparing NetScaler to its nearest competitor, F5, the difference in CVE counts is striking. Over the course of both products’ lifespans up to August 2024, NetScaler (including unique entries for Citrix ADC and excluding SD-WAN) accumulated 92 CVEs, while F5 Big-IP recorded 616—over six times more. It’s important to note that CVE counts alone don’t tell the whole story, as different products have varying architectures, attack surfaces, and complexities that can influence the number of vulnerabilities reported.
However, looking beyond the sheer number of CVEs, it’s essential to consider the severity of these vulnerabilities. NetScaler has had 8 CVEs rated as critical, while F5 Big-IP has had 38. This disparity further emphasizes that the quantity of CVEs is only one piece of the puzzle—what truly matters is the impact and how these vulnerabilities are managed.
It’s also worth considering how these vulnerabilities were addressed. NetScaler’s track record in responsibly disclosing, promptly patching, and communicating these issues to its users plays a significant role in maintaining a strong security posture. CVEs are an inevitable reality for almost any computer solution, software, or hardware. However, the manner in which a company responds to and mitigates these vulnerabilities is a critical factor in assessing its overall security.
Finally, to provide a balanced view, readers are encouraged to validate this information themselves via trusted sources such as cve.mitre.org or nvd.nist.gov. Examining the details of these CVEs—such as their impact, exploitability, and how quickly they were resolved—will provide a more complete picture. While NetScaler has had its share of vulnerabilities, the data suggests that claims of it having significant security issues are not fully aligned with historical reality.
One last thought on the subject—it is also worth highlighting that NetScaler has a 15+ year history of fronting remote access platforms for major defence agencies—organizations that typically do not throw caution to the wind in their security posture. This long-standing trust from some of the most security-conscious institutions further reinforces the argument that NetScaler’s security record is robust and reliable.
Myth: NetScaler is for Citrix only.
Reality: This has never been the case. As noted above, NetScaler was one of the earliest web optimization & security appliances on the market, debuting in 1997 and releasing its first load balancer in 2001, and was acquired by Citrix in 2005 to round out its access infrastructure ecosystem, with the “Citrix Access Gateway” appliance collapsed into NetScaler as the “Citrix Gateway” or “NetScaler Gateway” feature. While NetScaler is, as a result, prominently found in many enterprises where Citrix is used, NetScaler has been, and continues to be, used heavily in non-Citrix use cases, including powering the world’s largest e-commerce sites and Internet-based services. For this reason, NetScaler is known to handle approximately 75% of the Internet’s traffic, and Citrix traffic would make up a negligible percentage of that NetScaler load.
Myth: NetScaler’s Web App Firewall (WAF) is complex.
Reality: All enterprise WAFs are inherently complex by their nature. They must accommodate the protection of thousands of applications and thousands more exploit vectors. Complexity is exacerbated by network admins typically not being application developers and relying on the application owners for guidance on the nature of their web apps in order to apply the appropriate protections. That said, this does not mean NetScaler’s WAF is more complex than other vendors’ WAFs. In fact, NetScaler has placed significant development focus on bridging the divide between network admins and app owners to streamline learning and deployment of WAF configurations.
Let’s quickly break down NetScaler’s WAF at a high level. NetScaler’s WAF began life as Teros’ Application Firewall platform, which Citrix acquired in 2005 and consolidated into the NetScaler platform. Architecturally, it protects web apps from known and unknown attacks. Known attacks are handled through a continuously updated signatures database and are enabled based on the type of web app in use. Unknown attacks, including zero-day mitigation capabilities, are handled by “learning” accepted operations and data types and then enforcing them as rules while blocking actions that deviate from the norm as “violations”.
When administrators combine NetScaler WAF with NetScaler Console (formerly Application Delivery Management, or ADM), not only do they gain observability into the number and types of attacks being blocked via Security Insights, but also guidance on the optimal protections to implement based on what NetScaler learns about the applications. This takes more guesswork out of the WAF configuration and tuning process and expedites reaching an ideal end-state that optimizes protections and performance.
As of 2024, NetScaler’s WAF is considered to be the fastest on the market, in no small part thanks to the single-pass architecture achieved when WAF is enabled on web apps fronted by NetScaler. It is rich in capabilities, including bot management and API gateway functions, and pairs well with NetScaler’s numerous other security features, including but not limited to IP reputation, rate limiting, DDoS protection, and more.
Myth: NetScaler lacks a broad ecosystem for third-party integrations.
Reality: When comparing NetScaler to F5 and A10, which each publish their technology integrations, NetScaler may appear to be behind F5 at first glance. While there is significant overlap with key technology vendors, the NetScaler technology integrations page, judged against field experience and broader NetScaler documentation, is incomplete and has notable omissions, such as Nutanix, OPSWAT, and Webroot. In contrast, F5’s technology integrations list includes technologies that have been “approved” or “validated” for use with F5, such as Epic, giving an impression of a broader ecosystem.
NetScaler’s integration list, on the other hand, focuses specifically on product-specific integrations with NetScaler. NetScaler is vetted for many mission-critical applications and technology platforms, but these generally do not appear on its integration list as its criteria are narrower in contrast to F5. While F5 undoubtedly boasts a significant and robust technology integration ecosystem, it’s important to recognize that the two vendors have different interpretations of what constitutes a technology integration partner.
For customers, the key consideration should be whether the platform has the necessary integrations to meet their specific operational needs. In this context, having a longer list of integrations is not inherently better, nor is a shorter list necessarily lacking. What truly matters is whether the available integrations are relevant and useful in the customer’s unique environment.
