Scaling Citrix through Firewall

Status
Not open for further replies.

lithe

IS-IT--Management
Jun 4, 2003
3
US
Hi,

Is anyone involved in a Citrix application of significant size in which ICA sessions pass through a firewall and/or relay host? If so, can you tell me or point me to someone that would know roughly the number of simultaneous ICA users supported per some FW platform and/or some Relay Host Platform? I recognize that these numbers will depend on the FW and RH platforms. At this point I am interested in getting any info on this topic. Thanks.
 
You'll probably find that most relays/firewalls - even "low-end" consumer jobs such as Netgear routers etc - will be easily able to cope with a *lot* of concurrent sessions as the amount of data that a Citrix session generates is pretty low. As such, the limit will generally be the speed of your internet link and what else it might be doing, rather than any other factor. If you have many hundreds of concurrent connections, you'd probably want more than one firewall & some load balancing equipment though - not because of the amount of traffic, but more for redundancy should something fail. Check out for some info on bandwidth usage.

Cheers
 
Our concern is in the FW and Relay Host forwarding performance for 2000-4000 simultaneous TCP connections and 24-48Mbps of aggregate traffic.

The firewall vendors all provide performance numbers for TCP regarding connection set up time and number of TCP connections supported. They also provide throughput numbers but for UDP only.

I would think the TCP throughput is less than UDP due to state maintenance and that it decreases as the number of TCP connections increases, but I don't know for sure.

Any other info on this topic, especially knowledge of a production application in which at least 1000 simultaneous ICA sessions are running through a firewall and/or relay host, would help.

Thanks for your response.
 
The external connection, by the way, is a GE connection supported by a private fiber network, hence the "internet link" is not the bottleneck.
 
Sorry - I can't tell you much more other than to say a Netgear probably won't hack it for you B-), but most of the larger kit should be fine. For example the virtually "entry level" (for an enterprise) Cisco PIX 525 can cope with well over 280,000 concurrent connections and 330Mbs of data so again the amount of traffic you're talking about would barely register on one of those, and if you split it between two using (say) a Cisco DistributedDirector.... hell, you could probably do something with some linux servers if you wanted to "do it on the cheap", but the black box gear always appeals to me...

Anyhow, the best place/person to contact would probably be your local Citrix rep who (particularly after hearing you're thinking of 1000+ users) I'm sure will be quite eager to provide you with data and perhaps some suitable reference sites.

Other than that, you may also want to try the people over in:

forum32 - Checkpoint Firewall 1
forum35 - PIX firewall
forum557 - Cisco Routers

Cheers
 