NetScaler vs. F5

Discover 9 ways Citrix NetScaler outperforms F5

Today’s enterprises face new requirements for their data center and cloud architectures, from keeping pace cost-effectively with fast-growing traffic to ensuring optimal application performance no matter how quickly business needs or the enterprise environment evolve. At the same time, IT must reduce costs and data center sprawl, ensure security and uptime, and prepare for a new generation of cloud computing initiatives. While many Application Delivery Controller (ADC) solutions promise to meet demanding customer needs, the reality often falls short. Taking a closer look at the available options and how they measure up against the criteria that matter most, it becomes clear that Citrix NetScaler beats the competition—providing better performance and scalability than F5 ADC.

An ADC is one of the most critical elements of an organization’s data center and cloud architecture. As you evaluate ADC solutions, it’s essential to pay close attention to their ability to address the most important challenges in your environment. While F5 Networks has traditionally led in ADC market share, organizations are discovering F5’s limitations in enabling next-generation cloud infrastructures and cloud-ready enterprise networks. At the same time, Citrix NetScaler, developed by the leader in cloud networking, has quickly grown market share by giving customers the features and functionality they need to build next-generation infrastructures—with the flexibility, scalability and performance to deliver optimal value even as customer needs evolve.

Discover nine key data center and cloud architecture challenges that NetScaler helps solve more effectively than F5:

Today’s dynamic business environment exerts new pressures on networks to respond quickly to sudden or unpredictable changes in demand without lag in application performance or missed SLAs. Traditional over-provisioning is costly and slow.

F5 claims to solve this problem with its VIPRION chassis-based systems, but the reality is that a hardware-centric approach will always involve substantial procurement and installation delays, as well as the risk of unused capacity and unplanned network investment. Per-chassis licensing drives high initial acquisition costs, and large chassis-based systems also consume valuable data center resources such as power, rack space and cooling capacity. Further, once a short-term surge has passed, there is no way to scale back resources, leaving you stuck with excess capacity.

Similarly, scalability is also an issue with many models of F5 appliances purchased by the company’s enterprise customers. While F5 claims that their fixed appliances offer a pay-as-you-grow model that is similar to Citrix NetScaler, F5’s appliance pay-as-you-grow model does not scale up in terms of device throughput and only impacts HTTP and SSL capacity parameters. NetScaler burst pack licensing, an element of Citrix TriScale Technology, makes it simple to flexibly scale up or down as business needs dictate. This is made possible by an architecture that lets customers purchase an ADC solution optimally sized to meet their current needs, while preserving the ability to scale up or down to support future capacity requirements as needed—all without purchasing additional hardware.

For example, compared with F5 BIG-IP 2000, Citrix NetScaler 8000 offers a superior pay-as-you-grow ADC solution providing significant scalability advantages through instant licensing on existing investment:

The graphic demonstrates that the comparable Citrix NetScaler 8000 offers better pay-as-you-grow scale-up growth, allowing NetScaler to keep pace with your requirements without requiring hardware replacement. In contrast, the F5 2000 platform allows some growth in HTTP RPS and SSL TPS—but does not scale up the actual throughput of the device.

Virtualization has delivered transformational benefits in servers, storage and networking by enabling IT to address the inefficient utilization and high management and infrastructure costs resulting from datacenter sprawl. Now ADCs are following a similar path, as inefficient utilization and high costs make them a prime candidate for consolidation through device virtualization.

Virtual application delivery controllers promise to extend the benefits of virtualization into the core of the networking infrastructure, enabling large-scale consolidation of separately deployed ADC appliances. F5 VIPRION chassis-based systems using virtual Cluster Multi-processing (vCMP) technology promise the benefits of ADC consolidation. However, they fall short of NetScaler on the criteria that truly matter to customers:

  • ADC consolidation density – A single Citrix NetScaler SDX appliance supports 80 fully isolated ADC instances in a single two rack-unit appliance. To support this many instances with F5 ADC devices, you’d have to deploy and manage 14 – 20 separate BIG-IP appliances, or invest in a comparatively expensive F5 VIPRION 2400 chassis-based system loaded with 2250 blades consuming twice the power and rack space. Support for the full 80 instances on the VIPRION 2400 is conditional and subject to the number of software modules (LTM, GTM, APM, AFM, etc.) deployed, as both contend for CPU and memory resources on the system. In comparison, NetScaler SDX helps you consolidate existing ADCs in your network cost-effectively, without feature or performance degradation and with ample headroom to handle future expansion needs.
  • ADC isolation – NetScaler SDX dedicates critical system resources, including memory, CPU and SSL processing, to individual NetScaler ADC instances. With vCMP technology, on the other hand, F5 ADC does not allow SSL or compression processing to be assigned on a per-guest basis. As a result, a single vCMP guest can starve out adjacent tenants of resources—resulting in higher application latency or dropped sessions.

