It’s fascinating to reflect on the last 20+ years of competition between NetScaler and F5’s BIG-IP. Both products helped fuel the initial boom of the Internet by providing first of its kind scaling, high availability, security, and traffic intelligence for the new World Wide Web. In the early 2000s, the Internet was bursting at the seams, but because of F5’s and NetScalers technology, companies were able to scale their applications with little to no changes to their apps. Most folks don’t realize Citrix acquired NetScaler In 2005, which was a great fit at the time – as Citrix needed a proxy they could customize to provide visibility into their VDI solutions. They could continue to recommend F5 (yep at the time F5 was the preferred LB vendor for Citrix), or they could bring the functionality in house and have full control. Buying F5 at the time would have been tough, they had great momentum and no real motivation to be acquired. They also had a head start on NetScaler – F5’s first product shipped in 1997, vs NetScaler in 2000. NetScaler, likely feeling the pressure, was ripe for the picking. So what happened after that acquisition in 2005?
F5 & Citrix History – How did we get here?
How did we get to the point where the majority of Citrix customers are looking to migrate from Citrix NetScaler to F5 BIG-IP? I believe the crux of NetScalers’ demise, and why F5 has become the clear winner in the ADC space, is focus, innovation, and strategic acquisitions. Remember, F5 started as a load balancing company, focused on application delivery. While that focus has evolved to include more security, application delivery is still the main focus of the company. This focus has allowed F5 to keep innovating, evolving and acquiring companies that support their focused mission around application delivery and security. This was not the case for Citrix, NetScaler was an add-on acquisition and has always competed for attention with their main focus – Virtual Desktop Infrastructure (VDI).
Over the years Citrix has been severely distracted by the competitive pressure they’ve faced with their core VDI business and subsequently put very little focus on evolving NetScaler. Looking at their acquisition history, it tells a clear story where Citrixs’ focus has been. Outside of acquiring Teros for their WAF in 2005 a few short months after the Netscaler pickup, the acquisition list has had very little to do with advancing NetScaler. Citrix was happy to keep the status quo with NetScaler after adding the WAF, and position it within their VDI architecture to provide high availability for the servers that made up their solutions and extra visibility into those VDI traffic streams. But as cloud apps became more popular, and continue to, there are less apps on premise, making it hard to justify the price tag for Citrix to deliver the handful of apps on premise folks still need to access remotely. Additionally, there are now a multitude of alternatives for accessing apps on premise or hosted in the cloud, including offerings from heavy hitters like Microsoft, AWS, and VMware. To put it simply, since Citrix VDI has lost a lot of market share with their core solutions around VDI, there isn’t a good reason to stay on the NetScaler platform.
Interestingly enough, the covid-19 pandemic accelerated Citrix’s decline. One would think everyone in America forced to work from home would be good for Citrix’s remote app solutions, but that wasn’t the case. Overall Citrix didn’t do a good job of seizing the opportunity, and the situation fueled an appetite to try alternatives. During that time Citrix was busy focusing on the Wrike acquisition, what’s Wrike you ask? Wrike is project management software and was Citrix’s last acquisition in 2021 for 2.25 billion dollars – yes 2.25 with a B, before being acquired by private equity in 2022. Citrix’s intent with the acquisition is to bring project management features to the Citrix Workspace offering. I can see the potential with workspace, but I’m having a hard time making the connections between NetScaler and Wrike. It might open the doors to new customers, but I can’t see many benefits past that for Netscaler. Ironically, Wrike was a Vista Equity Partners portfolio company, who with Evergreen Coast Capital acquired Citrix in 2022 for 16.5 billion.
F5 on the other hand stayed focused, evolving BIG-IP far past the Local Traffic Manager (LTM) module, and has had a history of solid acquisitions. Including most recently, SHAPE & NGINX in 2019 and Volterra in 2021 – all playing a pivotal role in evolving F5. SHAPE, now Bot Defense, was and continues to be the #1 bot defense mitigation solution for account takeovers. The Shape acquisition also came with some serious AI & ML IP before AI & ML were sexy. Similarly, NGINX was and is the #1 web server and ingress controller for Kubernetes. Volterra was also a very strategic addition; it instantly enabled F5 to become a major player in the cloud space and uniquely positioned them to become the “cloud for clouds”. Volterra is now dubbed F5 Distributed Cloud. While those are the most notable recent acquisitions, there were plenty of other examples of acquisitions that lead directly to advancing their application delivery & security position. For example, Aspen Mesh, built on istio for the service mesh space – while not mainstream today, could prove to be in the future.
Citrix NetScalers – What’s Going to Happen With The Technology?