Myth: NetScaler does not support the cloud.
Reality: NetScaler is fully compatible with all major public clouds and is, in fact, a critical component in the architecture of two out of the three largest public cloud providers. It quite literally supports the cloud. It supports a wide range of deployment models, from virtual instances to bare-metal hardware (BLX), ensuring flexibility in various cloud environments. Compared to native load balancing, performance optimization, and security solutions offered by public cloud platforms, NetScaler delivers superior performance, enhanced traffic observability, and cost efficiency at scale.
NetScaler CPX, designed for containerized microservices, further extends its value proposition by catering to modern, cloud-native use cases. The NetScaler Console’s auto-scale function allows instances to scale dynamically, adapting to changing demands with ease.
Moreover, whether a customer’s NetScaler fleet includes on-premises MPX, SDX, or VPX, alongside VPX, CPX, or BLX in public clouds, they can centrally manage their entire infrastructure from a single pane of glass. This unified management approach ensures seamless operation across different form factors and locations, providing unparalleled control and efficiency.
Myth: You cannot easily migrate NetScaler configurations between form factors.
Reality: This is very much true of competing ADC platforms, both in form-factor migration and in hardware-generation migration, but not of NetScaler. NetScaler uses the same code base regardless of its form factor (MPX, VPX, CPX, BLX). Thanks to its software-defined architecture, configurations are very much portable between form factors, with the exception of a more limited feature set on the containerized CPX platform. Migrating between platforms (on-premises or public clouds) or form factors (such as MPX to VPX) is fairly straightforward, and the portability of configurations is one of NetScaler’s key features.
Myth: NetScaler provides limited traffic visibility.
Reality: Traffic visibility—or as NetScaler refers to it, observability—is one of NetScaler’s core strengths and a key reason why many customers choose NetScaler over competing vendors or public cloud offerings. Like all enterprise platforms, NetScaler supports SYSLOG and SNMP, but it’s the advanced Analytics engine that sets it apart. This engine allows customers to deeply analyze and identify bottlenecks in the performance of Web, TCP, and Citrix traffic and security analytics from its WAF.
NetScaler achieves this depth of analysis through its AppFlow technology, which is comparable to Cisco’s NetFlow, providing detailed insights into network and application performance. The NetScaler Console’s dashboard reporting and alerting capabilities further enhance visibility, enabling customers to monitor their NetScaler and web app portfolio and focus on the metrics critical to their operational health and performance.
What truly distinguishes NetScaler is its ability to manage and monitor all these aspects from a single, centralized platform—NetScaler Console—regardless of the form factors deployed. In contrast, other vendors often rely on multiple, disjointed monitoring solutions that still fall short of the comprehensive analytics that NetScaler provides natively.
Myth: SSL is not scalable on NetScaler VPX.
Reality: This is a misconception. NetScaler VPX utilizes its packet-processing engines (PPEs) to handle SSL/TLS offload and acceleration, as opposed to hardware appliances that rely on cryptographic hardware acceleration. While it’s true that NetScaler VPX may not match the SSL/TLS transaction throughput of a similarly sized hardware appliance on its own, customers have the flexibility to scale out or scale in their load as needed. This scaling can be automated, allowing them to meet demand without being constrained by a physical appliance—a limitation for some.
Moreover, as of late 2023, NetScaler VPX can indeed benefit from hardware acceleration. Thanks to NetScaler 14.1’s added support for Intel QAT presented via SR-IOV on VMware and KVM hypervisor hosts, the SSL/TLS throughput of NetScaler VPX is significantly enhanced, closing the performance gap with its hardware counterparts.
Myth: NetScaler is end-of-life (EOL).
Reality: This is entirely untrue, and there has never been any risk of NetScaler being discontinued, given the global reliance on its technology. What may have caused confusion is the decision to sunset the sale of perpetual product licenses in 2023. While customers still purchase and own the hardware (MPX/SDX), the software running on that hardware—or on virtual instances (CPX, VPX, BLX)—is now offered exclusively through subscription, aligning with industry trends.
Myth: NetScaler skills are difficult to find in the field.
Reality: Perceptions may vary on this topic, but from our own field experience with customers who migrated to NetScaler, or current F5 customers we have dealt with, the sentiment has been the opposite—that F5 expertise in the field has been difficult to come by.
With that said, from professional services to managed services and staff augmentation, the world-class team of certified NetScaler experts at Ferroque is always at your disposal and has a track record of designing and deploying hundreds, if not thousands, of NetScalers for customers ranging from federal agencies to the healthcare and gaming industries. Reach out to learn more.
Myth: NetScaler has no containerized microservices capabilities.
Reality: NetScaler CPX is the containerized form factor of NetScaler, capable of operating on Docker, Kubernetes, Red Hat OpenShift, Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE), Rancher, and Pivotal Container Service (PKS). Designed for microservices and DevOps, NetScaler CPX provides traffic routing, load balancing, SSL/TLS offload, and numerous other capabilities. NetScaler Console can assist in auto-scaling, centrally administering, and upgrading CPX containers, in stark contrast to Nginx, which has little to no central management platform and in many cases requires individual management of instances.
Ferroque Systems
Ferroque Systems is a technology consulting, IT advisory, and managed services firm specialized in virtualization and digital workspaces. Recognized internationally for our Citrix expertise, we focus on delivering innovative solutions to meet the needs and strategic goals of growing enterprise and mid-market businesses across the globe.