With application breadth and usage at an all-time high, the entire network foundation that carries this traffic needs to become more application-aware to ensure efficient and secure delivery of application data to users. Furthermore, the explosion of trends such as the cloud and bring your own device have reinforced the need for a truly application-fluent infrastructure.

An application-aware network lets you define truly app-centric network policies without the need to manually define policies for each app into each network service. The extensible architecture of NetScaler SDX enables best-in-class alliance partners such as Cisco Systems to run NetScaler services directly on Cisco’s UCS Server and Application-Centric Infrastructure, allowing in-place NetScaler multi-tenancy and consolidation services to be extended to alliance partner solutions. In comparison to Citrix NetScaler, F5’s vCMP design is not a true SDX architecture. As a result, it lacks this extensibility, making it impossible to achieve a single unifying platform to consolidate advanced network services while preserving the ability to select best-in-class solutions from market leading providers. NetScaler customers benefit from numerous Citrix partnerships that help them deploy a fully integrated, application-aware network environment.

Citrix has collaborated with Cisco to deliver the Cisco 1000V, which provides best-in-class ADC services that run on Cisco’s Nexus Virtual Service Platform. This provides a virtualized network platform that delivers scalability, elastic instantiation and multi-tenant operation, all with a common approach to service provisioning and management. This allows customers to holistically control L2 – L7 network services in a unified manner and deliver true cloud service automation with deep network and application-level intelligence, speed service deployment and simplify networking services. Other aspects of the partnership include:

  • An open ecosystem for service integration – Cisco and Citrix are guiding the IETF standard for the Network Service Header (NSH) Protocol to support the fluid movement of service functions and application workloads within a flexible, elastic fabric.
  • A scalable and elastic architecture for physical and virtual appliances – The two companies are working to deliver NetScaler integration with Cisco ACI, which defines a policy-based service insertion mechanism for both physical and virtual ADC appliances.
  • Seamless deployment with Cisco Nexus 7000 – The NetScaler SDX service delivery networking platform and NetScaler MPX hardware-based ADCs offer integration with Nexus 7000 Series to provide higher resiliency, plug-and-play installation, improved agility, and increased leverage of both switching and ADC investments.
  • Cisco RISE Integration – This integration brings NetScaler MPX and SDX services to the Cisco Nexus 7000.
  • Cisco vPath integration – Customers can seamlessly insert NetScaler application delivery services into virtual and cloud networks.

F5 has recently made several announcements about the application capabilities of its Synthesis architecture, along with claims about a partnership with Cisco that has led to a Cisco Validated Design (CVD) supporting Cisco’s Application-Centric Infrastructure (ACI). F5’s references to this CVD imply that the CVD is complete; however, the design is still in the validation phase. Further, F5’s singular engagement with Cisco is minor in contrast to the breadth and depth of partnerships NetScaler is engaged in today with Cisco.

Other key Citrix NetScaler SDX alliance solutions include:

  • CA Technologies – The CA SiteMinder access management solution solves the problem of device, application and information diversity while simplifying user authentication and providing secure, high-performance access.
  • BlueCat Networks – BlueCat Networks software solutions give organizations the power to manage “everything IP” in their network, including devices, users and IP activity.
  • CSE Secure Systems – SecureMatrix is a unique, patented and highly secure tokenless matrix authentication solution.
  • Palo Alto Networks – Next-generation firewalls allow users to safely enable applications and strengthen their security posture across the entire organization.
  • Websense – Unified content security provides protection from advanced persistent threats, preventing the loss of confidential information, and enforcing Internet use and security policies.

Business agility depends on IT’s ability to expand datacenter capacity seamlessly and cost-effectively to support new requirements such as revenue-generating applications or services. NetScaler provides a superior approach with advanced clustering technology that F5 can’t match.