Since being acquired by private equity in 2022, it’s been clear the new Citrix is continuing to focus on other parts of the business. In March 2023 Citrix ended the sale of NetScaler perpetual hardware & software licenses, and moved to a subscription only model. They also invented a new acronym in the process – “Notice of Change”, which combines End of Sale & End of Maintenance – this was a major breaking point for a lot of NetScaler customers. While this is nice for Citrix’s recurring revenue, a lot of companies still want to account for technology as CapEx vs OpEx.
New licensing limitations aside, and questions if hardware will continue, support has had major issues as of late. I’ve had multiple colleagues in the industry who use NetScalers tell me about the struggles they’ve had dealing with support. Check out this reddit post from a couple months ago that highlights their website was down when a critical patch was released. I’ve also seen folks online say their sales reps are telling them to get off the platform. See this public LinkedIn post from a frustrated NetScaler customer, “Citrix sales said that we should move to F5 for load balancing. They have officially given up” – and that’s not the first time I’ve heard that.
From the outside looking in, it seems Citrix is going in the same direction as Cisco did with the Content Services Switches & Global Site Selectors CSS/GSS technologies and will eventually sunset the solution completely to focus on their core solutions. Being private equity, there’s also a good chance NetScaler will be sold off soon.
Moving on from Citrix NetScaler
For engineers, managers, and lines of businesses that relied on Citrix NetScaler, there’s a distinct feeling of being left holding the bag. The current situation marks a significant turning point for teams that relied heavily on the product, some folks even shaping much of their careers around it. Because of that, the decision around which technology to migrate your NetScalers not only affects your organization, it affects you personally – this is how some of us put food on the table.
I’m here to tell you don’t worry, there’s a silver lining to all of this! F5, the technology that leads the application delivery space, has done all the right things around acquisitions and innovations. Managers and lines businesses at companies can rest easy knowing:
- F5 has no plans of removing perpetual licensing options and gives customers the choice of perpetual, subscriptions, and flexible consumption plans that support hardware, software, and their cloud offerings.
- The company financials are very healthy. F5 has long been profitable and has close to 1 billion of cash in the bank.
- Today F5’s BIG-IP powers the majority of leading companies
- There is parity with feature sets of the NetScalers, and more advanced optimizations will be available to you
- There are tried and true migration strategies to minimize risk
- F5 has a clear roadmap for the future of BIG-IP and their cloud offerings, and is investing heavily in their distributed cloud
- BIG-IP’s successor dubbed “NEXT” has been released and embraces modern and future technology
- F5 has recently released their new hardware platforms, the rSeries and Velos – and they are blazing fast. If you prefer HW, you won’t have to worry about your future with F5.
If you’re an engineer, you should be excited! Not only for the reasons above, but because:
- Your past knowledge will not be lost! While the terminology can be different from NetScaler to BIG-IP a lot of the core concepts stay the same, and your foundational networking knowledge will still apply.
- F5 BIG-IP LTM has a ton more features and ways to solve common application delivery problems – more tools in your toolbelt!
- F5 LTM is just the base module! Did you know F5 has the #1 Web Application Firewall? This is a perfect entry into getting serious about boning up on HTTP & API security – extending your skill set more into the security space.
- It doesn’t stop there, additional modules include – DNS for Intelligent name resolution, APM to augment and enforce authentication any which way you can dream up, and AFM – a full-fledged firewall w/added DoS capabilities. All those modules are part of the Good (LTM), Better(LTM + DNS & AFM) , and Best(Better + APM & AWAF) bundles. There’s actually even more modules and add-ons, like the Shape technology that is now integrated bot defense, SSLO for SSL/TLS intelligent air gaps, and CGNAT that most of the ISP’s and big carriers use. And that list is not even an exhaustive list!
- The door is now open to NGINX! NGINX works in concert with F5 BIG-IP and is the #1 Ingress Controller for Kubernetes (K8)s – you know your butt needs to get up to speed on K8s 😉
- F5 Engineers are some of the most sought-after engineers – you’re not going to have any issues finding work once you progress your skill set.
- F5 is an awesome company, with a great culture that is constantly innovating and staying ahead of technology. The community is strong – head over to DevCentral to start interacting with your new peers.
Migration Strategies
Planning a migration for critical network infrastructure can be intimidating, but it doesn’t have to be. One of the best things I’ve ever heard is “We don’t plan to fail, we fail to plan” – there are no truer words when it comes to migrating your load balancer. With a proper plan in place, you can reduce risk, ensure success, all while raising stakeholders’ confidence in you and your new solution. There are pros and cons to all strategies, and what’s going to be best for you and your org depends on so many factors it’s impossible to give you static advice. With that in mind, I’ll cover two of the most common migration strategies and highlight pros and cons for each:
Forklift Migration
In this strategy you cutover all of your traffic in one night and preserve all layer 3 IP addressing. On the surface forklift migrations can seem very risky, but when planned out well, are actually quite risk averse and can save you a ton of time. Here’s a quick list of some of the most common and critical pros & cons:
Pros:
- Re-using all layer 3 addressing & keeping layer 2 as similar as possible avoids issues with firewalls, and issues with hard coded IPs for server-to-server communication – Yes, I know you told them to use the hostnames, they still didn’t listen to you :-).
- Since the cutover is typically completed in one night, it drastically cuts down on the time of completion.
- You can further ensure your success by testing the layer 2 & 3 configurations you’re going to use in a separate change window before the cut with temporary addressing – proving out layer 2 and layer 3 works so you’re not chasing it the night of the big migration.
- The back out strategy is clean and fast. Facing an issue once cut-over? Shut down the new devices, bring the old ones back up, encourage the surrounding devices to associate the old macs with the IPs and you’re back in business.
Cons:
- By re-using all the layer 3 IP addresses you lose out on some of the opportunities to clean things up in firewalls, and the opportunity to rearchitect some aspects of the environment.
- Since the cut-over is in one night you don’t get the chance to slowly build up confidence in the new environment. Even a single hiccup with the cutover can result in a cut-back, which will lower confidence in the organization around the solution, putting the pressure on you for round 2.
- If you don’t have your act together around testing, and it takes a long time, it could be challenging to complete the cut in one window.
Piecemeal Migration Strategy
In this strategy you stage the new devices with new addressing, typically in the same vlans/subnets, but not always, app teams test with host files, and cut over an app at a time or batches of apps. While this is often the preference of the risk adverse, it could present more risk, as more is changing, and it’s a much slower process. List of some of the most common and critical pros & cons:
Pros:
- By using all new IPs you get to clean up firewall rules, documentation, and have an opportunity to revisit the l2 & l3 architecture in general.
- Allows ample time for testing via host files. This forces you and your co-workers to clean up hard-coded server to server communication by enforcing the use of DNS. This can be very important in identifying weak spots for high availability – for example, unless you’re using anycast, it’s very hard to provide high availability with one IP ;-).
- You can spend more time improving each application and really diving deep into optimizations the F5 BIG-IP can offer.
- Cutovers & cutbacks are simple DNS changes
- Every successful application / batch cutover raises the confidence for stakeholders and app owners – making it easier / faster as you get further along.
Cons:
- Changing IPs creates a lot of work around firewall rules and possibly routing changes. You’ll need to work hard to ensure you identify all the rules that need to be duplicated and deprecated, while ensuring l3 is going to function as expected.
- Because you’ve allowed each line of business to cutover their apps one at a time or in batches it can quickly turn into death by committee, crippling progress. This happens especially when your early cut-overs are unsuccessful, then everyone gets gun-shy.
- How do you think you’re going find out about those hard coded IPs?? Lol unfortunately for you, it’s typically going to be the hard way! i.e. during the cutover. These types of issues can encourage cutbacks if you’re not given ample time to track down the offending services – make a plan on how you’re going to track them down like sniffing for traffic at the old devices VIPs that were cut over.
- Your efforts to optimize applications if not tested thoroughly could cause problems in production, force cutbacks, and lower confidence in your efforts
- While it offers the opportunity for testing, it’s hard to test the server to server communication traffic, so if there’s a lot of that type of traffic, true testing might have to wait until the prod cutover.
Oh boy can this drag on! Coordinating testing between many groups for a large number of apps can take a lot of work and ultimately time. If you’re not going to be changing a lot in terms of optimizations or architecture, this might be a lot of unneeded busy work that accomplishes the exact opposite of what it was meant to.
How do the Citrix NetScaler and F5 BIG-IP license bundles compare to each other?
Some key differences between the Citrix NetScaler and F5 BIG-IP license bundles are important for you to understand.
NetScaler used to have 3 different license bundles – Standard, Advanced, and Premium. They did away with the less expensive standard edition, as well as perpetual licensing – now only subscriptions are available. They’ve now combined Standard into Advanced and reserved the below “Premium features” for the Premium Edition, which also included everything in Advanced. The Premium features are:
- AppCache
- NetScaler Web App Firewall (WAF)
- Bot management
- IP reputation
- SSL forward proxy
You can see the comparison of features between Citrix Nestacaller’s Advanced vs Premium editions here: – https://www.netscaler.com/content/dam/netscaler/documents/data-sheet/netscaler-edition-comparison-matrix.pdf
F5 BIG-IP on the other hand is marketed as suite of modules, with the Local Traffic Manager (LTM) being the base module that is included in what F5 refers to as the “Good” bundle. F5 bundles BIG-IP into Good, Better, and Best. Better = (LTM + DNS & AFM) , and Best = (Better + APM & AWAF) . You can read more about BIG-IP and all the modules in this article – Understanding F5 BIG-IP.