F5’s vCMP clustering scheme scales out capacity by using multiple VIPRION blades together—an approach with significant restrictions. vCMP clustering is limited to just four or eight blades, and does not permit blades across different VIPRION chassis systems or any other F5 ADC appliances to function within the same cluster. This limits the ability to optimize utilization by including all F5 ADC devices, and impairs overall datacenter flexibility.

In comparison to F5 ADCs, NetScaler clustering allows up to 32 physical or virtual appliances to be clustered together. NetScaler also allows customers to group multiple appliances transparently under a single virtual IP address (VIP) so they can work together simultaneously to support one or more applications. This is made possible by the ability of NetScaler to flexibly stripe application traffic across multiple devices in a cluster—providing significant application services availability and scalability across multiple ADCs in the cluster. F5 can only provide spotted application traffic support on ADCs in their clusters, with a high potential for significant application disruption in the event of failure by its host ADC.

NetScaler also ensures high availability through active-active clustering, providing a more cost-effective and manageable alternative to the wasted capacity, high cost and limited scalability of traditional active-passive pairs. In this configuration, multiple NetScaler ADCs share the load simultaneously; if one drops offline, the others pick up the load automatically. Only NetScaler supports active-active Striped VIP clustering. The spotted support provided by F5 ADCs means that customers must double their ADC costs to ensure high availability—a tremendously inefficient and expensive approach, especially for large-scale deployments.

Whether a customer’s cloud strategy revolves around public cloud services, a private cloud within their own data center or a hybrid approach, datacenters need to be designed with new levels of flexibility to help them leverage the agility, elasticity and economics of cloud computing. The ADC they choose is often pivotal in this transformation.

NetScaler CloudConnectors provide advanced cloud-enabling technology that F5 has failed to incorporate into its WOC products. CloudConnectors make applications appear as though they are running on one contiguous enterprise network, enabling your enterprise for hybrid clouds by providing:

  • Seamless network bridging to overcome IP addressing and routing challenges
  • IPSec security to ensure that data remains secure as you run application workloads in external cloud environments
  • TCP optimization, compression and data de-duplication to minimize WAN-induced performance degradation between your datacenter and the cloud
  • Transparent global server load balancing so users have a single path to their applications no matter where they’re hosted

The functional shortcomings of F5 BIG-IP and VIPRION devices reflect the company’s failure to fully embrace cloud computing. For example, the F5 WAN Optimization Module (WOM), which uses an iSession feature to establish secure tunnels between two locations, falls short in providing the network-layer transparency necessary for seamlessly extending enterprise networks into cloud infrastructures.

As traffic volumes rise, applications become more complex and the enterprise workforce grows more distributed, it becomes more challenging to deliver a high-quality experience for every user in every location. To ensure optimal application performance, customers need application-aware ADC capabilities far beyond basic load balancing.

The ADC selection process now includes making sure that the solution can handle simultaneously managing numerous traffic profiles dominated by higher-layer protocols, as well as providing the required processing power for a multitude of advanced features from IPv6 to SSL offload. But it can be hard to evaluate the impact of this intensive usage on the ADC’s overall performance when vendor specifications fail to reflect real-world usage—as is the case with F5 ADC products.

F5’s approach to packet processing relies on two different modes that are incompatible with each other:

  • ‘Fast Path’ (FastPath Virtual Server), a dedicated high-speed technique using their PVA ASIC and CPUs with dedicated code to perform basic load balancing and other rudimentary tasks
  • Standard CPU processing to run all other supported features and feature combinations

F5 reports performance levels of close to 100 percent of rated specifications when their appliances are used in Fast Path—but a large majority of real-world implementations for ADCs require the use of advanced packet processing for tasks such as IPv6, SSL offload, compression, caching and virtual server authentication. These tasks don’t function in Fast Path mode. Instead, they rely solely on iRules using standard CPU processing—at a much slower speed. In other words, while F5 talks about the performance made possible by Fast Path, your real-world experience will be determined more by F5’s standard CPU processing performance.

In contrast, independent ADC testing from the Tolly Group comparing the performance of Citrix NetScaler vs F5 in a battery of tests reflective of customer deployment and traffic behaviors showed that NetScaler delivers:

  • Up to 4.8 times the performance of F5’s BIG-IP in real-world testing scenarios
  • More consistent performance as more features are enabled
  • Significantly better performance when scaling multi-tenancy or multi-instance configurations

For more information, download the official Tolly Group report detailing how NetScaler outperformed F5’s BIG-IP.