Citrix NetScaler to F5 BIG-IP LTM Comparable Object & Feature Matrix
While there are differences in the concepts and terminology between F5 BIG-IP and the Citrix Netscaler, there are plenty of similarities. Below you’ll find an object naming matrix between the NetScaler vs BIG-IP LTM.
Citrix NetScaler Term | F5 BIG-IP LTM Equivalent – If not LTM, the relevant BIG-IP module is noted. |
Subnet IP (SNIP) | Self-IP |
SNIP + USNIP enabled | Floating Self-IP (confusing I know – as USNIPs are also used for SNATs, but cover the same functionality as a Floating Self-IP – think in the context of “what do I point my apps to that require me to preserve the source IP? You would point them to the SNIP of choice” ). |
USIP | Default behavior for an VIP on an F5, ie no SNAT |
USNIP | SNAT |
Virtual Server (VS) aka Virtual IP (VIP) | Virtual Server (VS) aka Virtual IP (VIP) |
Service Group | Pool |
Services | Pool Members |
Content Switching | Local Traffic Policies |
Application Firewall | Advanced Web Application Firewall WAF module (legacy name ASM) |
Responder Policy | Local Traffic Policies and/or iRules |
Rewrite Policy | Local Traffic Policies and/or iRules |
AppFlow | sFlow, IPFIX On-Box Analytics AVR Module – Included with LTM module by default |
NetScaler Application Delivery Management (ADM) and Netscaler Management Analytics System (MAS) | BIG-IQ Centralized Management or Cloud.Red from WTIT |
GSLB (Global Server Load Balancing) | DNS module (renamed from GTM – Global Traffic Manager) – Much more robust offering vs legacy Netscaler GSLB |
AAA for traffic management | Access Policy Manager (APM) module |
IP Reputation | IP Intelligence |
SSL Forward Proxy | Forwarding Virtual Server, but can do much more with SSL Orchestrator module for chaining together SSL/TLS decryption with a decision flow |
Bot Management | Integrated Bot Defense |
AppCache | Used to be Web Accelerator module (WAM), but now F5 includes all the the WAM module features within the LTM module and can be called within a VIP via http profiles like HTTP Caching and HTTP Compression |
Citrix NetScaler to F5 BIG-IP LTM SSL / TLS Management
Often folks will have some serious concerns around how SSL management changes and for good reason – It’s something that’s caused sleepless nights for many of us over the years. The good news is that not much changes conceptually between the platforms and you’ll get an added layer of flexibility & features. F5 uses SSL profiles to bind SSL to VIP’s rather than directly binding the certificates themselves. Some might say this is just additional complexity, however, if used appropriately SSL profiles allow you to standardize SSL configurations through parent profiles, apply the same cert to multiple use-cases in a scalable fashion, and allows for you to marry the SSL Cipher configuration with the certificate rather than the VIP. When using profiles appropriately, SSL management becomes easier, as you have far fewer places to update configuration when certificates are renewed/replaced. Additionally, you can enforce SSL ciphers either through parent/child relationships or as part of being married to a specific SSL certificate.
F5 & Citrix VDI Integrations
If you are going to keep Citrix VDI around, but put your NetScalers to sleep, there are a number of integrations F5 offers, and some things it can replace. First and foremost, F5 is not a competitor with the actual VDI technology Citrix offers, it’s the infrastructure pieces that they are competitors to. Below is a list of integrations as well as solutions BIG-IP can replace – like the ability to replace Citrix storefront & Citrix Access Gateways with the F5 BIG-IP APM module. Note: Without the NetScalers, you will indeed lose is some increased visibility into VDI user sessions and application usage. That might be a show stopper for you, but it’s more likely you are not using those features.
Citrix StoreFront Integrations & Replacement:
- NetScaler Gateway integrates with StoreFront to manage access to apps and desktops delivered by Citrix Virtual Apps and Desktops
- F5 Solution: F5 BIG-IP APM can serve as a replacement to the Citrix Access Gateways (CAG), and can host applications on the APM webtop. With the CAGs replaced you have the choice to display the Citrix Storefront native interface, or utilize the APM webtop to obfuscate the Storefront interface. The advantage of doing that allows you to have the same look and feel for storefront and non storefront applications. For example if you could have a resource on your F5 APM webtop for a Citrix VDI resource, VMware horizon resource, 3rd party web application, and RDP resources etc. Check out the deployment guide for the most commonly configured deployments.