Shifting business requirements and a rapidly evolving enterprise environment call for a dynamic approach to application delivery. ADC administrators need to be able to quickly adapt ADC policies as needed to ensure optimized application delivery in every scenario. Requiring them to perform this work through manual coding both diverts their focus from application delivery and introduces the possibility of disruptive user errors—an unacceptable risk. To meet the needs of the business accurately and efficiently, administrators need intuitive, easy-to-use tools to quickly deploy and update ADC policies—without the need for programming.

F5 strongly encourages BIG-IP and VIPRION customers to develop script-based iRules for even the most commonly used content switching and load balancing policies. This may introduce a steep learning curve for many administrators. While F5 touts the flexibility of a programmatic approach to defining policies on an ADC, the reality is that customers must adapt their policy definition and management processes to fit the complex F5 iRules model. Administrators could end up spending much of their time sorting out complex scripting environments, detracting from the time spent focusing on the applications and meeting business needs. This opens the business to risk in the event that the coder leaves the organization.

Compared to F5, NetScaler takes a far simpler approach with innovative declarative policy expression. The NetScaler AppExpert Visual Policy Builder abstracts NetScaler’s underlying policy framework infrastructure—including the object model, APIs and language syntax—so administrators can state straightforward application delivery policies such as “I want to compress this” or “I need to cache this” to get the best out of the organization’s applications.

The ever-increasing flow of personal and financial data over the Internet, combined with the spread of easy-to-use hacking tools such as Firesheep, has led application owners to adopt an SSL Everywhere posture. For better protection, many are migrating from the de facto standard of 1024-bit to 2048-bit SSL key strength, which offers an exponential increase in protection—but also requires five times more processing power. Citrix NetScaler MPX and SDX appliances incorporate the industry’s most advanced SSL acceleration and offload technologies to handle the increased processing imposed by the use of 2048-bit keys. In many cases, NetScaler also outperforms equivalent F5 solutions on SSL transactions per second due to key optimizations including:

  • Intelligent load balancing of SSL – SSL sessions are load balanced across the set of integrated SSL acceleration chips to provide the best processing performance and lowest latency
  • Multiple queues – Multiple SSL operations can be queued per chip to optimize utilization of a chip’s processing capabilities
  • SSL resource isolation – In a multi-tenant ADC deployment, each tenant is assigned dedicated SSL resources, preventing one ADC instance from consuming a disproportionate processing capacity and degrading the performance of other tenants

To maintain high productivity and customer satisfaction, you need to deliver an outstanding user experience in every scenario—even as app and desktop virtualization, mobility and the cloud reshape your architectures. Application and network managers depend on tools that provide deep visibility into application-layer data within both datacenter and cloud environments for proactive health monitoring and to enable fast problem resolution.

Unlike NetScaler, F5 tools lack the ability to export and analyze application-aware historical data in standard formats for analytics. F5 is also unable to deconstruct ICA traffic, rendering it useless for optimizing Citrix virtual desktops and applications.

The NetScaler Insight Center application visibility solution combines network-based instrumentation with an efficient and powerful management system that transforms raw data (real-time and historical) into actionable information. Support for the open AppFlow standard extends the TCP-level information captured by IPFIX, letting you use your NetScaler footprint as a full application tap. HDX Insight provides visibility into ICA traffic down to the level of individual virtual channels, allowing you to ensure an optimal user experience and maintain SLAs for any user, anywhere, on any device.


Citrix NetScaler delivers the advanced ADC capabilities your business demands

The ADC you choose will have a definitive impact on the performance, scale and security of your entire application environment—as well as the return on your investment. As you consider your options, make sure to look beyond vendor promises and past history to the solution’s ability to meet your most important challenges for the future of your data center and your business. Citrix NetScaler measures up far better than F5 on the features and capabilities that matter most.

On-demand elasticity helps you cost-effectively keep pace with surges in traffic, while advanced clustering lets you support new requirements seamlessly and efficiently. Third-party integrations to enable application-awareness, combined with unique cloud-enabling technology, help you leverage the agility, elasticity and economics of the cloud while handling workloads more intelligently. Even as your environment grows more diverse and distributed, NetScaler improves your performance in demanding real-world environments and helps you deliver an outstanding user experience—without sacrificing security. Delivering the advanced ADC capabilities your business demands, with the cost efficiencies and streamlined management your IT organization needs, NetScaler provides a foundation that F5 ADCs can’t hope to match—as more and more businesses have already discovered.