Citrix Endpoint Management (EOL Announced):
- Deployment with NetScaler Gateway allows for load balancing and ActiveSync Filtering for Citrix Endpoint Management.
- It also facilitates access from mobile devices using Citrix Mobile Productivity Apps and configures domain and security token authentication.
- F5 Solution: F5 BIG-IP APM has numerous integrations for dealing with End Point management (Most commonly deployed MDM solutions) as well as has its own endpoint inspection solution powered by OpSwat. This provides flexibility to use existing enterprise MDM for posture assessment of internal assets as well as the ability to run posture assessment on devices not under management such as BYOD or Business Partners. Read the article here
Microsoft Intune Integration:
- NetScaler Gateway integrates with Microsoft Intune for Mobile Device Management (MDM), allowing for network access control checks and the setup of micro-VPNs with Microsoft Endpoint Manager.
- This integration includes configuring NetScaler Gateway Virtual Server for Microsoft ADAL Token Authentication and extended support for Azure AD Graph
- F5 Solution: Microsoft Intune is one of the major MDM solutions that F5 BIG-IP APM supports integration with. Read the Article here
Citrix VDI Alternatives
If you’re not planning to keep any of Citrix’s VDI solutions around, we’ve put together a list of solutions we’ve seen work well in customer environments with and without F5. Each of these solutions offers different features and benefits, and the best choice depends on the specific requirements, existing infrastructure, and budget constraints of your organization. It’s important to evaluate each based on criteria like ease of management, scalability, user experience, integration capabilities, and total cost of ownership.
- VMware Horizon
- Overview: A leading VDI solution that offers a robust and flexible platform for delivering virtual desktops and applications.
- Key Features: Includes Blast Extreme protocol for efficient streaming, strong integration with VMware’s ecosystem, and support for various client devices.
- Strengths: Known for its scalability, user experience, and integration with VMware’s virtualization infrastructure.
- Microsoft Remote Desktop Services (RDS)
- Overview: Part of the Windows Server ecosystem, RDS provides technologies for deploying virtualized desktops and applications.
- Key Features: Offers Session-based virtualization, VDI, and RemoteApp for delivering applications.
- Strengths: Tightly integrated with Windows environments and Active Directory, making it a good choice for organizations deeply invested in Microsoft technologies.
- Amazon WorkSpaces
- Overview: A managed, secure Desktop-as-a-Service (DaaS) solution provided by AWS.
- Key Features: Easy to set up and manage, pay-as-you-go pricing model, and accessible from various devices including web browsers.
- Strengths: Benefits from AWS’s robust cloud infrastructure, offering flexibility and scalability without the need for upfront investment in hardware.
- Parallels Remote Application Server (RAS)
- Overview: A comprehensive VDI solution known for its simplicity and cost-effectiveness.Key
- Features: Supports multi-cloud deployments, provides a seamless user experience on any device, and includes built-in load balancing.
- Strengths: Particularly user-friendly and easier to deploy and manage compared to some other solutions, making it suitable for small to medium-sized businesses.
- Nutanix Frame
- Overview: A cloud-based solution that delivers virtual desktops and applications from multiple cloud providers.
- Key Features: Supports public, private, and hybrid cloud deployments, browser-based access, and integrates with various identity providers.
- Strengths: Known for its simplicity, scalability, and the ability to run on multiple cloud infrastructures, including AWS, Azure, and Google Cloud Platform.
Where are you in your Journey? Ready to talk?
Whether you’ve made up your mind and are navigating away from NetScaler or still deciding, WorldTech IT can help you make the decision that is best for you, and your organization. We’ll give you honest technical answers, and help you work through architecture approaches that are specific to your environment. Contact us today to schedule a call with one of our experts, or ask any questions you may have below! 🙂
JP says
Austin – this is laid out perfectly, most people (including myself) didn’t realize the history and the direction – and the wrike acquisition?? wth??. We’re current netscaler customers and are feeling the $ squeeze and the lack of support. Chatting with friends I was told support has been moved to India, and development has been moved to China and I’m not sure that is the right move. This helps me get going in the right direction, we’re looking at F5 Cloud and LTM/WAF, Ill be reaching out soon – ty
Austin Geraci says
You’re welcome! It’s all pretty clear once you start putting the puzzle pieces together. You know where to find us!